Mailing List Archive

[clamav-users] Broken media detection
Hi,

I tried to use "clamscan --alert-broken-media=yes ag.jpg" to detect
JPEG files spoiled by RYUK ransomware.

It seems that it was not detected - ag.jpg OK.

Perhaps I am not using it correctly?

Please advise.

I use clamav 0.103.3.

Thanks,

Zvi
Re: [clamav-users] Broken media detection
Hello Zvi,

On 24/06/2021 at 10:09, Zvi Kave via clamav-users wrote:
> Hi,
>
>
> I tried to use "clamscan --alert-broken-media=yes ag.jpg" to detect
>
> spoiled JPEG files by RYUK ransomware.
>
> Seems that it was not detected - ag.jpg OK.
>
> Perhaps I use it not correctly?

Perhaps the JPG file format is strictly correct (even if the data of the
image is corrupted).


> Please advise .


You should send your sample to https://www.clamav.net/reports/malware


--
Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Telephone: +33-(0)3.60.47.09.81
E-mail: aj@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom
Signatures for ClamAV antivirus: http://ow.ly/LqfdL

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Broken media detection

Hi Arnaud,

When I try to open it, I get an error message:

agam.jpg:

It looks like we don't support this file format.

The file is attached here.

Thanks,

Zvi

On 6/24/2021 11:19 AM, Arnaud Jacques wrote:
> Hello Zvi,
>
> On 24/06/2021 at 10:09, Zvi Kave via clamav-users wrote:
>> Hi,
>>
>> I tried to use "clamscan --alert-broken-media=yes ag.jpg" to detect
>> JPEG files spoiled by RYUK ransomware.
>>
>> It seems that it was not detected - ag.jpg OK.
>>
>> Perhaps I am not using it correctly?
>
> Perhaps the JPG file format is strictly correct (even if the data of the image is corrupted).
>
>> Please advise.
>
> You should send your sample to https://www.clamav.net/reports/malware


Re: [clamav-users] Broken media detection

Zvi,

> When I try to open it, I get an error message:
>
> agam.jpg:
>
> It looks like we don't support this file format.

If you look at the content of the file with a hexadecimal editor, you
see garbage. It has no known file format.

The file format is defined by the content of a file, not by the
filename/extension.

For me, and for ClamAV, it is not an image. Verify with the "file" command
line tool:

#file agam.jpg
agam.jpg: data


--
Best regards,

Arnaud Jacques

Re: [clamav-users] Broken media detection

Arnaud,

I understand now. Thank you.

Zvi

On 6/24/2021 11:55 AM, Arnaud Jacques wrote:
> Zvi,
>
>> When I try to open it, I get an error message:
>>
>> agam.jpg:
>>
>> It looks like we don't support this file format.
>
> If you look at the content of the file with a hexadecimal editor, you see garbage. It has no known file format.
>
> The file format is defined by the content of a file, not by the filename/extension.
>
> For me, and for ClamAV, it is not an image. Verify with the "file" command line tool:
>
> #file agam.jpg
> agam.jpg: data


Re: [clamav-users] Broken media detection
Hi there,

On Thu, 24 Jun 2021, Zvi Kave via clamav-users wrote:
> On 6/24/2021 11:19 AM, Arnaud Jacques wrote:
>> On 24/06/2021 at 10:09, Zvi Kave via clamav-users wrote:
>>
>>> I tried to use "clamscan --alert-broken-media=yes ag.jpg" to detect
>>> spoiled JPEG files by RYUK ransomware.
>>> ...
>>> Please advise .
>>
>> You should send your sample to https://www.clamav.net/reports/malware
> ...
> agam.jpg:
> ...
>
> File is attached here.

You asked for advice. The excellent advice given to you by M. Jacques
was to submit the potentially dangerous file to the ClamAV reporting site
- not to send it to thousands of people on this mailing list.

--

73,
Ged.

Re: [clamav-users] Broken media detection
Ged is right to be wary about sharing files with the mailing list. Next time please put it in an encrypted zip and give us the password so we can choose to extract it if desired – and preferably share it by some other means like a link to a file sharing service instead of attaching it to an email.

That said, I took a peek at the file. When you say “spoiled by ransomware” I think you mean “encrypted by ransomware”. Though the file retains its .jpg file name extension, the file contents appear encrypted. If you open it with a hex editor, the bytes look “random”.

The reason ClamAV's --alert-broken-media option isn't detecting anything is that ClamAV doesn't use file extensions to determine file type; ClamAV tries to determine the type by evaluating the file contents. In this case, since the file has been encrypted, there is no way to know what type the file is. In cases like this, ClamAV usually scans the file as raw binary, or in this case it thinks it is UTF16-BE. In any case, because ClamAV has no idea it used to be a JPEG, the feature doesn't cause an alert.

Regards,
Micah

From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of Zvi Kave via clamav-users
Sent: Thursday, June 24, 2021 1:37 AM
To: clamav-users@lists.clamav.net
Cc: Zvi Kave <zvi.kave@razlee.com>
Subject: Re: [clamav-users] Broken media detection

> Hi Arnaud,
>
> When I try to open it, I get an error message:
> agam.jpg:
> It looks like we don't support this file format.
>
> The file is attached here.
>
> Thanks,
>
> Zvi
>
> On 6/24/2021 11:19 AM, Arnaud Jacques wrote:
>> Hello Zvi,
>>
>> On 24/06/2021 at 10:09, Zvi Kave via clamav-users wrote:
>>> Hi,
>>>
>>> I tried to use "clamscan --alert-broken-media=yes ag.jpg" to detect
>>> JPEG files spoiled by RYUK ransomware.
>>>
>>> It seems that it was not detected - ag.jpg OK.
>>>
>>> Perhaps I am not using it correctly?
>>
>> Perhaps the JPG file format is strictly correct (even if the data of the image is corrupted).
>>
>>> Please advise.
>>
>> You should send your sample to https://www.clamav.net/reports/malware
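Arnaud's "file" check and Micah's explanation come down to the same point: the type is decided from the bytes, and an encrypted file has no recognisable bytes left. The script below is an added example for this thread (not ClamAV code, and not anything posted by Zvi, Arnaud or Micah). It constructs a tiny JPEG, passes it through a toy XOR keystream that stands in for the ransomware's encryption (a labelled stand-in, not a real cipher), and shows that a magic-byte sniffer in the style of "file" classifies the result as plain "data" while its byte entropy rises to nearly 8 bits per byte. The "assess" check, which flags an image extension whose contents match no format and look uniform, is a defender's heuristic of my own for spotting files that kept their name but lost their content; it is not a ClamAV option.

```python
"""Why content-based type detection sees only "data" in an encrypted .jpg.

Added example, not part of ClamAV. The JPEG bytes, the toy keystream and
the file names are all constructed here for illustration.
"""
import math
import os
from collections import Counter

# --- constructed sample data -------------------------------------------

# A minimal JPEG: SOI marker, a JFIF APP0 segment, a zero-filled body, EOI.
# 2 + 18 + 4074 + 2 = 4096 bytes.  Constructed; not a real photo.
_JFIF_APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
PLAIN_JPEG = b"\xff\xd8" + _JFIF_APP0 + b"\x00" * 4074 + b"\xff\xd9"


def _toy_keystream(n: int, seed: int = 42) -> bytes:
    """Deterministic LCG byte stream standing in for a cipher keystream.

    NOT a real cipher: it only gives repeatable, uniform-looking bytes so the
    example runs the same way everywhere.  Low byte of a full-period LCG cycles
    through all 256 values, which is what makes the ciphertext look flat.
    """
    out = bytearray()
    x = seed
    for _ in range(n):
        x = (1103515245 * x + 12345) % 2**31
        out.append(x & 0xFF)
    return bytes(out)


def xor_encrypt(data: bytes, seed: int = 42) -> bytes:
    """XOR the plaintext with the toy keystream (stand-in for 'encrypted by ransomware')."""
    keystream = _toy_keystream(len(data), seed)
    return bytes(p ^ k for p, k in zip(data, keystream))


# Same .jpg name on disk, but the bytes no longer start with FF D8 FF.
ENCRYPTED_JPEG = xor_encrypt(PLAIN_JPEG)


# --- content-based type detection --------------------------------------

def sniff_type(data: bytes) -> str:
    """Classify by leading magic bytes, a simplified version of what `file` does.

    Only a few common formats are listed; anything else is reported as "data",
    which is exactly what `file` printed for agam.jpg in the thread.
    """
    if data.startswith(b"\xff\xd8\xff"):
        return "JPEG image data"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "PNG image data"
    if data.startswith(b"%PDF-"):
        return "PDF document"
    if data.startswith(b"PK\x03\x04"):
        return "Zip archive data"
    if data.startswith(b"MZ"):
        return "MS-DOS/PE executable"
    return "data"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


IMAGE_EXTENSIONS = {"jpg", "jpeg", "png"}


def assess(filename: str, data: bytes) -> dict:
    """Compare what the name promises with what the bytes say.

    Heuristic (my own, not a ClamAV feature): an image extension whose content
    matches no known format and whose bytes look uniform is a typical footprint
    of a file that was encrypted in place.
    """
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    sniffed = sniff_type(data)
    entropy = shannon_entropy(data)
    likely_encrypted = ext in IMAGE_EXTENSIONS and sniffed == "data" and entropy > 7.0
    return {
        "filename": filename,
        "extension": ext,
        "sniffed": sniffed,
        "entropy": round(entropy, 3),
        "likely_encrypted": likely_encrypted,
    }


if __name__ == "__main__":
    for name, blob in (("ag.jpg", PLAIN_JPEG), ("agam.jpg", ENCRYPTED_JPEG)):
        print(assess(name, blob))
```

Running it prints one line per constructed file: the intact JPEG is sniffed as "JPEG image data" with an entropy well under one bit per byte (it is mostly zeros), while the encrypted copy is sniffed as "data" with an entropy close to 8. A scanner that only has the second result to work with cannot know it was ever a JPEG, so no media-specific check can fire on it; what an operator can still act on is the mismatch between extension and content.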