On Tue, 29 Oct 2019, Steffen Sledz wrote:

> We've a really unexplainable behaviour related to clamdscan and tar.
>
> There's a tree of subdirs and files.
>
> If I tar the complete tree and scan it with 'clamdscan -v --fdpass all.tar'
> an infected file is reported: 'Java.Trojan.Agent-36975 FOUND'.
>
> If I tar all subdirs of the first level in separate tars and scan them, all
> of them are reported OK. Same if I scan all files one by one.
>
> So where is the infected file report coming from? Any ideas?
Try bisection. Divide the tar file in half (roughly) and see which half triggers the detection in clamdscan. (If neither half does, split the file somewhere else, say the first 1/4 and last 3/4.) The two pieces won't be valid tar files any more, but that's okay since all you care about is whether the virus scanner objects.

Keep doing this until you have a minimal file, that is, until removing anything from the beginning or end will cause clamdscan not to detect a problem. Then see what's in the file and compare it to the original files and directories in the tree.

If you want, you can be a little more careful about how this is done. For instance, just remove parts from the end of the file until clamdscan says the file is okay. Then you'll know that the last piece you removed matches part of the signature. And the remaining initial segment of the file will still be a semi-valid tar archive, so you can list the contents and see what the final entry in the archive is.

Then start removing parts from the front of the original file until clamdscan says the remainder is okay. You'll know that the part you removed matches the beginning of the signature. Take the part that you removed and have tar list its contents; the last entry will be where the signature starts.

Alan Stern
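The "trim from the end, then from the front" procedure above, written out as a binary search so it takes log(N) scans instead of N; this is an added example and not code from the thread. It assumes the match is a contiguous byte pattern (so detection stays monotonic under truncation) and that clamdscan is on the path; DETECT_CMD is a hypothetical override used for the offline self-test.

```shell
#!/bin/sh
# detects FILE -> exit 0 if the detector flags FILE, non-zero otherwise.
# The default uses clamdscan, whose exit status is 1 when a signature
# matches (0 = clean, 2 = error). DETECT_CMD (assumed name, not a clamav
# option) may name another command that takes a filename and exits 0 on
# "found", which lets the search run without a daemon.
detects() {
    if [ -n "$DETECT_CMD" ]; then
        $DETECT_CMD "$1" >/dev/null 2>&1
    else
        clamdscan --fdpass --no-summary "$1" >/dev/null 2>&1
        [ $? -eq 1 ]
    fi
}

# min_range FILE -> prints "START END" (byte offsets, END exclusive) of the
# smallest slice, obtained by trimming the end and then the front, that
# still triggers the detector.
min_range() {
    f=$1; n=$(wc -c < "$f"); tmp=$(mktemp)
    detects "$f" || { echo "no detection on whole file" >&2; rm -f "$tmp"; return 1; }
    # Step 1: shrink the end. Invariant: [0,hi) detects, [0,lo) does not.
    lo=0; hi=$n
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        head -c "$mid" "$f" > "$tmp"
        if detects "$tmp"; then hi=$mid; else lo=$mid; fi
    done
    end=$hi
    # Step 2: shrink the start. Invariant: [lo,end) detects, [hi,end) does not.
    lo=0; hi=$end
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        head -c "$end" "$f" | tail -c +$((mid + 1)) > "$tmp"
        if detects "$tmp"; then lo=$mid; else hi=$mid; fi
    done
    rm -f "$tmp"
    echo "$lo $end"
}
```

With START known, `head -c START all.tar | tar tvf -` lists the entries that precede the match (tar will complain about the truncated end), so the next entry in the full archive is the one carrying the signature.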