I thought ClamAV unpacked TARs (and other archives) and looked at the contents. If it doesn't, it wouldn't be very effective in detecting viruses in compressed files.
How big is your file? Since ClamAV doesn't like files bigger than 4 GB, if your file is bigger, I don't know for sure what happens. Maybe then it doesn't really unpack the file, and thus might detect a "virus" in a random subsequence of bytes.

On Tue, 29 Oct 2019 09:45:16 -0500 Noel Jones <njo...@megan.vbhcs.org> wrote:

> On 10/29/2019 3:06 AM, Steffen Sledz wrote:
> > We've a really unexplainable behaviour related to clamdscan and tar.
> >
> > There's a tree of subdirs and files.
> >
> > If I tar the complete tree and scan it with 'clamdscan -v --fdpass
> > all.tar' an infected file is reported: 'Java.Trojan.Agent-36975
> > FOUND'.
> >
> > If I tar all subdirs of the first level in separate tars and scan
> > them, all of them are reported OK. Same if I scan all files one by
> > one.
> >
> > So where's the infected file report coming from? Any ideas?
>
> There is no virus. You're creating a false positive from scanning a
> large blob of data where the signature picks up random bits from
> different files.
>
> {random data}{part of signature}{random data}{other part of
> signature}...{repeat as needed}
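
A toy model of the explanation quoted above, added here as an example that is not part of the original thread or of ClamAV: a constructed two-part pattern with a wildcard gap matches the raw bytes of a tar whose members each hold one half, but matches no single member and no per-subdirectory tar. The pattern bytes, file names and the regex matcher are assumptions for illustration; ClamAV's engine and the real Java.Trojan.Agent-36975 signature are not reproduced.

```python
import io
import re
import tarfile

# Constructed two-part pattern standing in for a wildcard signature:
# PART_A, then any number of bytes, then PART_B.
PART_A = b"\xca\xfe\xd0\x0d-partA"
PART_B = b"partB-\x0b\xad\xf0\x0d"
SIGNATURE = re.compile(re.escape(PART_A) + b".*" + re.escape(PART_B), re.DOTALL)

def matches(data: bytes) -> bool:
    """True if the whole pattern (both parts, in order) occurs in data."""
    return SIGNATURE.search(data) is not None

def build_tar(files: dict) -> bytes:
    """Build an uncompressed tar in memory from {name: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def scan_members(tar_bytes: bytes) -> dict:
    """Unpack the tar and match each regular file on its own."""
    results = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for member in tar.getmembers():
            if member.isfile():
                results[member.name] = matches(tar.extractfile(member).read())
    return results

# Constructed sample tree: each file carries only one half of the pattern.
FILES = {
    "sub1/a.bin": b"harmless data " + PART_A + b" more data",
    "sub2/b.bin": b"other data " + PART_B + b" trailing",
}
ALL_TAR = build_tar(FILES)

def report() -> dict:
    return {
        "raw_tar": matches(ALL_TAR),          # whole blob scanned as-is
        "members": scan_members(ALL_TAR),     # files scanned one by one
        "per_subdir_tars": {n: matches(build_tar({n: c})) for n, c in FILES.items()},
    }

if __name__ == "__main__":
    print(report())
```

Scanning the members individually, as the original poster did, is the quick check that separates this kind of cross-file match from a detection inside one file.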