ClamScan reports max-width.gif to be infected with BC.Gif.Exploit.Agent-1425366.Agent
Reproduces: always
Steps to reproduce:
git clone https://github.com/GNOME/gdk-pixbuf.git
clamscan --infected --recursive gdk-pixbuf/
- report would then look like:
gdk-pixbuf/tests/test-images/gif-test-suite/max-width.gif: BC.Gif.Exploit.Agent-1425366.Agent FOUND
----------- SCAN SUMMARY -----------
Known viruses: 6698996
Engine version: 0.98.4
Scanned directories: 33
Scanned files: 672
Infected files: 1
Data scanned: 31.93 MB
Data read: 172.54 MB (ratio 0.19:1)
Time: 44.196 sec (0 m 44 s)
This is most likely a false positive as no other antivirus engine reports this file to be infected.
There are a few reports on the Internet which mention gdk-pixbuf and the detection in question: 1, 2, 3, but none of them seem to explain why that happens. Here someone claims this file (detected as malicious) was intentionally added, but there's no rationale for why it has to be like that. I get that the image has to be wide. What I don't understand is why it triggers a detection.
Is it possible to investigate the issue?
I also believe it would be nice to have an explanation published for others who are also lurking. Or maybe the file can somehow be modified to stop triggering the detection if it is indeed harmless, without ruining the test suite of course.
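A triage aid for this kind of report, added here as an example and not part of the original report or of gdk-pixbuf: it walks a GIF's block structure and returns the declared logical-screen and per-frame dimensions, so a flagged test image can be inspected without decoding it. The function names and the sample bytes are constructed for illustration (the sample uses 65535, the largest value a 16-bit field holds), and nothing here establishes what the ClamAV signature actually matches on.

```python
import struct
import sys

def _skip_sub_blocks(data, pos):
    """Advance past a chain of GIF data sub-blocks (length byte + payload; 0 ends it)."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos

def gif_dimensions(data):
    """Return (screen_width, screen_height, [(w, h) for each image descriptor])."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    screen_w, screen_h, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13                                  # header (6) + logical screen descriptor (7)
    if packed & 0x80:                         # global color table present
        pos += 3 * (2 << (packed & 7))
    frames = []
    while pos < len(data):
        kind = data[pos]
        if kind == 0x3B:                      # trailer
            break
        if kind == 0x21:                      # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif kind == 0x2C:                    # image descriptor
            if pos + 10 > len(data):
                raise ValueError("truncated image descriptor")
            _, _, w, h, fpacked = struct.unpack_from("<HHHHB", data, pos + 1)
            frames.append((w, h))
            pos += 10
            if fpacked & 0x80:                # local color table present
                pos += 3 * (2 << (fpacked & 7))
            pos = _skip_sub_blocks(data, pos + 1)   # +1 skips the LZW minimum code size
        else:
            raise ValueError(f"unexpected block type 0x{kind:02x} at offset {pos}")
    return screen_w, screen_h, frames

# Constructed sample (not the real max-width.gif): one 65535x1 frame, 2-color palette.
SAMPLE = (b"GIF89a" + struct.pack("<HHBBB", 65535, 1, 0x80, 0, 0)
          + bytes(6)                                        # global color table
          + b"\x2c" + struct.pack("<HHHHB", 0, 0, 65535, 1, 0)
          + b"\x02" + b"\x02\x4c\x01" + b"\x00"             # LZW data (skipped, not decoded)
          + b"\x3b")

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(gif_dimensions(raw))
```

Run it with the path of the flagged file as the only argument; with no argument it prints the dimensions of the constructed sample.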