[clamav-users] unexplainable tar behaviour

Paul Kosinski clamav-users at iment.com
Tue Oct 29 22:34:06 EDT 2019


I thought ClamAV unpacked TARs (and other archives) and looked at the
contents. If it doesn't, it wouldn't be very effective in detecting
viruses in compressed files.

How big is your file? Since ClamAV doesn't like files bigger than 4 GB,
if your file is bigger, I don't know for sure what happens. Maybe then
it doesn't really unpack the file, and thus might detect a "virus" in a
random subsequence of bytes.


On Tue, 29 Oct 2019 09:45:16 -0500
Noel Jones <njones at megan.vbhcs.org> wrote:

> On 10/29/2019 3:06 AM, Steffen Sledz wrote:
> > We've a really unexplainable behaviour related to clamdscan and tar.
> > 
> > There's a tree of subdirs and files.
> > 
> > If I tar the complete tree and scan it with 'clamdscan -v --fdpass
> > all.tar' an infected file is reported: 'Java.Trojan.Agent-36975
> > FOUND'.
> > 
> > If I tar all subdirs of the first level in separate tars and scan
> > them, all of them are reported OK. Same if I scan all files one by
> > one.
> > 
> > So where is the infected file report coming from? Any ideas?
> > 
> 
> 
> There is no virus.  You're creating a false positive from scanning a 
> large blob of data where the signature picks up random bits from 
> different files.
> 
> {random data}{part of signature}{random data}{other part of 
> signature}...{repeat as needed}
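The boundary-crossing false positive that Noel describes, reproduced in an added example (this is not code from the thread and not ClamAV code). The signature is a made-up ndb-style hex signature, not the real Java.Trojan.Agent-36975 body; the matcher is a small re-implementation of the subset of ClamAV hex-signature syntax it needs (hex bytes, ??, *, {n}, {n-m}, {-m}, {n-}); the two-file tree is constructed; and the premise, as in Noel's reply, is that the signature is run over the raw bytes of the archive. Each file alone, and each file in its own tar, produces no hit; the whole tree in one tar does, and the hit span is shown to straddle both members.

```python
import io
import re
import tarfile

# Hypothetical ndb-style hex signature, constructed for this example; it is
# NOT the real Java.Trojan.Agent-36975 signature, which this example does not
# know. It reads: Java class magic CA FE BA BE, then a gap of at most 2048
# bytes, then the ASCII text "Runtime.exec".
SIGNATURE = "cafebabe{-2048}52756e74696d652e65786563"

# Constructed sample tree: two harmless files, each holding only one half of
# what the signature wants.
FILES = {
    "lib/Hello.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\x00" * 40,
    "src/Hello.java": b"// prints a greeting, never calls Runtime.exec\n",
}


def hexsig_to_regex(sig):
    """Translate the subset of ClamAV hex-signature syntax used here into a
    compiled bytes regex: hex byte pairs, '??' (any one byte), '*' (any gap)
    and {n}, {n-m}, {-m}, {n-} (fixed or bounded gaps)."""
    parts = []
    i = 0
    while i < len(sig):
        if sig[i] == "*":
            parts.append(b".*?")
            i += 1
        elif sig[i] == "{":
            j = sig.index("}", i)
            lo, dash, hi = sig[i + 1:j].partition("-")
            if not dash:                                  # {n}: exactly n bytes
                parts.append(b".{%d}" % int(lo))
            else:                                         # {n-m}, {-m}, {n-}
                parts.append(b".{%d,%s}" % (int(lo or 0), hi.encode()))
            i = j + 1
        elif sig[i:i + 2] == "??":
            parts.append(b".")
            i += 2
        else:
            parts.append(re.escape(bytes.fromhex(sig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def scan(blob, sig=SIGNATURE):
    """Return the (start, end) offsets of the first signature hit, or None."""
    m = hexsig_to_regex(sig).search(blob)
    return m.span() if m else None


def build_tar(members):
    """Pack {name: bytes} into an uncompressed ustar archive held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def members_covered(tar_bytes, span):
    """Names of the members whose data overlaps the byte range 'span'. Two or
    more names mean the hit straddles a file boundary (and the 512-byte tar
    header between the files), i.e. it was never inside any single file."""
    start, end = span
    names = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for m in tf.getmembers():
            if m.isfile() and m.offset_data < end and start < m.offset_data + m.size:
                names.append(m.name)
    return names


def reproduce():
    """Mirror the thread: each file alone, each file in its own tar, and the
    whole tree in one tar. Returns the hits for the first two cases and the
    member names the all.tar hit spans."""
    per_file = {n: scan(d) for n, d in FILES.items()}
    per_tar = {n: scan(build_tar({n: d})) for n, d in FILES.items()}
    whole = build_tar(FILES)
    span = scan(whole)
    return per_file, per_tar, (members_covered(whole, span) if span else [])


if __name__ == "__main__":
    per_file, per_tar, crossing = reproduce()
    print("single files  :", per_file)        # no hits
    print("one tar each  :", per_tar)         # no hits
    print("all.tar spans :", crossing)        # both member names
```

The check a practitioner wants from this is members_covered: if the reported hit range maps onto more than one archive member, the "infection" is an artefact of the gap in the signature spanning the padding and the next tar header, and the fix is on the signature (or in reporting it as a false positive), not in the files.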
