[clamav-users] unexplainable tar behaviour

Noel Jones njones at megan.vbhcs.org
Tue Oct 29 10:45:16 EDT 2019

On 10/29/2019 3:06 AM, Steffen Sledz wrote:
> We've a really unexplainable behaviour related to clamdscan and tar.
> There's a tree of subdirs and files.
> If I tar the complete tree and scan it with 'clamdscan  -v --fdpass all.tar' an infected file is reported: 'Java.Trojan.Agent-36975 FOUND'.
> If I tar all subdirs of the first level in separate tars and scan them, all of them are reported OK. Same if I scan all files one by one.
> So where is the infected file report coming from? Any ideas?

There is no virus.  You're creating a false positive from scanning a 
large blob of data where the signature picks up random bits from 
different files.

{random data}{part of signature}{random data}{other part of 
signature}...{repeat as needed}
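To make the mechanism Noel describes concrete, here is an added example (not code from the thread or from ClamAV) that simulates a two-part signature with a bounded wildcard gap, in the spirit of a ClamAV body signature of the form `PART1{-1024}PART2`. The two byte fragments and the file contents are constructed for the demonstration and match nothing real. When the archive is scanned as one blob the pattern spans the tar member boundary and "matches"; when each member is scanned on its own, neither contains the full pattern.

```python
import io
import re
import tarfile

# Constructed stand-ins for the two halves of a signature. These bytes are
# made up for the example and do not correspond to any real malware signature.
SIG_PART_A = b"\xca\xfe\xba\xbe\x00\x00\x00\x32"  # hypothetical first fragment
SIG_PART_B = b"\x50\x4b\x03\x04\x14\x00\x08\x08"  # hypothetical second fragment

# A regex approximating a body signature "PART_A{-1024}PART_B": the two
# fragments may be separated by up to 1024 arbitrary bytes.
SIGNATURE = re.compile(
    re.escape(SIG_PART_A) + b".{0,1024}" + re.escape(SIG_PART_B), re.DOTALL
)


def build_tar(members):
    """Write a dict of {name: bytes} into an uncompressed tar held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scan_blob(data):
    """Scan one contiguous byte string the way a raw-archive scan would."""
    return SIGNATURE.search(data) is not None


def scan_members(tar_bytes):
    """Scan each regular file inside the tar separately; returns {name: hit}."""
    results = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile():
                results[member.name] = scan_blob(tar.extractfile(member).read())
    return results


def demo():
    """Return (whole-archive hit, per-member hits) for the constructed tree.

    The first file ends with fragment A and the second file starts with
    fragment B. Inside the tar they are separated only by padding and the
    512-byte header of the second member, which fits inside the wildcard gap.
    """
    members = {
        "a/first.bin": b"X" * 300 + SIG_PART_A,   # constructed content
        "b/second.bin": SIG_PART_B + b"Y" * 300,  # constructed content
    }
    tar_bytes = build_tar(members)
    return scan_blob(tar_bytes), scan_members(tar_bytes)


if __name__ == "__main__":
    whole, per_member = demo()
    print("whole archive matches:", whole)        # True: the false positive
    print("per-member results:", per_member)      # both False
```

The practical check this suggests is the one Steffen already did: when an archive-level hit cannot be reproduced on any extracted file, look for a signature whose fragments land in two adjacent members rather than for an infected file. Narrowing the wildcard gap (or anchoring the signature to a file type) is what prevents this class of false positive on the signature side.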

