On Sun, 17 Oct 2004, D Walsh wrote:
On Oct 17, 2004, at 22:49, Tomasz Kojm wrote:
On Sun, 17 Oct 2004 21:36:22 -0500 (CDT)
Damian Menscher <[EMAIL PROTECTED]> wrote:

For those running 0.80rc4 or 0.80 final, you can catch all jpeg
exploits with the following signature (add it to a local.ndb file in
your database directory):

Exploit.JPEG.Comment.FalsePos:5:0:ffd8ff

Temporarily you can use (to catch Roxe):

Exploit.JPEG.Comment.5:5:0:ffd8ffe0(00|01):3

but it may produce false positive alerts as well.

It produced an unacceptable amount of false positives (1 out of 3), and it didn't always flag the same image; sometimes it passed, sometimes it didn't.

Is this something you can share? I tested my signature pretty extensively. No false positives in 250 images, and caught all 3 infected jpegs I threw at it. I'm really interested in seeing any false positives or false negatives it might have.


Damian Menscher
--
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
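
The following added example (not from the thread's participants or the ClamAV project) is a minimal Python matcher for the two signature lines quoted above, run against constructed, benign image headers; it shows which ordinary files each pattern hits. Assumptions: the fields are read as Name:TargetType:Offset:HexSignature with an optional trailing field, the target-type check is not modelled, and all function names are hypothetical.

```python
import re

SIGS = [  # the two signature lines quoted in the thread, verbatim
    "Exploit.JPEG.Comment.FalsePos:5:0:ffd8ff",
    "Exploit.JPEG.Comment.5:5:0:ffd8ffe0(00|01):3",
]

# Constructed, benign file headers (no exploit content).
SAMPLES = {
    "jfif": bytes.fromhex("ffd8ffe000104a46494600010100000100010000"),
    "exif": bytes.fromhex("ffd8ffe100184578696600004d4d002a"),
    "png": bytes.fromhex("89504e470d0a1a0a0000000d49484452"),
}

def parse_ndb(line):
    """Split Name:TargetType:Offset:HexSig plus any optional trailing fields."""
    name, target, offset, hexsig, *extra = line.strip().split(":")
    return {"name": name, "target": int(target), "offset": offset,
            "hexsig": hexsig, "extra": extra}

def hexsig_to_regex(hexsig):
    """Handle literal hex bytes and (aa|bb) alternation; reject anything else."""
    tokens = re.findall(r"[()|]|[0-9a-fA-F]{2}", hexsig)
    if "".join(tokens) != hexsig:
        raise ValueError("unsupported signature syntax: " + hexsig)
    parts = []
    for tok in tokens:
        if tok == "(":
            parts.append(b"(?:")           # non-capturing alternation group
        elif tok in ")|":
            parts.append(tok.encode())
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts))

def matches(line, data):
    """True if the pattern hits at its absolute offset ('*' means anywhere)."""
    sig = parse_ndb(line)
    rx = hexsig_to_regex(sig["hexsig"])
    if sig["offset"] == "*":
        return rx.search(data) is not None
    return rx.match(data, int(sig["offset"])) is not None  # numeric offsets only

def report():
    """Map each signature name to the constructed samples it flags."""
    return {parse_ndb(s)["name"]: [n for n, d in SAMPLES.items() if matches(s, d)]
            for s in SIGS}

if __name__ == "__main__":
    for name, hits in report().items():
        print(name, "->", hits)
```

Both patterns are anchored only on the first few header bytes, so a clean JFIF file whose first segment length starts with a 00 byte is flagged by the second signature, and any file beginning with ffd8ff is flagged by the first.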
