[clamav-users] unexplainable tar behaviour

Steffen Sledz sledz at dresearch-fe.de
Wed Oct 30 09:50:04 EDT 2019


On 30.10.19 13:52, Graeme Fowler via clamav-users wrote:
> If you look back at the response from Al Varnell, you'll see that the decoded signature has several parts, all joined together by wildcard matches.
> 
> It's quite plausible that the match is on the first few bytes, some bytes several megabytes later, some more bytes several megabytes later still, and then the last few bytes in the file.
> 
> If that's the case (and with a tar file that's reasonably plausible), then bisecting/dissecting your file means that the signature will never match. It will only match on the whole entire file.

Thank you very much for the explanation. Now I got it. ;-)
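
Added example, not part of the original messages and not ClamAV's own code: a simplified model of the quoted explanation, showing a multi-part signature that matches the whole file but neither half of it. Only the `*` (any number of bytes) wildcard is modelled, and the signature `SIG` and the sample bytes are constructed for illustration.

```python
from typing import List, Optional

def parse_signature(sig: str) -> List[bytes]:
    """Split a hex body signature on '*' into its fixed byte fragments."""
    parts = sig.split("*")
    if any(not p for p in parts):
        raise ValueError("empty fragment in signature")
    return [bytes.fromhex(p) for p in parts]

def match_offsets(data: bytes, fragments: List[bytes]) -> Optional[List[int]]:
    """Return the offset of each fragment if all occur in order, else None.

    Taking the leftmost hit for each fragment is sufficient: an earlier hit
    never rules out a later fragment that a later hit would have allowed.
    """
    offsets, pos = [], 0
    for frag in fragments:
        idx = data.find(frag, pos)
        if idx < 0:
            return None
        offsets.append(idx)
        pos = idx + len(frag)
    return offsets

def scan_halves(data: bytes, fragments: List[bytes]):
    """Bisect the data and report whether each half matches on its own."""
    mid = len(data) // 2
    return (match_offsets(data[:mid], fragments) is not None,
            match_offsets(data[mid:], fragments) is not None)

# Constructed signature: three fragments joined by '*' wildcards.
SIG = "deadbeef*636f6e737472756374*cafef00d"
FILLER = b"\x00" * (1 << 20)  # 1 MiB of padding between the fragments

# Constructed sample: first fragment at the start, last fragment at the end.
SAMPLE = (bytes.fromhex("deadbeef") + FILLER + b"construct" + FILLER
          + bytes.fromhex("cafef00d"))

if __name__ == "__main__":
    frags = parse_signature(SIG)
    print("whole file offsets:", match_offsets(SAMPLE, frags))
    print("halves match (first, second):", scan_halves(SAMPLE, frags))
```

Printing the per-fragment offsets for the whole file is what explains the result: the fragments sit at the start, middle and end, so no half (or smaller slice) contains all of them.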

