[clamav-users] unexplainable tar behaviour

Al Varnell alvarnell at mac.com
Tue Oct 29 05:53:06 EDT 2019


All I can add to the discussion is a slightly obfuscated dump of the signature, which is in main.ndb and was added on Apr 13, 2016:

> VIRUS NAME: Java.Trojan.Agent-36975
> TARGET TYPE: ANY FILE
> OFFSET: *
> DECODED SIGNATURE:
> java*lang*String{WILDCARD_ANY_STRING}writeEmbeddedFile{WILDCARD_ANY_STRING}LPORT{WILDCARD_ANY_STRING}LHOST

I substituted "*" for "/" in the signature in order to prevent this message from being detected en route.

-Al-

On Tue, Oct 29, 2019 at 01:06 AM, Steffen Sledz wrote:
> We have a really unexplainable behaviour related to clamdscan and tar.
> 
> There's a tree of subdirs and files.
> 
> If I tar the complete tree and scan it with 'clamdscan -v --fdpass all.tar' an infected file is reported: 'Java.Trojan.Agent-36975 FOUND'.
> 
> If I tar all subdirs of the first level in separate tars and scan them, all of them are reported OK. Same if I scan all files one by one.
> 
> So where is the infected file report coming from? Any ideas?
> 
> Environment:
> 
> # lsb_release -a
> LSB Version:    n/a
> Distributor ID: openSUSE
> Description:    openSUSE Leap 15.1
> Release:        15.1
> Codename:       n/a
> # rpm -q -i clamav
> Name        : clamav
> Version     : 0.101.4
> Release     : lp151.205.1
> Architecture: x86_64
> Install Date: Mo 28 Okt 2019 16:03:42 CET
> Group       : Productivity/Security
> Size        : 2383988
> License     : GPL-2.0-only
> Signature   : RSA/SHA256, Fr 25 Okt 2019 16:59:46 CEST, Key ID 69d1b2aaee3d166a
> Source RPM  : clamav-0.101.4-lp151.205.1.src.rpm
> Build Date  : Fr 25 Okt 2019 16:59:23 CEST
> Build Host  : lamb53
> Relocations : (not relocatable)
> Vendor      : obs://build.opensuse.org/security
> URL         : http://www.clamav.net
> Summary     : Antivirus Toolkit
> 


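The signature Al dumped (the dump has the shape of `sigtool --decode-sigs` output) is a plain-text fragment pattern with unbounded `*` gaps and no target-type or offset restriction. One reading consistent with what Steffen observed is that the raw all.tar is itself scanned as a single stream, so the four fragments may sit in four different member files and still match in order, while no per-subdir tar and no individual file contains all of them. The following is an added example written for this post, not ClamAV code and not the real main.ndb entry: it encodes the quoted fragments (with "/" restored) as a constructed .ndb line, compiles it with a simplified matcher (each `*` becomes a non-greedy "any bytes" gap; ClamAV's real matcher has more rules than this), and builds a constructed three-subdir tree to show the whole-tar hit versus the per-subdir and per-file misses. The file names and contents in `TREE` are invented.

```python
import io
import re
import tarfile

# Constructed .ndb line in ClamAV's extended signature format:
#   MalwareName:TargetType:Offset:HexSignature
# TargetType 0 = any file, Offset * = anywhere, and a bare '*' inside the
# hex body is the "any bytes" wildcard. The fragments are the ones quoted
# in the thread (with '/' restored); the real main.ndb entry is NOT copied.
def hexsig(fragments):
    """Join literal fragments into a ClamAV-style hex body with * gaps."""
    return "*".join(f.encode().hex() for f in fragments)

NDB_LINE = "Example.Agent:0:*:" + hexsig(
    ["java/lang/String", "writeEmbeddedFile", "LPORT", "LHOST"])

def ndb_to_regex(line):
    """Compile one .ndb line into (name, regex).

    Simplified matcher (assumption, not ClamAV's engine): each '*' becomes
    a non-greedy any-bytes gap; DOTALL lets gaps span newlines and binary
    data. Only TargetType 0 with Offset * is handled.
    """
    name, target, offset, body = line.split(":", 3)
    if target != "0" or offset != "*":
        raise ValueError("demo handles ANY FILE / any offset only")
    literals = [re.escape(bytes.fromhex(tok)) for tok in body.split("*")]
    return name, re.compile(b".*?".join(literals), re.DOTALL)

SIG = ndb_to_regex(NDB_LINE)

def scan_bytes(data, sig=SIG):
    """Return the signature name on a hit, else None."""
    name, rx = sig
    return name if rx.search(data) else None

def build_tar(members):
    """Pack {path: bytes} into an uncompressed tar, members in dict order."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, content in members.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

# Constructed tree: each fragment lives in a different first-level subdir,
# and no single subdir or file carries all four in order.
TREE = {
    "a/Hello.class": b"\xca\xfe\xba\xbe...java/lang/String...",
    "b/Notes.java": b"// helper: writeEmbeddedFile(path, data)\n",
    "c/listener.conf": b"LPORT=4444\nLHOST=10.0.0.5\n",
}

def demo(tree=TREE):
    """Reproduce the thread: one tar of the whole tree, one tar per
    first-level subdir, and each file on its own. Returns {label: hit}."""
    results = {"all.tar": scan_bytes(build_tar(tree))}
    for sub in sorted({p.split("/")[0] for p in tree}):
        part = {p: c for p, c in tree.items() if p.startswith(sub + "/")}
        results[sub + ".tar"] = scan_bytes(build_tar(part))
    for path, content in tree.items():
        results[path] = scan_bytes(content)
    return results

if __name__ == "__main__":
    for label, hit in demo().items():
        print(f"{label:18} {hit or 'OK'}")
```

Only all.tar reports the signature; a.tar, b.tar, c.tar and every individual file come back clean, because the gaps between fragments are unbounded and the tar stream lays the members out back to back. The practical check on a real tree is to look for which member contributes each fragment (here `grep -l` for the four strings in the extracted tree), since a fragment-only signature like this one will trip on any archive that happens to concatenate the right benign files in the right order.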