Best I can tell, the Norton filter looks something like this:
\xFF\xD8.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01].*
AnthraX101
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
That would seem to be in the Char_Header function...
-Original Message-
From: Aaron Horst [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 28, 2004 3:08 PM
To: [EMAIL PROTECTED]
Cc: Todd Towles
Subject: RE: FW: [Full-Disclosure] JPEG AV Detection
Best I can tell, the Norton filter
After looking into what the AV companies base their signature on, it
appears that they use the \xff\xfe\x00\x00 or \xff\xfe\x00\x01 string in
the vulnerable JPEG. If you change the size to a valid size, the AV is
not triggered.
I know there is some talk about other sections being vulnerable
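
Added example, not part of the original thread: a structural check in Python for the condition the signatures discussed above key on, a JPEG segment length field of 0 or 1. It goes beyond the four markers in the regex by walking every length-bearing segment up to SOS, so the same byte string sitting inside a valid segment's payload is not flagged; the function name and sample bytes are constructed for illustration.

```python
import struct

# Markers that stand alone and carry no length field (TEM, RSTn, SOI, EOI).
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))

def find_bad_segment_lengths(data: bytes):
    """Walk JPEG segments; return [(offset, marker, length)] where length < 2.

    The 16-bit segment length counts its own two bytes, so 0 and 1 are
    never valid. Parsing stops at SOS (0xDA) or EOI (0xD9).
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    findings, pos = [], 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            break                      # lost sync; stop rather than guess
        marker = data[pos + 1]
        if marker == 0xFF:             # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            if marker == 0xD9:
                break                  # end of image
            pos += 2
            continue
        if pos + 4 > len(data):
            break                      # truncated segment header
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            findings.append((pos, marker, length))
            break                      # next segment cannot be located reliably
        if marker == 0xDA:
            break                      # entropy-coded data follows
        pos += 2 + length
    return findings

# Constructed sample inputs (hand-built byte strings, not real image files).
SOI, EOI = b"\xff\xd8", b"\xff\xd9"
APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
MALFORMED = SOI + APP0 + b"\xff\xfe\x00\x01" + EOI        # COM, length 1
VALID_COMMENT = SOI + APP0 + b"\xff\xfe\x00\x04hi" + EOI  # COM, length 4
# Same bytes as the signature, but inside a valid APP1 payload.
EMBEDDED = SOI + APP0 + b"\xff\xe1\x00\x06\xff\xfe\x00\x00" + EOI

if __name__ == "__main__":
    for name in ("MALFORMED", "VALID_COMMENT", "EMBEDDED"):
        print(name, find_bad_segment_lengths(globals()[name]))
```

A plain byte search for \xff\xfe\x00\x00 matches the EMBEDDED sample, while the segment walk reports nothing for it.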