[clamav-users] unexplainable tar behaviour
stern at rowland.harvard.edu
Tue Oct 29 10:10:16 EDT 2019
On Tue, 29 Oct 2019, Steffen Sledz wrote:
> We've a really unexplainable behaviour related to clamdscan and tar.
> There's a tree of subdirs and files.
> If I tar the complete tree and scan it with 'clamdscan -v --fdpass all.tar' an infected file is reported: 'Java.Trojan.Agent-36975 FOUND'.
> If I tar all subdirs of the first level in separate tars and scan them, all of them are reported OK. Same if I scan all files one by one.
> So where is the infected file report coming from? Any ideas?
Try bisection. Divide the tar file in half (roughly) and see which
half triggers the detection in clamdscan. (If neither half does, split
the file somewhere else, say the first 1/4 and last 3/4.) The two
pieces won't be valid tar files any more, but that's okay since all you
care about is whether the virus scanner objects.
Keep doing this until you have a minimal file, that is, until removing
anything from the beginning or end will cause clamdscan not to detect a
problem. Then see what's in the file and compare it to the original
files and directories in the tree.
If you want, you can be a little more careful about how this is done.
For instance, just remove parts from the end of the file until
clamdscan says the file is okay. Then you'll know that the last piece
you removed matches part of the signature. And the remaining initial
segment of the file will still be a semi-valid tar archive, so you can
list the contents and see what the final entry in the archive is.
Then start removing parts from the front of the original file until
clamdscan says the remainder is okay. You'll know that the part you
removed matches the beginning of the signature. Take the part that you
removed and have tar list its contents; the last entry will be where
the signature starts.
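The truncate-from-both-ends procedure described above, as an added Python example that is not code from this thread: a constructed marker string and an in-memory predicate stand in for clamdscan and the real signature, a binary search replaces the manual chopping, and the surviving prefix and removed front piece are mapped back to archive entries by walking the 512-byte ustar headers instead of calling tar(1).

```python
import io
import tarfile

# Constructed stand-in for the bytes a real signature would match.
MARKER = b"CONSTRUCTED-SIGNATURE-MARKER-NOT-MALWARE"

def build_sample_tar() -> bytes:
    """Constructed three-entry archive; only the middle entry carries the marker."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload in [("a/clean1.txt", b"hello\n" * 40),
                              ("b/suspect.jar", b"x" * 300 + MARKER + b"y" * 200),
                              ("c/clean2.txt", b"world\n" * 40)]:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def scanner_flags(data: bytes) -> bool:
    """Stand-in for 'clamdscan reports FOUND': true if the marker bytes are present."""
    return MARKER in data

def tar_entries(data: bytes):
    """Walk ustar headers and yield (name, header_offset, end_offset) per entry.
    Works on a truncated ('semi-valid') archive, which tarfile would reject."""
    off = 0
    while off + 512 <= len(data) and data[off:off + 512].strip(b"\0"):
        name = data[off:off + 100].split(b"\0", 1)[0].decode()
        size = int(data[off + 124:off + 136].split(b"\0", 1)[0].strip() or b"0", 8)
        end = off + 512 + ((size + 511) // 512) * 512   # data is padded to 512
        yield name, off, end
        off = end

def minimal_prefix(data: bytes, flags) -> int:
    """Shortest prefix length that still triggers the scanner (binary search).
    Invariant: data[:hi] triggers, data[:lo] does not."""
    lo, hi = 0, len(data)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if flags(data[:mid]):
            hi = mid
        else:
            lo = mid
    return hi

def locate(data: bytes, flags):
    """Return (signature_start, signature_end, names of entries overlapping it)."""
    sig_end = minimal_prefix(data, flags)          # cut from the end: last byte matched
    # Cut from the front: run the same search on the reversed bytes.
    sig_start = len(data) - minimal_prefix(data[::-1], lambda d: flags(d[::-1]))
    hits = [n for n, s, e in tar_entries(data) if s < sig_end and e > sig_start]
    return sig_start, sig_end, hits
```

With a real archive, replace `scanner_flags` with a function that writes the candidate bytes to a temp file and runs clamdscan on it; the search then needs only about log2(size) scans per end.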