[clamav-users] unexplainable tar behaviour
Steffen Sledz
sledz at dresearch-fe.de
Wed Oct 30 12:41:30 UTC 2019
On 30.10.19 13:03, G.W. Haywood via clamav-users wrote:
> I don't see what's confusing about this.
>
> The match is just an expression. It isn't magic. You could do just
> the same thing from the command line for example with 'grep' although
> it might take a while and you might need to read up about expressions.
> Then you'll see that the word 'unexplainable' is incorrect.
>
> The replies from Mr. Varnell and Mr. Jones both point you in the right
> direction, and Mr. Stern simply offered a methodical way of locating
> the matching pieces in what might be an unwieldy file.
Yes, but ...
> # split -b 80M all.tar all
> # ll
> total 445768
> -rw-r--r-- 1 root root 83886080 30. Okt 07:57 allaa
> -rw-r--r-- 1 root root 80998400 30. Okt 07:57 allab
> -rw-r--r-- 1 root root 164884480 29. Okt 08:00 all.tar
> # clamdscan -v --fdpass all*
> /root/clamcheck/allaa: OK
> /root/clamcheck/allab: OK
> /root/clamcheck/all.tar: Java.Trojan.Agent-36975 FOUND
So "the expression" matches in all.tar, but not in allaa and not in allab. Hmmm?
The expression could be partly in allaa and in allab. That's why I tried a different separation.
> # split -b 77M all.tar all
> # ll
> total 445768
> -rw-r--r-- 1 root root 80740352 30. Okt 08:15 allaa
> -rw-r--r-- 1 root root 80740352 30. Okt 08:15 allab
> -rw-r--r-- 1 root root 3403776 30. Okt 08:15 allac
> -rw-r--r-- 1 root root 164884480 29. Okt 08:00 all.tar
> # clamdscan -v --fdpass all*
> /root/clamcheck/allaa: OK
> /root/clamcheck/allab: OK
> /root/clamcheck/allac: OK
> /root/clamcheck/all.tar: Java.Trojan.Agent-36975 FOUND
Here "the expression" matches in all.tar, but not in allaa, not in allab, and not in allac. Hmmm again?
For me this is confusing!
Regards,
Steffen
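The boundary reasoning in the message above, worked through as an added example (not part of the original post and not ClamAV code). It assumes the detection is a single contiguous byte pattern, which the thread does not establish, and uses a constructed buffer with the hypothetical marker `MARKER`, with the split sizes scaled from MiB to bytes.

```python
# Added illustration. Assumption: the detection is ONE contiguous byte pattern.
# DATA and PATTERN are constructed; 80 and 77 stand in for 80M and 77M.

def boundaries(total, size):
    """Offsets at which `split -b size` starts a new piece."""
    return list(range(size, total, size))

def chunks_matching(data, pattern, size):
    """Indices of the split pieces that contain the whole pattern."""
    pieces = [data[i:i + size] for i in range(0, len(data), size)]
    return [n for n, piece in enumerate(pieces) if pattern in piece]

def overlapped_matching(data, pattern, size):
    """Same pieces, each extended by len(pattern)-1 bytes, so a pattern cut
    by a boundary is still seen in the piece where it starts."""
    extra = len(pattern) - 1
    return [i // size for i in range(0, len(data), size)
            if pattern in data[i:i + size + extra]]

def min_len_cut_by_both(total, size_a, size_b):
    """Shortest contiguous pattern that, at some offset, is cut by a
    boundary of BOTH splits (None if either split yields one piece)."""
    gaps = [abs(a - b) for a in boundaries(total, size_a)
            for b in boundaries(total, size_b)]
    # One byte before the lower cut plus one byte at the upper cut.
    return min(gaps) + 2 if gaps else None

PATTERN = b"MARKER"                      # hypothetical 6-byte pattern
DATA = bytes(78) + PATTERN + bytes(74)   # 158 bytes, marker at offsets 78..83

MIB = 1024 * 1024
TOTAL = 164884480                        # size of all.tar in the listing

if __name__ == "__main__":
    print("split 80:", chunks_matching(DATA, PATTERN, 80))
    print("split 77:", chunks_matching(DATA, PATTERN, 77))
    print("split 80, overlapped:", overlapped_matching(DATA, PATTERN, 80))
    print("cuts 80M:", boundaries(TOTAL, 80 * MIB))
    print("cuts 77M:", boundaries(TOTAL, 77 * MIB))
    print("min length cut by both:", min_len_cut_by_both(TOTAL, 80 * MIB, 77 * MIB))
```

Under the contiguous-pattern assumption, only a pattern of at least 3145730 bytes could be cut by both of the splits shown in the message.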