Re: [clamav-users] Broken media detection

2021-06-24 Thread Micah Snyder (micasnyd) via clamav-users
Ged is right to be wary about sharing files with the mailing list.  Next time 
please put it in an encrypted zip and give us the password so we can choose to 
extract it if desired – and preferably share it by some other means like a link 
to a file sharing service instead of attaching it to an email.

That said, I took a peek at the file.  When you say “spoiled by ransomware” I 
think you mean “encrypted by ransomware”.  Though the file retains its .jpg 
file name extension, the file contents appear encrypted. If you open it with a 
hex editor, the bytes look “random”.

The reason ClamAV’s --alert-broken-media option isn’t detecting anything is that 
ClamAV doesn’t use file extensions to determine file type; ClamAV tries to 
determine the type by evaluating the file contents.  In this case, since the 
file has been encrypted there is no way to know what type the file is.  In 
cases like this, ClamAV usually scans the file as raw binary, or in this case 
it thinks it is UTF16-BE.  In any case, ClamAV has no idea it used to be a 
JPEG, so the feature doesn’t cause an alert.

Regards,
Micah

From: clamav-users  On Behalf Of Zvi 
Kave via clamav-users
Sent: Thursday, June 24, 2021 1:37 AM
To: clamav-users@lists.clamav.net
Cc: Zvi Kave 
Subject: Re: [clamav-users] Broken media detection

Hi Arnaud,

When I try to open it, I get error message:
agam.jpg:
It looks like we don't support this file format.

File is attached here.

Thanks,

Zvi

On 6/24/2021 11:19 AM, Arnaud Jacques wrote:
Hello Zvi,

On 24/06/2021 at 10:09, Zvi Kave via clamav-users wrote:

Hi,

I tried to use "clamscan --alert-broken-media=yes ag.jpg" to detect
spoiled JPEG files by RYUK ransomware.
Seems that it was not detected - ag.jpg OK.
Perhaps I use it not correctly?

Perhaps JPG file format is strictly correct (even if the data of the image are 
corrupted).

Please advise.

You should send your sample to https://www.clamav.net/reports/malware


___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
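
An added example, not part of the thread and not ClamAV's code: a content-based check in the spirit of the reply above, which flags a file whose media extension is not backed by the expected leading bytes and whose content looks near-random. The function names, the signature table and the 7.5 bits-per-byte threshold are assumptions made for this illustration.

```python
import math
import os
from collections import Counter

# Well-known leading signatures for a few media types.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, near 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(name: str, head: bytes, threshold: float = 7.5) -> str:
    """Check the leading bytes against what the extension promises.

    threshold is an assumed cut-off for this example, not a ClamAV setting.
    """
    ext = os.path.splitext(name)[1].lower()
    if ext not in MAGIC:
        return "not-media"
    # Header first: valid compressed image data is high-entropy too, so
    # entropy alone cannot separate a good JPEG from an encrypted one.
    if head.startswith(MAGIC[ext]):
        return "ok"
    if shannon_entropy(head) >= threshold:
        return "mismatch-high-entropy"  # consistent with encrypted content
    return "mismatch"

def scan_file(path: str, sample_size: int = 65536) -> str:
    """Classify a file on disk from its first sample_size bytes."""
    with open(path, "rb") as fh:
        return classify(path, fh.read(sample_size))

if __name__ == "__main__":
    # Constructed samples: a JPEG-like header followed by padding, and random
    # bytes standing in for an encrypted file that kept its .jpg name.
    jpeg_like = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(512)
    encrypted_like = os.urandom(65536)
    print("photo.jpg:", classify("photo.jpg", jpeg_like))
    print("agam.jpg:", classify("agam.jpg", encrypted_like))
```
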


Re: [clamav-users] Broken media detection

2021-06-24 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 24 Jun 2021, Zvi Kave via clamav-users wrote:

On 6/24/2021 11:19 AM, Arnaud Jacques wrote:

On 24/06/2021 at 10:09, Zvi Kave via clamav-users wrote:

I tried to use "clamscan --alert-broken-media=yes ag.jpg" to detect
spoiled JPEG files by RYUK ransomware.
...
Please advise.

You should send your sample to https://www.clamav.net/reports/malware

...
agam.jpg:
...

File is attached here.


You asked for advice.  The excellent advice given to you by M. Jacques
was to submit the potentially dangerous file to the ClamAV reporting site
- not to send it to thousands of people on this mailing list.

--

73,
Ged.


Re: [clamav-users] Broken media detection

2021-06-24 Thread Zvi Kave via clamav-users

  
  
Arnaud,

I understand now. Thank you.

Zvi

On 6/24/2021 11:55 AM, Arnaud Jacques wrote:

Zvi,

When I try to open it, I get error message:

agam.jpg:

It looks like we don't support this file format.

If you look at the content of the file with a hexadecimal editor,
you see garbage. It has no known file format.

The file format is defined with the content of a file, not with
the filename/extension.

For me, and for ClamAV, it is not an image. Verify with "file"
command line tool:

#file agam.jpg
agam.jpg: data


Re: [clamav-users] Broken media detection

2021-06-24 Thread Arnaud Jacques

Zvi,

When I try to open it, I get error message:

agam.jpg:

It looks like we don't support this file format.

If you look at the content of the file with a hexadecimal editor, you 
see garbage. It has no known file format.

The file format is defined with the content of a file, not with the 
filename/extension.

For me, and for ClamAV, it is not an image. Verify with "file" command 
line tool:

#file agam.jpg
agam.jpg: data

--
Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Phone: +33-(0)3.60.47.09.81
E-mail: a...@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom
Signatures for ClamAV antivirus: http://ow.ly/LqfdL


Re: [clamav-users] Broken media detection

2021-06-24 Thread Arnaud Jacques

Hello Zvi,

On 24/06/2021 at 10:09, Zvi Kave via clamav-users wrote:

Hi,

I tried to use "clamscan --alert-broken-media=yes ag.jpg" to detect
spoiled JPEG files by RYUK ransomware.
Seems that it was not detected - ag.jpg OK.
Perhaps I use it not correctly?

Perhaps JPG file format is strictly correct (even if the data of the 
image are corrupted).

Please advise.

You should send your sample to https://www.clamav.net/reports/malware

--
Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Phone: +33-(0)3.60.47.09.81
E-mail: a...@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom
Signatures for ClamAV antivirus: http://ow.ly/LqfdL


[clamav-users] Broken media detection

2021-06-24 Thread Zvi Kave via clamav-users

  
  
Hi,

I tried to use "clamscan --alert-broken-media=yes ag.jpg" to detect
spoiled JPEG files by RYUK ransomware.
Seems that it was not detected - ag.jpg OK.

Perhaps I use it not correctly?
Please advise.
I use clamav 0.103.3.

Thanks,

Zvi

