ClamAV False positives on "Exploit.JPEG.Comment.1"?????

Leonardo Helman mailscanner at LISTS.COM.AR
Tue Oct 19 18:43:05 IST 2004


One more little thing about this:

The same as the other two threads happened here,
but before changing the clamscan from 0.80rc3 to 0.80
almost at 13:00 GMT, there was this update to the daily.cvd database:

-------------------------------------------------------------
ClamAV databases updated (2004.10.19 12:59 +0000): daily.cvd
version: 540

Submission: n/a
Sender: Trog
Updated: Exploit.JPEG.Comment.1
-------------------------------------------------------------

This update has caused some normal jpg's don't report as virus
with the 539 version of the database.

Anyway, I changed the clamav engine so I don't know if this
database solves everything.

Saludos
Leo

On Tue, Oct 19, 2004 at 11:12:13AM -0400, DNSAdmin wrote:
> Hello All,
>
> This morning I have two "regular" senders, one which is on my servers, another
> from outside who regularly sends to a user on our servers. They've both
> sent multiple JPEG files (which is an unusual occurrence) and they all are
> tagged by ClamAV as:
>
>     Report: ClamAV: image006.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: image007.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: image008.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: image001.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: image003.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: image004.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: image005.jpg contains Exploit.JPEG.Comment.1
>
> AND:
>
>     Report: ClamAV: msg-9197-33.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: msg-9197-34.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: msg-9197-35.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: msg-9197-36.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: msg-9197-31.jpg contains Exploit.JPEG.Comment.1
>     Report: ClamAV: msg-9197-32.jpg contains Exploit.JPEG.Comment.1
>
> I've pulled them out of the Quarantine and scanned them locally with Norton
> AV (I just checked Live Update and I'm good). They test negative. Any idea
> what is going on here?
>
> Thanks,
> Glenn
>
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> http://www.sng.ecs.soton.ac.uk/mailscanner/
> Configuration by Glenn Parsons dnsadmin-at-1bigthink.com
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
