[clamav-users] LibClamAV warning, cli_pdf unimplemented filter DCTDECODE
klin at sourcefire.com
Thu May 19 14:58:07 EDT 2016
This warning occurs in the new experimental pdf filter rework that is not
part of any existing ClamAV releases (as of 0.99.2). Thus as a disclaimer,
it must be stated that the version of ClamAV being used may be unstable or
incomplete especially with the experimental section that this warnings is
A little background on PDFs:
PDF documents are made up of entities called objects which store that
various bits of content that make up the document. Taken from the PDF spec:
"A *filter *is an optional part of the specification of a stream,
indicating how the data in the stream must be decoded before it is used". As
a result, in order to properly scan the objects of a PDF document, the
objects need to be decoded according to their list of filters.
DCTDecode is one of a number of PDF filters that can be applied to PDF
objects; in particular: "grayscale or color image data that has been encoded
in the JPEG baseline format" (PDF Spec). If you are interested in more
about filters or PDFs, the PDF specification is freely available online and
explains things in greater detail.
On LibClamAV and cli_pdf:
LibClamAV's internal function to handle PDF documents is cli_pdf.
In a nutshell, this warning occurs because ClamAV encountered a DCTDecode
filter but does not have a implementation to decode that filter yet. It is
possible but unlikely that associated document is malicious.
On Thu, May 19, 2016 at 12:43 AM, Rick Valenzuela <lists at rickv.com> wrote:
> Where can I find info on this warning when running clamscan?:
> LibClamAV Warning: cli_pdf: unimplemented filter type  => DCTDECODE
> I've been searching, but I can't find much on LibClamAV and filters,
> much less cli_pdf or DCTDECODE.
> Best regards,
> Rick Valenzuela
> Shanghai, China
> Help us build a comprehensive ClamAV guide:
More information about the clamav-users