ClamAV False positives on "Exploit.JPEG.Comment.1"?????

Chris Conn cconn at ABACOM.COM
Tue Oct 19 16:21:13 IST 2004


<x-flowed>
DNSAdmin wrote:
> Hello All,
>
> This morning I have two "regular" senders, one who is on my servers, another
> from outside who regularly sends to a user on our servers. They've both
> sent multiple JPEG files (which is an unusual occurrence) and they all are
> tagged by ClamAV as:
>
>     Report: ClamAV: image006.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: image007.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: image008.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: image001.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: image003.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: image004.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: image005.jpg contains Exploit.JPEG.Comment.1
>
> AND:
>
>     Report: ClamAV: msg-9197-33.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: msg-9197-34.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: msg-9197-35.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: msg-9197-36.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: msg-9197-31.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: msg-9197-32.jpg contains Exploit.JPEG.Comment.1
>
> I've pulled them out of the Quarantine and scanned them locally with Norton
> AV (I just checked Live Update and I'm good). They test negative. Any idea
> what is going on here?

Hello,

Asking this question these days is treading on thin ice...someone might
call you an egoist, a caveman or other various labels =)

Like many, you are probably using a pre-built RPM or what have you of a
0.80-rcXX release candidate, and it is out of date as of yesterday
(which makes anything before it very obsolete and quite antiquated...).
OR, you are still using signature version 535, which had some sort of
matching problem with .jpg files from what I understand from the release
information of 536, which says:

Notes: Re-issue these sigs, modified to work around a scanning error.
Notes: daily:535 reverted to previous signatures.


So take your pick, and choose your words for this list =)  And upgrade
to 0.80 release.

Been there, done that,

Chris

</x-flowed>
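
The two causes named in the reply above (a 0.80 release-candidate engine, or daily signature version 535) can both be read off the scanner's version banner. The script below is an added example, not part of the original post; it assumes the banner form `ClamAV <engine>/<daily>/<date>` printed by `clamscan --version`, assumes release candidates report an engine string such as `0.80rc4`, and `check_banner` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: triage a ClamAV version banner against the two causes
# named in the reply (0.80 release-candidate engine, daily signatures 535).
# Assumed banner form: ClamAV <engine>/<daily>/<date>

# check_banner BANNER
# Prints one of: ok, engine-rc, daily-535, engine-rc+daily-535, unparsed
check_banner() {
    banner=$1

    # Reject anything that is not a version banner (for example an error
    # message from a missing binary).
    case $banner in
        "ClamAV "*/*) ;;
        *) echo unparsed; return 0 ;;
    esac

    rest=${banner#ClamAV }     # "<engine>/<daily>/<date>"
    engine=${rest%%/*}         # text before the first slash
    rest=${rest#*/}            # "<daily>/<date>"
    daily=${rest%%/*}          # text before the next slash

    # The daily signature version must be a plain number.
    case $daily in
        ''|*[!0-9]*) echo unparsed; return 0 ;;
    esac

    findings=
    # Assumption: rc builds identify themselves as 0.80rcN or 0.80-rcN.
    case $engine in
        0.80rc*|0.80-rc*) findings=engine-rc ;;
    esac
    # daily:535 is the signature set the 536 release notes refer to.
    if [ "$daily" -eq 535 ]; then
        findings=${findings:+$findings+}daily-535
    fi

    echo "${findings:-ok}"
}
```

On a mail gateway, source the file and run `check_banner "$(clamscan --version)"`; any result other than `ok` points at the engine upgrade or signature update described in the reply.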


