On Oct 17, 2004, at 22:49, Tomasz Kojm wrote:
On Sun, 17 Oct 2004 21:36:22 -0500 (CDT) Damian Menscher <[EMAIL PROTECTED]> wrote:
For those running 0.80rc4 or 0.80 final, you can catch all jpeg exploits with the following signature (add it to a local.ndb file in your database directory):
Exploit.JPEG.Comment.FalsePos:5:0:ffd8ff
Temporarily you can use (to catch Roxe):
Exploit.JPEG.Comment.5:5:0:ffd8ffe0(00|01):3
but it may produce false positive alerts as well.
It produced an unacceptable amount of false positives (1 out of 3) and it didn't always flag the same image; sometimes it passed, sometimes it didn't.
--
oo ..... Tomasz Kojm <[EMAIL PROTECTED]>
(\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg
\..........._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Mon Oct 18 04:48:20 CEST 2004
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

--
Dale
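Added example, not part of the original thread and not ClamAV's own code: a simplified model of how the two `.ndb` lines quoted above match at offset 0, showing why both fire on benign JPEG headers. It assumes the layout `Name:TargetType:Offset:HexSignature[:MinFL]` (reading the trailing `:3` as a minimum engine level), ignores the target type, and uses constructed header bytes as samples.

```python
import re

BROAD = "Exploit.JPEG.Comment.FalsePos:5:0:ffd8ff"
NARROW = "Exploit.JPEG.Comment.5:5:0:ffd8ffe0(00|01):3"

# Constructed sample headers (not taken from real files).
JFIF = bytes.fromhex("ffd8ffe000104a46494600010100000100010000")  # SOI + APP0, length 0x0010
EXIF = bytes.fromhex("ffd8ffe1001845786966000049492a00")          # SOI + APP1
PNG = bytes.fromhex("89504e470d0a1a0a")

def parse_ndb(line):
    """Split one signature line into fields (simplified; target type is not enforced)."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("expected Name:TargetType:Offset:HexSignature")
    name, target, offset, hexsig = parts[:4]
    min_fl = int(parts[4]) if len(parts) > 4 and parts[4] else None
    return {"name": name, "target": int(target), "offset": offset,
            "hexsig": hexsig, "min_fl": min_fl}

def hexsig_to_regex(hexsig):
    """Translate plain hex bytes and (aa|bb) alternatives into a bytes regex."""
    out, i = [], 0
    while i < len(hexsig):
        if hexsig[i] == "(":
            end = hexsig.index(")", i)
            alts = hexsig[i + 1:end].split("|")
            out.append(b"(?:" + b"|".join(re.escape(bytes.fromhex(a)) for a in alts) + b")")
            i = end + 1
        else:
            out.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
    return re.compile(b"".join(out), re.DOTALL)

def matches(line, data):
    """True if the signature body matches at its absolute offset ('*' means anywhere)."""
    sig = parse_ndb(line)
    rx = hexsig_to_regex(sig["hexsig"])
    if sig["offset"] == "*":
        return rx.search(data) is not None
    return rx.match(data, int(sig["offset"])) is not None

def report():
    """Map each signature name to the constructed samples it flags."""
    samples = {"jfif": JFIF, "exif": EXIF, "png": PNG}
    return {parse_ndb(s)["name"]: [n for n, d in samples.items() if matches(s, d)]
            for s in (BROAD, NARROW)}

if __name__ == "__main__":
    print(report())
```

The three-byte body is just the JPEG start-of-image marker plus the first byte of the next marker, so it flags every JPEG; the longer body still flags any file that opens with an APP0 segment whose length high byte is 00 or 01, which includes ordinary JFIF images.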