On 10/29/2019 3:06 AM, Steffen Sledz wrote:
We've a really unexplainable behaviour related to clamdscan and tar.

There's a tree of subdirs and files.

If I tar the complete tree and scan it with 'clamdscan  -v --fdpass all.tar' an 
infected file is reported: 'Java.Trojan.Agent-36975 FOUND'.

If I tar all subdirs of the first level in separate tars and scan them, all of 
them are reported OK. Same if I scan all files one by one.

So where is the infected file report coming from? Any ideas?



There is no virus. You're creating a false positive from scanning a large blob of data where the signature picks up random bits from different files.

{random data}{part of signature}{random data}{other part of signature}...{repeat as needed}

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
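
The effect described in the reply, as an added illustration (not code from the thread and not ClamAV's matching engine): a toy matcher for a two-part pattern with an arbitrary gap between the parts, run over a constructed two-file tree the way the original poster scanned his. The pattern bytes, file names and function names are all made up for the example.

```python
import io
import tarfile

# Constructed two-part pattern: PART_A, any number of bytes, then PART_B.
# These bytes are invented for the example; this is not a real signature.
PART_A = b"\x13\x37PARTA\x00"
PART_B = b"PARTB\xff\xee"

def matches(data: bytes, parts=(PART_A, PART_B)) -> bool:
    """True if every part occurs in order, with arbitrary gaps in between."""
    pos = 0
    for part in parts:
        idx = data.find(part, pos)
        if idx < 0:
            return False
        pos = idx + len(part)
    return True

def make_tar(members: dict) -> bytes:
    """Build an uncompressed tar in memory from {name: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

# Constructed sample tree: each file holds only one half of the pattern.
TREE = {
    "dir1/a.bin": b"header " + PART_A + b" padding",
    "dir2/b.txt": b"text " + PART_B + b" more text",
}

def scan_report(tree: dict) -> dict:
    """Scan each file, each first-level subdir tar, and the whole-tree tar."""
    report = {f"file:{n}": matches(c) for n, c in tree.items()}
    for top in sorted({n.split("/")[0] for n in tree}):
        sub = {n: c for n, c in tree.items() if n.startswith(top + "/")}
        report[f"tar:{top}"] = matches(make_tar(sub))
    report["tar:all"] = matches(make_tar(tree))
    return report

if __name__ == "__main__":
    for target, hit in scan_report(TREE).items():
        print(f"{target:16} {'FOUND' if hit else 'OK'}")
```

Only the whole-tree tar is flagged, because it is the only input in which both parts appear in the required order; storing the two files in the opposite order inside the archive makes the match disappear as well.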

