ClamAV False positives on "Exploit.JPEG.Comment.1"?????

Julian Field mailscanner at ecs.soton.ac.uk
Tue Oct 19 16:29:06 IST 2004 

<x-flowed>
As mentioned elsewhere on this list today, upgrade to the stable release of
ClamAV.

At 16:12 19/10/2004, you wrote:
>Hello All,
>
>This morning I have two "regular" senders, one which on my servers, another
>from outside who regularly sends to a user on our servers. They've both
>sent multiple JPeG files (which is an unusual occurrence) and they all are
>tagged by ClamAV as:
>
>     Report: ClamAV: image006.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: image007.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: image008.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: image001.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: image003.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: image004.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: image005.jpg contains Exploit.JPEG.Comment.1
>
>AND:
>
>     Report: ClamAV: msg-9197-33.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: msg-9197-34.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: msg-9197-35.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: msg-9197-36.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: msg-9197-31.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: msg-9197-32.jpg contains Exploit.JPEG.Comment.1
>
>I've pulled them out of the Quarantine and scanned them locally with Norton
>AV (I just checked Live Update and I'm good). They test negative. Any idea
>what is going on here?
>
>Thanks,
>Glenn
>
>
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.
>http://www.sng.ecs.soton.ac.uk/mailscanner/
>Configuration by Glenn Parsons dnsadmin-at-1bigthink.com
>
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
</x-flowed>

More information about the MailScanner mailing list