[clamav-users] unexplainable tar behaviour
Noel Jones
njones at megan.vbhcs.org
Tue Oct 29 14:45:16 UTC 2019
On 10/29/2019 3:06 AM, Steffen Sledz wrote:
> We've a really unexplainable behaviour related to clamdscan and tar.
>
> There's a tree of subdirs and files.
>
> If I tar the complete tree and scan it with 'clamdscan -v --fdpass all.tar' an infected file is reported: 'Java.Trojan.Agent-36975 FOUND'.
>
> If I tar all subdirs of the first level in separate tars and scan them, all of them are reported OK. Same if I scan all files one by one.
>
> So where's the infected file report coming from? Any ideas?
>
There is no virus. You're creating a false positive from scanning a
large blob of data where the signature picks up random bits from
different files.

{random data}{part of signature}{random data}{other part of signature}...{repeat as needed}
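
The effect described in the reply above, reproduced as an added example (not part of the original post, and a toy matcher rather than ClamAV's engine): a two-part pattern with a wildcard gap matches the raw bytes of the full tar, but not the per-subdirectory tars or the individual files. The signature parts, file names and contents are constructed for illustration.

```python
import io
import re
import tarfile

# Constructed toy signature: two fixed parts that must appear in order with
# any number of bytes between them (a stand-in for a multi-part signature).
SIG_PARTS = [b"\xca\xfe\xba\xbe", b"Runtime.exec"]
SIG_RE = re.compile(b".*?".join(re.escape(p) for p in SIG_PARTS), re.DOTALL)

def matches(blob: bytes) -> bool:
    """True if every signature part occurs, in order, anywhere in blob."""
    return SIG_RE.search(blob) is not None

def make_tar(files: dict) -> bytes:
    """Build an uncompressed tar archive in memory from {name: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample tree: each file holds only ONE part of the signature.
TREE = {
    "a/Hello.class": b"\xca\xfe\xba\xbe" + b"\x00" * 64,
    "b/notes.txt": b"docs mention Runtime.exec as an API name\n",
}

def scan_report(tree: dict) -> dict:
    """Scan each file, each first-level subdir tar, and the full tar as raw bytes."""
    report = {"files": {n: matches(d) for n, d in tree.items()}}
    tops = sorted({n.split("/")[0] for n in tree})
    report["subdir_tars"] = {
        t: matches(make_tar({n: d for n, d in tree.items() if n.startswith(t + "/")}))
        for t in tops
    }
    # Only here do both parts end up in one contiguous byte stream.
    report["all_tar"] = matches(make_tar(tree))
    return report

if __name__ == "__main__":
    print(scan_report(TREE))
```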