[clamav-users] unexplainable tar behaviour
Steffen Sledz
sledz at dresearch-fe.de
Wed Oct 30 13:50:04 UTC 2019
On 30.10.19 13:52, Graeme Fowler via clamav-users wrote:
> If you look back at the response from Al Varnell, you'll see that the decoded signature has several parts, all joined together by wildcard matches.
>
> It's quite plausible that the match is on the first few bytes, some bytes several megabytes later, some more bytes several megabytes later still, and then the last few bytes in the file.
>
> If that's the case (and with a tar file that's reasonably plausible), then bisecting/dissecting your file means that the signature will never match. It will only match on the whole entire file.
Thank you very much for the explanation. Now I got it. ;-)
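
The behaviour Graeme Fowler describes above, as an added illustration that is not part of the original thread and is not ClamAV's own matcher: a simplified model in which a signature is a list of hex fragments joined by `*` (any number of bytes), run over a constructed buffer. The marker bytes, padding size and function names are assumptions made for the example.

```python
# Simplified model of a wildcard-joined signature (not ClamAV's real engine).
# Fragments must appear in order; '*' between them allows any gap.

def compile_signature(sig: str) -> list[bytes]:
    """Split a hex signature on '*' into its literal byte fragments."""
    return [bytes.fromhex(part) for part in sig.split("*")]

def matches(parts: list[bytes], data: bytes) -> bool:
    """True only if every fragment occurs, in order, somewhere in data."""
    pos = 0
    for part in parts:
        idx = data.find(part, pos)
        if idx < 0:
            return False
        pos = idx + len(part)
    return True

def parts_present(parts: list[bytes], chunk: bytes) -> list[int]:
    """Indexes of the fragments found in chunk, regardless of order."""
    return [i for i, part in enumerate(parts) if part in chunk]

def bisect_results(parts: list[bytes], data: bytes) -> tuple[bool, bool]:
    """Scan each half of data on its own, as when bisecting a file."""
    mid = len(data) // 2
    return matches(parts, data[:mid]), matches(parts, data[mid:])

# Constructed sample: four marker fragments spread over about 3 MiB of padding.
MARKERS = [b"\xde\xad\x01", b"\xbe\xef\x02", b"\xca\xfe\x03", b"\xf0\x0d\x04"]
SIG = "*".join(m.hex() for m in MARKERS)   # "dead01*beef02*cafe03*f00d04"
PARTS = compile_signature(SIG)
PAD = b"\x00" * (1 << 20)                  # 1 MiB filler between fragments
SAMPLE = PAD.join(MARKERS)

if __name__ == "__main__":
    mid = len(SAMPLE) // 2
    print("whole file matches:", matches(PARTS, SAMPLE))
    print("halves match:      ", bisect_results(PARTS, SAMPLE))
    print("fragments in 1st half:", parts_present(PARTS, SAMPLE[:mid]))
    print("fragments in 2nd half:", parts_present(PARTS, SAMPLE[mid:]))
```

Each half still contains some of the fragments, but neither contains all of them in order, so only the complete file is reported.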