Hi there,
On Sat, 17 Apr 2021, Pedro Guedes via clamav-users wrote:
> What does
> Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
> mean?
It means that libclamav found something questionable in data which it
identified as of type JPEG. It's only reported by clamd if an option
in the configuration is on. The default is off.
8<----------------------------------------------------------------------
$ grep -C5 Heuristics.Broken.Media.JPEG.JFIFdupAppMarker clamav-0.103.2/libclamav/jpeg.c
            if (SCAN_HEURISTIC_BROKEN_MEDIA) {
                if (found_app && num_JFIF > 0) {
                    cli_warnmsg("JPEG: Duplicate Application Marker found (JFIF)\n");
                    cli_warnmsg("JPEG: Already observed JFIF: %d, Exif: %d, SPIFF: %d\n", num_JFIF, num_Exif, num_SPIFF);
                    cli_append_possibly_unwanted(ctx, "Heuristics.Broken.Media.JPEG.JFIFdupAppMarker");
                    status = CL_EPARSE;
                    goto done;
                }
                if (!(segment == 1 ||
                      (segment == 2 && found_comment) ||
8<----------------------------------------------------------------------
See https://en.wikipedia.org/wiki/JPEG_File_Interchange_Format for more information about the format.
It's not unusual to find broken images in things like a browser cache
and it might not be a concern, but in mail or elsewhere it might mean
that something should be investigated.
A little more context might help.
--
73,
Ged.
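
To triage a file that triggered this name, the check below (an added example, not part of the message above and not ClamAV code) walks the JPEG header segments and counts APP0 segments carrying the `JFIF\0` identifier; a count above one is the situation the "Duplicate Application Marker found (JFIF)" warning describes. It is a simplified walk that does not reproduce libclamav's parser, and the function name and sample buffers are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data: a minimal JFIF APP0 segment (length 0x0010). */
#define JFIF_APP0 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00, \
                  0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00
static const uint8_t sample_ok[]  = {0xFF, 0xD8, JFIF_APP0, 0xFF, 0xD9};
static const uint8_t sample_dup[] = {0xFF, 0xD8, JFIF_APP0, JFIF_APP0, 0xFF, 0xD9};

/* Hypothetical helper: count APP0 segments whose payload starts with "JFIF\0".
 * Returns the count, or -1 if the header segments cannot be walked. */
int count_jfif_app0(const uint8_t *buf, size_t len)
{
    size_t pos = 2;
    int count = 0;

    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8)
        return -1;                          /* no SOI marker */
    while (pos + 4 <= len) {
        uint8_t marker = buf[pos + 1];
        if (buf[pos] != 0xFF || marker == 0x00)
            return -1;                      /* lost marker sync */
        if (marker == 0xFF) { pos++; continue; }   /* fill byte */
        if (marker == 0xD9 || marker == 0xDA)
            break;                          /* EOI or start of scan */
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7)) {
            pos += 2;                       /* stand-alone marker, no length */
            continue;
        }
        size_t seglen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        if (seglen < 2 || seglen > len - pos - 2)
            return -1;                      /* bogus or truncated length */
        if (marker == 0xE0 && seglen >= 7 &&
            memcmp(buf + pos + 4, "JFIF\0", 5) == 0)
            count++;
        pos += 2 + seglen;
    }
    return count;
}

int main(void)
{
    printf("single JFIF header: %d\n", count_jfif_app0(sample_ok, sizeof sample_ok));
    printf("duplicated header:  %d\n", count_jfif_app0(sample_dup, sizeof sample_dup));
    return 0;
}
```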