[clamav-users] Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
G.W. Haywood
clamav at jubileegroup.co.uk
Sat Apr 17 10:39:20 UTC 2021
Hi there,
On Sat, 17 Apr 2021, Pedro Guedes via clamav-users wrote:
> What does
> Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
> mean?
It means that libclamav found something questionable in data which it
identified as of type JPEG. It's only reported by clamd if an option
in the configuration is on. The default is off.
8<----------------------------------------------------------------------
$ grep -C5 Heuristics.Broken.Media.JPEG.JFIFdupAppMarker clamav-0.103.2/libclamav/jpeg.c
    if (SCAN_HEURISTIC_BROKEN_MEDIA) {
        if (found_app && num_JFIF > 0) {
            cli_warnmsg("JPEG: Duplicate Application Marker found (JFIF)\n");
            cli_warnmsg("JPEG: Already observed JFIF: %d, Exif: %d, SPIFF: %d\n", num_JFIF, num_Exif, num_SPIFF);
            cli_append_possibly_unwanted(ctx, "Heuristics.Broken.Media.JPEG.JFIFdupAppMarker");
            status = CL_EPARSE;
            goto done;
        }
        if (!(segment == 1 ||
              (segment == 2 && found_comment) ||
8<----------------------------------------------------------------------
See
https://en.wikipedia.org/wiki/JPEG_File_Interchange_Format
for more information about the format.
It's not unusual to find broken images in things like a browser cache
and it might not be a concern, but in mail or elsewhere it might mean
that something should be investigated.
A little more context might help.
--
73,
Ged.
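
The check quoted from jpeg.c above fires when a JFIF application marker appears after one has already been seen. As an added example (not part of the original message and not ClamAV code), this simplified C walker counts JFIF-tagged APP0 segments in a JPEG header so a flagged file can be inspected by hand; the function name and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Count APP0 segments tagged "JFIF\0" before SOS/EOI. Returns the count,
 * or -1 for a missing SOI or a segment length that does not fit the data.
 * Simplified walker for illustration; not libclamav's parser. */
int count_jfif_segments(const unsigned char *buf, size_t len)
{
    size_t pos = 2;
    int jfif = 0;

    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8)
        return -1;                              /* no SOI */
    while (pos + 2 <= len) {
        unsigned char marker = buf[pos + 1];
        if (buf[pos] != 0xFF)
            return -1;                          /* not at a marker */
        if (marker == 0xFF) { pos++; continue; }    /* fill byte */
        if (marker == 0xDA || marker == 0xD9)
            break;                              /* SOS or EOI ends the header */
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD8)) {
            pos += 2;                           /* standalone marker, no length */
            continue;
        }
        if (pos + 4 > len)
            return -1;                          /* truncated length field */
        size_t seglen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        if (seglen < 2 || seglen > len - pos - 2)
            return -1;                          /* length runs past the data */
        if (marker == 0xE0 && seglen >= 7 && memcmp(buf + pos + 4, "JFIF\0", 5) == 0)
            jfif++;
        pos += 2 + seglen;
    }
    return jfif;
}

/* Constructed samples: SOI, JFIF APP0 segment(s), EOI. */
#define JFIF_APP0 0xFF,0xE0,0x00,0x10,'J','F','I','F',0,1,1,0,0,1,0,1,0,0
static const unsigned char sample_ok[]  = { 0xFF,0xD8, JFIF_APP0, 0xFF,0xD9 };
static const unsigned char sample_dup[] = { 0xFF,0xD8, JFIF_APP0, JFIF_APP0, 0xFF,0xD9 };

int main(void)
{
    printf("single: %d JFIF segment(s)\n", count_jfif_segments(sample_ok, sizeof sample_ok));
    printf("repeated: %d JFIF segment(s)\n", count_jfif_segments(sample_dup, sizeof sample_dup));
    return 0;
}
```

A count above 1 corresponds to the duplicate-marker condition named in the heuristic; a return of -1 means the header could not be walked at all.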