On 30/10/2019, 12:43, "clamav-users on behalf of Steffen Sledz" <clamav-users-boun...@lists.clamav.net on behalf of sl...@dresearch-fe.de> wrote:

> Here "the expression" matches in all.tar, but not in allaa, not in allab, and
> not in allac. Hmmm again?
>
> For me this is confusing!

If you look back at the response from Al Varnell, you'll see that the decoded signature has several parts, all joined together by wildcard matches. It's quite plausible that the match is on the first few bytes, some bytes several megabytes later, some more bytes several megabytes later still, and then the last few bytes in the file.

If that's the case (and with a tar file that's reasonably plausible), then bisecting/dissecting your file means that the signature will never match. It will only match on the whole entire file.

There's a form here:

https://www.clamav.net/reports/fp

...through which you can report false positives, but you will need to provide your file.

Graeme
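
The behaviour described in the reply above, as an added example that is not part of the original message and is not ClamAV's own code: a simplified matcher for a body signature whose hex fragments are joined by the `*` wildcard, run over a whole buffer and over its split pieces. The signature, the sample data and all function names are constructed for illustration, and only `*` is modelled.

```python
# Simplified model of a wildcard-joined body signature (assumption: only the
# "*" wildcard, meaning "any number of bytes", is handled here).

SIGNATURE = "48454144*4d4944444c45*5441494c"  # constructed: HEAD * MIDDLE * TAIL


def parse_signature(sig: str) -> list[bytes]:
    """Split the signature on '*' and decode each hex fragment."""
    return [bytes.fromhex(part) for part in sig.split("*")]


def matches(data: bytes, fragments: list[bytes]) -> bool:
    """True if every fragment occurs in order, with any gap between them."""
    pos = 0
    for frag in fragments:
        idx = data.find(frag, pos)
        if idx < 0:
            return False
        pos = idx + len(frag)
    return True


def split_chunks(data: bytes, size: int) -> list[bytes]:
    """Cut the buffer into fixed-size pieces, as split(1) does with a file."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def build_sample() -> bytes:
    """Constructed stand-in for the archive: fragments far apart in filler."""
    filler = b"\x00" * 4096
    return b"HEAD" + filler + b"MIDDLE" + filler + b"TAIL"


def scan_whole_and_pieces(chunk_size: int = 3000):
    """Return (whole-file verdict, per-piece verdicts, piece holding each fragment)."""
    fragments = parse_signature(SIGNATURE)
    data = build_sample()
    pieces = split_chunks(data, chunk_size)
    whole = matches(data, fragments)
    per_piece = [matches(p, fragments) for p in pieces]
    # Which piece contains each individual fragment on its own?
    located = [next(i for i, p in enumerate(pieces) if f in p) for f in fragments]
    return whole, per_piece, located


if __name__ == "__main__":
    whole, per_piece, located = scan_whole_and_pieces()
    print("whole file matches:", whole)
    print("pieces match:", per_piece)
    print("fragment -> piece index:", located)
```

Each fragment is still present in some piece, but no single piece holds all of them in order, so only the unsplit buffer matches.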