[clamav-users] unexplainable tar behaviour

Graeme Fowler G.E.Fowler at lboro.ac.uk
Wed Oct 30 08:52:56 EDT 2019


On 30/10/2019, 12:43, "clamav-users on behalf of Steffen Sledz" <clamav-users-bounces at lists.clamav.net on behalf of sledz at dresearch-fe.de> wrote:
> Here "the expression" matches in all.tar, but not in allaa, not in allab, and not in allac. Hmmm again?
>
> For me this is confusing!

If you look back at the response from Al Varnell, you'll see that the decoded signature has several parts, all joined together by wildcard matches.

It's quite plausible that the match is on the first few bytes, some bytes several megabytes later, some more bytes several megabytes later still, and then the last few bytes in the file.

If that's the case (and with a tar file that's reasonably plausible), then bisecting/dissecting your file means that the signature will never match. It will only match on the whole entire file.

There's a form here: https://www.clamav.net/reports/fp

...through which you can report false positives, but you will need to provide your file.

Graeme
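
The effect described above, as an added example that is not part of the original post: a simplified matcher that treats `*` in a hex signature as "any number of bytes" (it is not ClamAV's matching engine), run over a constructed blob and over its fixed-size pieces. The sample data, the signature and all function names are assumptions made for illustration.

```python
# Added illustration, not ClamAV code: only the `*` wildcard is modelled.

def match_wildcard_signature(data, signature):
    """True if every hex fragment of `signature` occurs in `data`, in order,
    with any number of bytes allowed wherever the signature has `*`."""
    fragments = [bytes.fromhex(part) for part in signature.split("*") if part]
    pos = 0
    for fragment in fragments:
        found = data.find(fragment, pos)  # leftmost hit keeps the most room for later parts
        if found == -1:
            return False
        pos = found + len(fragment)
    return True


def split_pieces(data, chunk_size):
    """Cut `data` into fixed-size pieces, the way the file was cut into allaa, allab, ..."""
    return [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]


def build_sample():
    """Constructed sample: three marker strings separated by long filler runs."""
    filler = b"\x00" * 4096
    return b"HEAD" + filler + b"MIDDLE" + filler + b"TAIL"


# Constructed signature: three fragments joined by wildcards.
SIGNATURE = "*".join(part.hex() for part in (b"HEAD", b"MIDDLE", b"TAIL"))


def scan_whole_and_pieces(chunk_size=3000):
    """Scan the whole sample, then each piece on its own."""
    whole = build_sample()
    pieces = split_pieces(whole, chunk_size)
    return (
        match_wildcard_signature(whole, SIGNATURE),
        [match_wildcard_signature(piece, SIGNATURE) for piece in pieces],
    )


if __name__ == "__main__":
    whole_hit, piece_hits = scan_whole_and_pieces()
    print("whole file matches:", whole_hit)
    print("pieces match:      ", piece_hits)
```

Each piece holds only one of the three fragments, so no piece can satisfy the signature on its own.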


