On Thu, 2004-09-30 at 08:26, Damian Menscher wrote:
> false positive. Only the third rule:
> Exploit.JPEG.Comment.3:5:0:ffd8fffe00(00|01)
> is 100% safe. (Note that I work for the Imaging Technology Group, so a
> false positive on a jpeg would be a Very Bad Thing. And even a 0.01%
> failure rate is bad when you have 1765217 jpegs.)
>
> Of course, one option would be to handle a .jpg in the same way as a
> .zip, .tar, etc and actually look at it with an understanding of the
> file format. That means not scanning the comments themselves, only the
> data headers. Of course, that means writing an entire scanning module
> just for .jpg files. This does NOT scale well.
>

CVS contains some code to parse JPEG files *only* when they match against an Exploit.JPEG.Comment signature. This should remove false positives, and hopefully still not miss any real samples.

-trog
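
The two-stage check discussed in this thread (pattern hit first, then a format-aware parse to confirm), sketched as an added example; it is not ClamAV's code and not from either poster. The function names, the unanchored pattern and the byte samples are constructed for illustration, and the check relies on the JPEG rule that a segment length counts its own two bytes, so a comment length of 0 or 1 is never valid.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed samples, not real files. FP: a valid 6-byte comment whose
 * payload happens to contain ff fe 00 00. BAD: a comment with length 0. */
static const unsigned char SAMPLE_FP[]  = {0xFF,0xD8, 0xFF,0xFE,0x00,0x06,
                                           0xFF,0xFE,0x00,0x00, 0xFF,0xD9};
static const unsigned char SAMPLE_BAD[] = {0xFF,0xD8, 0xFF,0xFE,0x00,0x00,
                                           0xFF,0xD9};

/* Hypothetical unanchored pattern: ff fe 00 (00|01) anywhere in the file. */
int naive_match(const unsigned char *b, size_t n)
{
    for (size_t i = 0; i + 4 <= n; i++)
        if (b[i] == 0xFF && b[i+1] == 0xFE && b[i+2] == 0 && b[i+3] <= 1)
            return 1;
    return 0;
}

/* Walk the header segments only.
 * Returns 1 = COM segment with length < 2, 0 = none found, -1 = no SOI. */
int jpeg_bad_comment(const unsigned char *b, size_t n)
{
    size_t i = 2;
    if (n < 4 || b[0] != 0xFF || b[1] != 0xD8) return -1;
    while (i + 4 <= n) {
        unsigned m = b[i + 1];
        if (b[i] != 0xFF) return 0;               /* lost sync: stop */
        if (m == 0xFF) { i++; continue; }         /* fill byte */
        if (m == 0xD9 || m == 0xDA) return 0;     /* EOI / start of scan */
        if (m == 0x01 || (m >= 0xD0 && m <= 0xD7)) { i += 2; continue; }
        size_t len = ((size_t)b[i + 2] << 8) | b[i + 3];
        if (len < 2) return m == 0xFE;            /* length counts itself */
        i += 2 + len;                             /* payload is skipped, not scanned */
    }
    return 0;
}

/* Parse only when the pattern has already matched, then confirm. */
int scan(const unsigned char *b, size_t n)
{
    return naive_match(b, n) && jpeg_bad_comment(b, n) == 1;
}

int main(void)
{
    printf("FP:  naive=%d scan=%d\n", naive_match(SAMPLE_FP, sizeof SAMPLE_FP),
           scan(SAMPLE_FP, sizeof SAMPLE_FP));
    printf("BAD: naive=%d scan=%d\n", naive_match(SAMPLE_BAD, sizeof SAMPLE_BAD),
           scan(SAMPLE_BAD, sizeof SAMPLE_BAD));
    return 0;
}
```

Because the walker jumps over each segment's payload by its declared length, pattern bytes inside a well-formed comment never reach the length check, and the parse cost is paid only on files the pattern already flagged.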
_______________________________________________ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users