[clamav-users] unexplainable tar behaviour

Steffen Sledz sledz at dresearch-fe.de
Wed Oct 30 08:41:30 EDT 2019


On 30.10.19 13:03, G.W. Haywood via clamav-users wrote:
> I don't see what's confusing about this.
> 
> The match is just an expression.  It isn't magic.  You could do just
> the same thing from the command line for example with 'grep' although
> it might take a while and you might need to read up about expressions.
> Then you'll see that the word 'unexplainable' is incorrect.
> 
> The replies from Mr. Varnell and Mr. Jones both point you in the right
> direction, and Mr. Stern simply offered a methodical way of locating
> the matching pieces in what might be an unwieldy file.

Yes, but ...

> # split -b 80M all.tar all
> # ll
> total 445768
> -rw-r--r--  1 root root  83886080 30. Okt 07:57 allaa
> -rw-r--r--  1 root root  80998400 30. Okt 07:57 allab
> -rw-r--r--  1 root root 164884480 29. Okt 08:00 all.tar
> # clamdscan  -v --fdpass all*
> /root/clamcheck/allaa: OK
> /root/clamcheck/allab: OK
> /root/clamcheck/all.tar: Java.Trojan.Agent-36975 FOUND

So "the expression" matches in all.tar, but not in allaa and not in allab. Hmmm?

The expression could be partly in allaa and in allab. That's why I tried a different separation.

> # split -b 77M all.tar all
> # ll
> total 445768
> -rw-r--r--  1 root root  80740352 30. Okt 08:15 allaa
> -rw-r--r--  1 root root  80740352 30. Okt 08:15 allab
> -rw-r--r--  1 root root   3403776 30. Okt 08:15 allac
> -rw-r--r--  1 root root 164884480 29. Okt 08:00 all.tar
> # clamdscan  -v --fdpass all*
> /root/clamcheck/allaa: OK
> /root/clamcheck/allab: OK
> /root/clamcheck/allac: OK
> /root/clamcheck/all.tar: Java.Trojan.Agent-36975 FOUND

Here "the expression" matches in all.tar, but not in allaa, not in allab, and not in allac. Hmmm again?

For me this is confusing!

Regards,
Steffen
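
Added example, not part of the original message: a small model of the split test above, showing that a single pattern cut by the 80M boundary is caught again once the boundary moves to 77M, while an expression that needs two parts lying far apart matches only the unsplit file under both split sizes. The marker strings and their offsets are constructed assumptions (the thread does not show how Java.Trojan.Agent-36975 is defined), sizes are the thread's divided by 1024, and ClamAV's own archive handling is not modelled.

```python
# Constructed stand-ins for signature content. The thread does not show how
# Java.Trojan.Agent-36975 is defined, so these byte strings are assumptions.
PART_A = b"MARKER-ONE"
PART_B = b"MARKER-TWO"

KIB = 1024
TOTAL = 161020        # size of all.tar in the thread, divided by 1024
SPLIT_80 = 80 * KIB   # models `split -b 80M`
SPLIT_77 = 77 * KIB   # models `split -b 77M`


def build_sample(placements, size=TOTAL):
    """Return `size` zero bytes with each (offset, blob) written into them."""
    buf = bytearray(size)
    for offset, blob in placements:
        buf[offset:offset + len(blob)] = blob
    return bytes(buf)


def split_bytes(data, chunk):
    """Cut data at fixed byte offsets, the way `split -b` does."""
    return [data[i:i + chunk] for i in range(0, len(data), chunk)]


def match_single(data):
    """Expression made of one contiguous pattern."""
    return PART_A in data


def match_all_parts(data):
    """Expression that is true only if every part is present in the input."""
    return PART_A in data and PART_B in data


def scan(data, chunk, matcher):
    """Evaluate the expression on the whole input and on each split piece."""
    pieces = [matcher(p) for p in split_bytes(data, chunk)]
    return {"whole": matcher(data), "pieces": pieces}


# Case 1: one pattern lying across the 80K cut point.
STRADDLING = build_sample([(SPLIT_80 - 5, PART_A)])
# Case 2: two parts near opposite ends of the file.
FAR_APART = build_sample([(1000, PART_A), (160000, PART_B)])

if __name__ == "__main__":
    for chunk in (SPLIT_80, SPLIT_77):
        print("straddling", chunk, scan(STRADDLING, chunk, match_single))
        print("far apart ", chunk, scan(FAR_APART, chunk, match_all_parts))
```
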

