[clamav-users] unexplainable tar behaviour

2019-10-29 Thread Steffen Sledz
We've a really unexplainable behaviour related to clamdscan and tar. There's a tree of subdirs and files. If I tar the complete tree and scan it with 'clamdscan -v --fdpass all.tar' an infected file is reported: 'Java.Trojan.Agent-36975 FOUND'. If I tar all subdirs of the first level in separa

Re: [clamav-users] unexplainable tar behaviour

2019-10-29 Thread Steffen Sledz
On 30.10.19 03:34, Paul Kosinski via clamav-users wrote: > How big is your file? Since ClamAV doesn't like files bigger than 4 GB, > if your file is bigger, I don't know for sure what happens. Maybe then > it doesn't really unpack the file, and thus might detect a "virus" in a > random subsequence

Re: [clamav-users] unexplainable tar behaviour

2019-10-30 Thread Steffen Sledz
On 29.10.19 15:10, Alan Stern wrote: > Try bisection... That makes things even more confusing. I have shared the tar twice with different ratios. But the individual parts are all reported as clean. # split -b 80M all.tar all # ll total 445768 -rw-r--r-- 1 root root 83886080 30. Okt 07:57 alla

Re: [clamav-users] unexplainable tar behaviour

2019-10-30 Thread Steffen Sledz
On 30.10.19 13:03, G.W. Haywood via clamav-users wrote: > I don't see what's confusing about this. > > The match is just an expression.  It isn't magic.  You could do just > the same thing from the command line for example with 'grep' although > it might take a while and you might need to read up

Re: [clamav-users] unexplainable tar behaviour

2019-10-30 Thread Steffen Sledz
On 30.10.19 13:52, Graeme Fowler via clamav-users wrote: > If you look back at the response from Al Varnell, you'll see that the decoded > signature has several parts, all joined together by wildcard matches. > > It's quite plausible that the match is on the first few bytes, some bytes > several