[clamav-users] Heuristics.Broken.Media.JPEG.JFIFdupAppMarker

Pedro Guedes sixtriple626 at gmail.com
Sat Apr 17 11:12:02 UTC 2021 

Hi
Thanks for the answer.
Yes, I did already look at the C code as something to do with jpeg format.
So JFIFdupAppMarker is an attention to something being wrong?
And yes I have
AlertBrokenMedia yes
in clamd.conf

Well, I keep looking.
I have ClamAV as a milter in sendmail.cf so this jpeg was in email scanning.




G.W. Haywood via clamav-users <clamav-users at lists.clamav.net> escreveu
no dia sábado, 17/04/2021 à(s) 11:40:
>
> Hi there,
>
> On Sat, 17 Apr 2021, Pedro Guedes via clamav-users wrote:
>
> > What does
> > Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
> > mean?
>
> It means that libclamav found something questionable in data which it
> identified as of type JPEG.  It's only reported by clamd if an option
> in the configuration is on.  The default is off.
>
> 8<----------------------------------------------------------------------
> $ grep -C5 Heuristics.Broken.Media.JPEG.JFIFdupAppMarker clamav-0.103.2/libclamav/jpeg.c
>
>                      if (SCAN_HEURISTIC_BROKEN_MEDIA) {
>                          if (found_app && num_JFIF > 0) {
>                              cli_warnmsg("JPEG: Duplicate Application Marker found (JFIF)\n");
>                              cli_warnmsg("JPEG: Already observed JFIF: %d, Exif: %d, SPIFF: %d\n", num_JFIF, num_Exif, num_SPIFF);
>                              cli_append_possibly_unwanted(ctx, "Heuristics.Broken.Media.JPEG.JFIFdupAppMarker");
>                              status = CL_EPARSE;
>                              goto done;
>                          }
>                          if (!(segment == 1 ||
>                                (segment == 2 && found_comment) ||
> 8<----------------------------------------------------------------------
>
> See
>
> https://en.wikipedia.org/wiki/JPEG_File_Interchange_Format
>
> for more information about the format.
>
> It's not unusual to find broken images in things like a browser cache
> and it might not be a concern, but in mail or elsewhere it might mean
> that something should be investigated.
>
> A little more context might help.
>
> --
>
> 73,
> Ged.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

More information about the clamav-users mailing list