All I can add to the discussion is a slightly obfuscated dump of the signature, 
which is in main.ndb and was added on Apr 13, 2016:

> VIRUS NAME: Java.Trojan.Agent-36975
> TARGET TYPE: ANY FILE
> OFFSET: *
> DECODED SIGNATURE:
> java*lang*String{WILDCARD_ANY_STRING}writeEmbeddedFile{WILDCARD_ANY_STRING}LPORT{WILDCARD_ANY_STRING}LHOST

I substituted "*" for "/" in the signature in order to prevent this message 
from being detected en route.

-Al-

On Tue, Oct 29, 2019 at 01:06 AM, Steffen Sledz wrote:
> We've a really unexplainable behaviour related to clamdscan and tar.
> 
> There's a tree of subdirs and files.
> 
> If I tar the complete tree and scan it with 'clamdscan -v --fdpass all.tar' 
> an infected file is reported: 'Java.Trojan.Agent-36975 FOUND'.
> 
> If I tar all subdirs of the first level in separate tars and scan them, all 
> of them are reported OK. Same if I scan all files one by one.
> 
> So where is the infected file report coming from? Any ideas?
> 
> Environment:
> 
> # lsb_release -a
> LSB Version:    n/a
> Distributor ID: openSUSE
> Description:    openSUSE Leap 15.1
> Release:        15.1
> Codename:       n/a
> # rpm -q -i clamav
> Name        : clamav
> Version     : 0.101.4
> Release     : lp151.205.1
> Architecture: x86_64
> Install Date: Mo 28 Okt 2019 16:03:42 CET
> Group       : Productivity/Security
> Size        : 2383988
> License     : GPL-2.0-only
> Signature   : RSA/SHA256, Fr 25 Okt 2019 16:59:46 CEST, Key ID 69d1b2aaee3d166a
> Source RPM  : clamav-0.101.4-lp151.205.1.src.rpm
> Build Date  : Fr 25 Okt 2019 16:59:23 CEST
> Build Host  : lamb53
> Relocations : (not relocatable)
> Vendor      : obs://build.opensuse.org/security
> URL         : http://www.clamav.net
> Summary     : Antivirus Toolkit
> 
> _______________________________________________
> 
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml
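Added example, not code from this thread or from ClamAV: a small Python model of how an ndb body with `*` wildcards is matched against a byte stream, run over a constructed tar whose members each carry one fragment of the signature Al dumped above. It reproduces the pattern Steffen describes (the whole archive hits, while each member and each per-subdir tar is clean) as one mechanism consistent with those symptoms; that this is what happened on his system is an assumption, as are the file names and contents.

```python
import io
import re
import tarfile
# Decoded ndb body from the signature quoted above, with '*' in place of
# {WILDCARD_ANY_STRING}; in ndb a '*' matches any run of bytes, including none.
SIGNATURE = "java/lang/String*writeEmbeddedFile*LPORT*LHOST"

def ndb_wildcard_to_regex(sig: str) -> re.Pattern:
    """Turn a plain-text ndb body with '*' wildcards into a bytes regex.
    Only '*' is modelled; the real format also has ??, {n-m} and (a|b)."""
    parts = [re.escape(p.encode()) for p in sig.split("*")]
    return re.compile(b".*?".join(parts), re.DOTALL)

def build_tar(members: dict) -> bytes:
    """Pack {path: bytes} into an uncompressed in-memory tar, in dict order."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def scan_archive(pattern: re.Pattern, tar_bytes: bytes):
    """Return (hit on the raw tar stream, {member: hit on that member alone})."""
    raw_hit = pattern.search(tar_bytes) is not None
    per_member = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            per_member[m.name] = pattern.search(tar.extractfile(m).read()) is not None
    return raw_hit, per_member

def scan_per_subdir(pattern: re.Pattern, tree: dict) -> dict:
    """Tar each first-level directory on its own and scan that tar's raw stream."""
    subdirs = sorted({path.split("/", 1)[0] for path in tree})
    return {d: scan_archive(pattern, build_tar(
        {p: c for p, c in tree.items() if p.startswith(d + "/")}))[0] for d in subdirs}
# Constructed sample tree: each signature fragment sits in a different file. The
# .class fragments are CONSTANT_Utf8 entries (tag 0x01, u2 length, text), the
# form in which "java/lang/String" appears inside real class files.
SAMPLE_TREE = {
    "a/Hello.class": b"\x01\x00\x10java/lang/String",
    "b/Writer.class": b"\x01\x00\x11writeEmbeddedFile",
    "c/listener.conf": b"LPORT=4444\nLHOST=192.0.2.10\n",
}

if __name__ == "__main__":
    pat = ndb_wildcard_to_regex(SIGNATURE)
    print(scan_archive(pat, build_tar(SAMPLE_TREE)))   # (True, {... all False})
    print(scan_per_subdir(pat, SAMPLE_TREE))           # {'a': False, 'b': False, 'c': False}
```

The raw stream hits only because the fragments appear in archive order and the wildcards span the member boundaries; a scanner that also matches the unpacked members, as ClamAV does for archives, would report the same name on the container and nothing on any file inside it.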

