[clamav-users] unexplainable tar behaviour

[Alan Stern]

On Tue, 29 Oct 2019, Steffen Sledz wrote:

> We've a really unexplainable behaviour related to clamdscan and tar.
> 
> There's a tree of subdirs and files.
> 
> If I tar the complete tree and scan it with 'clamdscan  -v --fdpass all.tar' an infected file is reported: 'Java.Trojan.Agent-36975 FOUND'.
> 
> If I tar all subdirs of the first level in separate tars and scan them, all of them are reported OK. Same if I scan all files one by one.
> 
> So where's the infected file report is coming from? Any ideas?

Try bisection.  Divide the tar file in half (roughly) and see which 
half triggers the detection in clamdscan.  (If neither half does, split 
the file somewhere else, say the first 1/4 and last 3/4.)  The two 
pieces won't be valid tar files any more, but that's okay since all you 
care about is whether the virus scanner objects.

Keep doing this until you have a minimal file, that is, until removing
anything from the beginning or end will cause clamdscan not to detect a
problem.  Then see what's in the file and compare it to the original
files and directories in the tree.

If you want, you can be a little more careful about how this is done.  
For instance, just remove parts from the end of the file until 
clamdscan says the file is okay.  Then you'll know that the last piece 
you removed matches part of the signature.  And the remaining initial 
segment of the file will still be a semi-valid tar archive, so you can 
list the contents and see what the final entry in the archive is.

Then start removing parts from the front of the original file until 
clamdscan says the remainder is okay.  You'll know that the part you 
removed matches the beginning of the signature.  Take the part that you 
removed and have tar list its contents; the last entry will be where 
the signature starts.

Alan Stern