[clamav-users] Heuristics.Broken.Media.JPEG.JFIFdupAppMarker

G.W. Haywood clamav at jubileegroup.co.uk
Sat Apr 17 11:26:27 UTC 2021


Hi there,

On Sat, 17 Apr 2021, Pedro Guedes via clamav-users wrote:
> G.W. Haywood via clamav-users ... Saturday, 17/04/2021 ...
>> On Sat, 17 Apr 2021, Pedro Guedes via clamav-users wrote:
>>
>>> What does
>>> Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
>>> mean?
>>
>> It means that libclamav found something questionable in data which it
>> identified as of type JPEG.  It's only reported by clamd if an option
>> in the configuration is on.  The default is off.
>> ...
>> It's not unusual to find broken images in things like a browser cache
>> and it might not be a concern, but in mail or elsewhere it might mean
>> that something should be investigated.
>>
>> A little more context might help.
> 
> Yes, I did already look at the C code as something to do with jpeg format.
> So JFIFdupAppMarker is an attention to something being wrong?

Yes.  The data violates the format specification.  From just that bit
of information I have, I have no idea how likely it is to be malicious.
Some images are generated on the fly, and the code doing that might be
less than perfect so you could be seeing a mistake rather than malice.

> And yes I have
> AlertBrokenMedia yes
> in clamd.conf
>
> Well, I keep looking.
> I have ClamAV as a milter in sendmail.cf so this jpeg was in email scanning.

Obviously if it's in email you can easily investigate the source, and
if it's malicious you can also easily prevent it from being passed to
any mailbox.  I don't know how common malicious JPEG files are in mail
but I suspect it's "not very".  Can you tell us more about the source?

-- 

73,
Ged.
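
As an added illustration (not code from this thread and not libclamav's own parser), the following Python walks the marker segments of a JPEG and flags the condition the heuristic's name points at: more than one APP0 segment carrying the JFIF identifier. The byte strings are constructed, not real images, and treating "JFIFdupAppMarker" as exactly this duplicate-APP0 check is an assumption drawn from the name.

```python
import struct

# Constructed minimal JPEG-like byte strings (not real images): enough marker
# structure for a segment walker. Markers are 0xFF 0xXX; every marker except
# SOI/EOI/RSTn carries a big-endian 2-byte length that includes itself.
def _seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

JFIF_APP0 = b"JFIF\x00" + bytes([1, 1, 0, 0, 1, 0, 1, 0, 0])   # APP0 body, v1.1
GOOD_JPEG = b"\xff\xd8" + _seg(0xE0, JFIF_APP0) + _seg(0xDB, b"\x00" * 65) + b"\xff\xd9"
DUP_JPEG = b"\xff\xd8" + _seg(0xE0, JFIF_APP0) + _seg(0xE0, JFIF_APP0) + b"\xff\xd9"

def walk_segments(data):
    """Yield (marker, payload) for each length-carrying segment before SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):            # EOI, or SOS: entropy-coded data follows
            return
        if marker == 0xFF or 0xD0 <= marker <= 0xD7:   # fill byte / RSTn carry no length
            pos += 1 if marker == 0xFF else 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("segment length runs past end of data")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def check_jfif_dup_app_marker(data):
    """True if more than one APP0 segment carries the JFIF identifier,
    which the JFIF spec does not allow (one APP0/JFIF right after SOI)."""
    jfif = sum(1 for m, p in walk_segments(data) if m == 0xE0 and p.startswith(b"JFIF\x00"))
    return jfif > 1
```

Run against a file pulled from the mail queue, a True result reproduces the condition the heuristic reports, while a ValueError indicates a different kind of structural breakage.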
