[clamav-users] unexplainable tar behaviour

2019-10-29 Thread Steffen Sledz
We've a really unexplainable behaviour related to clamdscan and tar. There's a tree of subdirs and files. If I tar the complete tree and scan it with 'clamdscan -v --fdpass all.tar' an infected file is reported: 'Java.Trojan.Agent-36975 FOUND'. If I tar all subdirs of the first level in separa

Re: [clamav-users] unexplainable tar behaviour

2019-10-29 Thread Al Varnell via clamav-users
All I can add to the discussion is a slightly obfuscated dump of the signature, which is in main.ndb and was added on Apr 13, 2016:
> VIRUS NAME: Java.Trojan.Agent-36975
> TARGET TYPE: ANY FILE
> OFFSET: *
> DECODED SIGNATURE:
> java*lang*String{WILDCARD_ANY_STRING}writeEmbeddedFile{WILDCARD_ANY_

Re: [clamav-users] unexplainable tar behaviour

2019-10-29 Thread Alan Stern
On Tue, 29 Oct 2019, Steffen Sledz wrote:
> We've a really unexplainable behaviour related to clamdscan and tar.
>
> There's a tree of subdirs and files.
>
> If I tar the complete tree and scan it with 'clamdscan -v --fdpass all.tar'
> an infected file is reported: 'Java.Trojan.Agent-36975 FOU

Re: [clamav-users] unexplainable tar behaviour

2019-10-29 Thread Noel Jones
On 10/29/2019 3:06 AM, Steffen Sledz wrote: We've a really unexplainable behaviour related to clamdscan and tar. There's a tree of subdirs and files. If I tar the complete tree and scan it with 'clamdscan -v --fdpass all.tar' an infected file is reported: 'Java.Trojan.Agent-36975 FOUND'. If

Re: [clamav-users] unexplainable tar behaviour

2019-10-29 Thread Paul Kosinski via clamav-users
I thought ClamAV unpacked TARs (and other archives) and looked at the contents. If it doesn't, it wouldn't be very effective in detecting viruses in compressed files. How big is your file? Since ClamAV doesn't like files bigger than 4 GB, if your file is bigger, I don't know for sure what happens.

Re: [clamav-users] unexplainable tar behaviour

2019-10-29 Thread Steffen Sledz
On 30.10.19 03:34, Paul Kosinski via clamav-users wrote:
> How big is your file? Since ClamAV doesn't like files bigger than 4 GB,
> if your file is bigger, I don't know for sure what happens. Maybe then
> it doesn't really unpack the file, and thus might detect a "virus" in a
> random subsequence