On 30.10.19 at 03:34, Paul Kosinski via clamav-users wrote:
> I thought ClamAV unpacked TARs (and other archives) and looked at the
> contents. If it doesn't, it wouldn't be very effective in detecting
> viruses in compressed files.
Yes it does, but IIUC it matches signatures not only to the extr
Yessir, it does indeed scan the raw file and if nothing is found (or you're
running in allmatch mode) it will decompress the archive and scan the files
within. ClamAV has a default archive recursion depth of 16, so it will go
pretty deep.
I don’t think it's been explicitly stated yet, tar fi
Hi there,
On Thu, 31 Oct 2019, J.R. via clamav-users wrote:
> Is ClamAV scanning the archive as-is, then additionally (hopefully)
> decompressing it and scanning individual files?
man clamd.conf (search for 'ScanArchive')
> Is there a way to debug with more info to see exactly what is going
> on wi
> I thought ClamAV unpacked TARs (and other archives) and looked at the
> contents. If it doesn't, it wouldn't be very effective in detecting
> viruses in compressed files.
I've been wondering about this too during this particular discussion.
Is ClamAV scanning the archive as-is, then additionally
On 30.10.19 13:52, Graeme Fowler via clamav-users wrote:
> If you look back at the response from Al Varnell, you'll see that the decoded
> signature has several parts, all joined together by wildcard matches.
>
> It's quite plausible that the match is on the first few bytes, some bytes
> several
On 30/10/2019, 12:43, "clamav-users on behalf of Steffen Sledz"
wrote:
> Here "the expression" matches in all.tar, but not in allaa, not in allab, and
> not in allac. Hmmm again?
>
> For me this is confusing!
If you look back at the response from Al Varnell, you'll see that the decoded
signat
On 30.10.19 13:03, G.W. Haywood via clamav-users wrote:
> I don't see what's confusing about this.
>
> The match is just an expression. It isn't magic. You could do just
> the same thing from the command line for example with 'grep' although
> it might take a while and you might need to read up
Hi there,
On Wed, 30 Oct 2019, Steffen Sledz wrote:
> On 29.10.19 15:10, Alan Stern wrote:
> > Try bisection...
> That makes things even more confusing.
I don't see what's confusing about this.
The match is just an expression. It isn't magic. You could do just
the same thing from the command lin
On 29.10.19 15:10, Alan Stern wrote:
> Try bisection...
That makes things even more confusing.
I have shared the tar twice with different ratios. But the individual parts are
all reported as clean.
# split -b 80M all.tar all
# ll
total 445768
-rw-r--r-- 1 root root 83886080 30. Okt 07:57 alla
On 30.10.19 03:34, Paul Kosinski via clamav-users wrote:
> How big is your file? Since ClamAV doesn't like files bigger than 4 GB,
> if your file is bigger, I don't know for sure what happens. Maybe then
> it doesn't really unpack the file, and thus might detect a "virus" in a
> random subsequence
I thought ClamAV unpacked TARs (and other archives) and looked at the
contents. If it doesn't, it wouldn't be very effective in detecting
viruses in compressed files.
How big is your file? Since ClamAV doesn't like files bigger than 4 GB,
if your file is bigger, I don't know for sure what happens.
On 10/29/2019 3:06 AM, Steffen Sledz wrote:
> We've a really unexplainable behaviour related to clamdscan and tar.
> There's a tree of subdirs and files.
> If I tar the complete tree and scan it with 'clamdscan -v --fdpass all.tar' an
> infected file is reported: 'Java.Trojan.Agent-36975 FOUND'.
> If
On Tue, 29 Oct 2019, Steffen Sledz wrote:
> We've a really unexplainable behaviour related to clamdscan and tar.
>
> There's a tree of subdirs and files.
>
> If I tar the complete tree and scan it with 'clamdscan -v --fdpass all.tar'
> an infected file is reported: 'Java.Trojan.Agent-36975 FOU
All I can add to the discussion is a slightly obfuscated dump of the signature,
which is in main.ndb and was added on Apr 13, 2016:
> VIRUS NAME: Java.Trojan.Agent-36975
> TARGET TYPE: ANY FILE
> OFFSET: *
> DECODED SIGNATURE:
> java*lang*String{WILDCARD_ANY_STRING}writeEmbeddedFile{WILDCARD_ANY_
14 matches