Mailing List Archive

Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
Hi guys
What does
Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
mean?

Thanks
Pedro

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
Hi there,

On Sat, 17 Apr 2021, Pedro Guedes via clamav-users wrote:

> What does
> Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
> mean?

It means that libclamav found something questionable in data which it
identified as of type JPEG. It's only reported by clamd if an option
in the configuration is on. The default is off.

8<----------------------------------------------------------------------
$ grep -C5 Heuristics.Broken.Media.JPEG.JFIFdupAppMarker clamav-0.103.2/libclamav/jpeg.c

    if (SCAN_HEURISTIC_BROKEN_MEDIA) {
        if (found_app && num_JFIF > 0) {
            cli_warnmsg("JPEG: Duplicate Application Marker found (JFIF)\n");
            cli_warnmsg("JPEG: Already observed JFIF: %d, Exif: %d, SPIFF: %d\n", num_JFIF, num_Exif, num_SPIFF);
            cli_append_possibly_unwanted(ctx, "Heuristics.Broken.Media.JPEG.JFIFdupAppMarker");
            status = CL_EPARSE;
            goto done;
        }
        if (!(segment == 1 ||
              (segment == 2 && found_comment) ||
8<----------------------------------------------------------------------

See

https://en.wikipedia.org/wiki/JPEG_File_Interchange_Format

for more information about the format.

It's not unusual to find broken images in things like a browser cache
and it might not be a concern, but in mail or elsewhere it might mean
that something should be investigated.

A little more context might help.

--

73,
Ged.

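To make the quoted check concrete, here is an added Python example (not code from ClamAV, nor from anyone in this thread) that walks the marker segments of a JPEG header the way jpeg.c counts JFIF, Exif and SPIFF application markers, and reports the same heuristic name when a second JFIF APP0 segment turns up. The function names iter_segments and check_app_markers and the two sample images are constructed for this example; libclamav's own parser is more thorough (it also checks where in the file each segment sits).

```python
"""Walk the header segments of a JPEG and count its application markers.

Assumption: this mirrors the duplicate-JFIF check quoted from
clamav-0.103.2/libclamav/jpeg.c (found_app && num_JFIF > 0); the
function names and the sample images below are constructed for this
example and are not part of libclamav.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA      # start of image, end of image, start of scan
APP0, APP1, APP8 = 0xE0, 0xE1, 0xE8   # JFIF, Exif and SPIFF live in these APPn segments

HEURISTIC = "Heuristics.Broken.Media.JPEG.JFIFdupAppMarker"


def iter_segments(data: bytes):
    """Yield (marker, payload) for every marker segment between SOI and SOS.

    A segment is 0xFF, marker byte, big-endian 16-bit length (which counts
    itself), payload. Stand-alone markers such as RSTn only occur inside the
    entropy-coded scan data, which this header walk never enters.
    """
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            return
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def check_app_markers(data: bytes):
    """Return (counts, findings) for the JPEG in `data`.

    A JFIF APP0 segment seen after one has already been counted is reported
    under the same heuristic name libclamav uses, and the walk stops there,
    just as jpeg.c bails out with CL_EPARSE.
    """
    counts = {"JFIF": 0, "Exif": 0, "SPIFF": 0}
    findings = []
    for marker, payload in iter_segments(data):
        if marker == APP0 and payload.startswith(b"JFIF\x00"):
            if counts["JFIF"] > 0:
                findings.append(HEURISTIC)
                break
            counts["JFIF"] += 1
        elif marker == APP1 and payload.startswith(b"Exif\x00"):
            counts["Exif"] += 1
        elif marker == APP8 and payload.startswith(b"SPIFF\x00"):
            counts["SPIFF"] += 1
    return counts, findings


def segment(marker: int, payload: bytes) -> bytes:
    """Encode one marker segment (the length field includes its own two bytes)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample headers: a minimal JFIF APP0 (version 1.1, 72 dpi, no
# thumbnail), a stub Exif APP1, and an SOS marker where the walk stops.
JFIF_APP0 = segment(APP0, b"JFIF\x00\x01\x01\x01" + struct.pack(">HH", 72, 72) + b"\x00\x00")
EXIF_APP1 = segment(APP1, b"Exif\x00\x00" + b"II*\x00\x08\x00\x00\x00")
SCAN_STUB = bytes([0xFF, SOS]) + b"\x00\x02" + bytes([0xFF, EOI])

GOOD_JPEG = bytes([0xFF, SOI]) + JFIF_APP0 + EXIF_APP1 + SCAN_STUB
BAD_JPEG = bytes([0xFF, SOI]) + JFIF_APP0 + EXIF_APP1 + JFIF_APP0 + SCAN_STUB


if __name__ == "__main__":
    for name, image in (("well-formed", GOOD_JPEG), ("duplicate JFIF", BAD_JPEG)):
        counts, findings = check_app_markers(image)
        print(f"{name}: observed {counts}, findings {findings or 'none'}")
```

Running the script prints the marker counts for both constructed images and the heuristic name only for the second one. The same walk, pointed at a file pulled out of the mail queue, shows which marker was duplicated and where, which is the context Ged asks for before deciding whether a careless encoder or something else produced the attachment.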
Re: Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
Hi
Thanks for the answer.
Yes, I did already look at the C code as something to do with the JPEG format.
So JFIFdupAppMarker is an alert about something being wrong?
And yes I have
AlertBrokenMedia yes
in clamd.conf

Well, I keep looking.
I have ClamAV as a milter in sendmail.cf so this jpeg was in email scanning.




G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote
on Saturday, 17/04/2021 at 11:40:
>
> Hi there,
>
> On Sat, 17 Apr 2021, Pedro Guedes via clamav-users wrote:
>
> > What does
> > Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
> > mean?
>
> It means that libclamav found something questionable in data which it
> identified as of type JPEG. It's only reported by clamd if an option
> in the configuration is on. The default is off.
>
> 8<----------------------------------------------------------------------
> $ grep -C5 Heuristics.Broken.Media.JPEG.JFIFdupAppMarker clamav-0.103.2/libclamav/jpeg.c
>
> if (SCAN_HEURISTIC_BROKEN_MEDIA) {
> if (found_app && num_JFIF > 0) {
> cli_warnmsg("JPEG: Duplicate Application Marker found (JFIF)\n");
> cli_warnmsg("JPEG: Already observed JFIF: %d, Exif: %d, SPIFF: %d\n", num_JFIF, num_Exif, num_SPIFF);
> cli_append_possibly_unwanted(ctx, "Heuristics.Broken.Media.JPEG.JFIFdupAppMarker");
> status = CL_EPARSE;
> goto done;
> }
> if (!(segment == 1 ||
> (segment == 2 && found_comment) ||
> 8<----------------------------------------------------------------------
>
> See
>
> https://en.wikipedia.org/wiki/JPEG_File_Interchange_Format
>
> for more information about the format.
>
> It's not unusual to find broken images in things like a browser cache
> and it might not be a concern, but in mail or elsewhere it might mean
> that something should be investigated.
>
> A little more context might help.
>
> --
>
> 73,
> Ged.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

Re: Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
Hi there,

On Sat, 17 Apr 2021, Pedro Guedes via clamav-users wrote:
> G.W. Haywood via clamav-users ... Saturday, 17/04/2021 ...
>> On Sat, 17 Apr 2021, Pedro Guedes via clamav-users wrote:
>>
>>> What does
>>> Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
>>> mean?
>>
>> It means that libclamav found something questionable in data which it
>> identified as of type JPEG. It's only reported by clamd if an option
>> in the configuration is on. The default is off.
>> ...
>> It's not unusual to find broken images in things like a browser cache
>> and it might not be a concern, but in mail or elsewhere it might mean
>> that something should be investigated.
>>
>> A little more context might help.
>
> Yes, I did already look at the C code as something to do with the JPEG format.
> So JFIFdupAppMarker is an alert about something being wrong?

Yes. The data violates the format specification. From just that bit
of information I have, I have no idea how likely it is to be malicious.
Some images are generated on the fly, and the code doing that might be
less than perfect so you could be seeing a mistake rather than malice.

> And yes I have
> AlertBrokenMedia yes
> in clamd.conf
>
> Well, I keep looking.
> I have ClamAV as a milter in sendmail.cf so this jpeg was in email scanning.

Obviously if it's in email you can easily investigate the source, and
if it's malicious you can also easily prevent it from being passed to
any mailbox. I don't know how common malicious JPEG files are in mail
but I suspect it's "not very". Can you tell us more about the source?

--

73,
Ged.

Re: Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
Hi again.

Well, the source ...
.. you know users most of the time have no idea what they are doing.
Seems a usual correspondent but, who knows.
Since mail is responsible for 99% of malware and dirt, and
because users hate security (bad for day-to-day work), the only solution
is using clamav-milter whitelist addresses.
Mail is a complete anarchy, no way of blocking failed SPF, DKIM signatures,
DMARC, etc.
Because no one does anything, if you block, a lot of important
emails get blocked.

Media all around talk about security but no one does anything.
Even the most important banks don't even have DNSSEC, and when they have it, it is
incorrect.

DKIM? Too much trouble.
DNSSEC? Too much trouble.

And with all the monopoly on the clouds things get even worse.

G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote
on Saturday, 17/04/2021 at 12:27:
>
> Hi there,
>
> On Sat, 17 Apr 2021, Pedro Guedes via clamav-users wrote:
> > G.W. Haywood via clamav-users ... Saturday, 17/04/2021 ...
> >> On Sat, 17 Apr 2021, Pedro Guedes via clamav-users wrote:
> >>
> >>> What does
> >>> Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
> >>> mean?
> >>
> >> It means that libclamav found something questionable in data which it
> >> identified as of type JPEG. It's only reported by clamd if an option
> >> in the configuration is on. The default is off.
> >> ...
> >> It's not unusual to find broken images in things like a browser cache
> >> and it might not be a concern, but in mail or elsewhere it might mean
> >> that something should be investigated.
> >>
> >> A little more context might help.
> >
> > Yes, I did already look at the C code as something to do with the JPEG format.
> > So JFIFdupAppMarker is an alert about something being wrong?
>
> Yes. The data violates the format specification. From just that bit
> of information I have, I have no idea how likely it is to be malicious.
> Some images are generated on the fly, and the code doing that might be
> less than perfect so you could be seeing a mistake rather than malice.
>
> > And yes I have
> > AlertBrokenMedia yes
> > in clamd.conf
> >
> > Well, I keep looking.
> > I have ClamAV as a milter in sendmail.cf so this jpeg was in email scanning.
>
> Obviously if it's in email you can easily investigate the source, and
> if it's malicious you can also easily prevent it from being passed to
> any mailbox. I don't know how common malicious JPEG files are in mail
> but I suspect it's "not very". Can you tell us more about the source?
>
> --
>
> 73,
> Ged.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

Re: Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
It's worse than that. Not only do almost all users ignore security (as do many organizations), it seems that every new piece or version of software or hardware *reduces* security. And this applies to some new protocols (remember WiFi's WEP debacle?) and some extensions to or uses of existing ones.

It's all done in the name of convenience, and, in particular, striving for universal inter-connectedness. For example, I have fairly recently started receiving spam TXT messages containing links to who-knows-what. Yet (some) Samsung smart phones urge you to "share your contact list with others" -- and this admonition can't be disabled, it seems.

Another example is we got a new air-conditioner that has WiFi built-in, but it's only usable via the GE/Haier server, not locally (which might actually be useful). Luckily, the WiFi can be disabled (supposedly), so maybe this will stop it from being part of an IoT botnet, since its tiny computer likely can't get security updates.

In other words, securing email may be the least of our problems in the near future.


On Sat, 17 Apr 2021 13:14:40 +0100
Pedro Guedes via clamav-users <clamav-users@lists.clamav.net> wrote:

> Hi again.
>
> Well, the source ...
> .. you know users most of the time have no idea what they are doing.
> Seems a usual correspondent but, who knows.
> Since mail is responsible for 99% of malware and dirt, and
> because users hate security (bad for day-to-day work), the only solution
> is using clamav-milter whitelist addresses.
> Mail is a complete anarchy, no way of blocking failed SPF, DKIM signatures,
> DMARC, etc.
> Because no one does anything, if you block, a lot of important
> emails get blocked.
>
> Media all around talk about security but no one does anything.
> Even the most important banks don't even have DNSSEC, and when they have it, it is
> incorrect.
>
> DKIM? Too much trouble.
> DNSSEC? Too much trouble.
>
> And with all the monopoly on the clouds things get even worse.

Re: Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
Hi Pedro,

Yes the alert you're seeing means something is unusual with the format of the JPEG that is being scanned.

The intention with AlertBrokenMedia is to detect files that don't appear to follow the specification, just in case there is some vulnerability we don't know about and in case the file is an exploit. It is far more likely that the file was created by some software that is just a little careless and doesn't quite adhere to the spec, but there is a possibility that the JPEG carries an exploit for some vulnerable image parser.

Basically, AlertBrokenMedia is for people who prefer to be very cautious.

-Micah

> -----Original Message-----
> From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of
> Pedro Guedes via clamav-users
> Sent: Saturday, April 17, 2021 4:12 AM
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Cc: Pedro Guedes <sixtriple626@gmail.com>
> Subject: Re: [clamav-users]
> Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
>
> Hi
> Thanks for the answer.
> Yes, I did already look at the C code as something to do with the JPEG format.
> So JFIFdupAppMarker is an alert about something being wrong?
> And yes I have
> AlertBrokenMedia yes
> in clamd.conf
>
> Well, I keep looking.
> I have ClamAV as a milter in sendmail.cf so this jpeg was in email scanning.
>
>
>
>
> G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote
> on Saturday, 17/04/2021 at 11:40:
> >
> > Hi there,
> >
> > On Sat, 17 Apr 2021, Pedro Guedes via clamav-users wrote:
> >
> > > What does
> > > Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
> > > mean?
> >
> > It means that libclamav found something questionable in data which it
> > identified as of type JPEG. It's only reported by clamd if an option
> > in the configuration is on. The default is off.
> >
> > 8<----------------------------------------------------------------------
> > $ grep -C5 Heuristics.Broken.Media.JPEG.JFIFdupAppMarker clamav-0.103.2/libclamav/jpeg.c
> >
> >     if (SCAN_HEURISTIC_BROKEN_MEDIA) {
> >         if (found_app && num_JFIF > 0) {
> >             cli_warnmsg("JPEG: Duplicate Application Marker found (JFIF)\n");
> >             cli_warnmsg("JPEG: Already observed JFIF: %d, Exif: %d, SPIFF: %d\n", num_JFIF, num_Exif, num_SPIFF);
> >             cli_append_possibly_unwanted(ctx, "Heuristics.Broken.Media.JPEG.JFIFdupAppMarker");
> >             status = CL_EPARSE;
> >             goto done;
> >         }
> >         if (!(segment == 1 ||
> >               (segment == 2 && found_comment) ||
> > 8<----------------------------------------------------------------------
> >
> > See
> >
> > https://en.wikipedia.org/wiki/JPEG_File_Interchange_Format
> >
> > for more information about the format.
> >
> > It's not unusual to find broken images in things like a browser cache
> > and it might not be a concern, but in mail or elsewhere it might mean
> > that something should be investigated.
> >
> > A little more context might help.
> >
> > --
> >
> > 73,
> > Ged.
> >
> > _______________________________________________
> >
> > clamav-users mailing list
> > clamav-users@lists.clamav.net
> > https://lists.clamav.net/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
