All I can add to the discussion is a slightly obfuscated dump of the signature, which is in main.ndb and was added on Apr 13, 2016:

VIRUS NAME: Java.Trojan.Agent-36975
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
java*lang*String{WILDCARD_ANY_STRING}writeEmbeddedFile{WILDCARD_ANY_STRING}LPORT{WILDCARD_ANY_STRING}LHOST

I substituted "*" for "/" in the signature in order to prevent this message from being detected in route.

-Al-

On Tue, Oct 29, 2019 at 01:06 AM, Steffen Sledz wrote:
We've a really unexplainable behaviour related to clamdscan and tar.

There's a tree of subdirs and files.

If I tar the complete tree and scan it with 'clamdscan  -v --fdpass all.tar' an infected file is reported: 'Java.Trojan.Agent-36975 FOUND'.

If I tar all subdirs of the first level in separate tars and scan them, all of them are reported OK. Same if I scan all files one by one.

So where's the infected file report is coming from? Any ideas?

Environment:

# lsb_release -a
LSB Version:    n/a
Distributor ID: openSUSE
Description:    openSUSE Leap 15.1
Release:        15.1
Codename:       n/a
# rpm -q -i clamav
Name        : clamav
Version     : 0.101.4
Release     : lp151.205.1
Architecture: x86_64
Install Date: Mo 28 Okt 2019 16:03:42 CET
Group       : Productivity/Security
Size        : 2383988
License     : GPL-2.0-only
Signature   : RSA/SHA256, Fr 25 Okt 2019 16:59:46 CEST, Key ID 69d1b2aaee3d166a
Source RPM  : clamav-0.101.4-lp151.205.1.src.rpm
Build Date  : Fr 25 Okt 2019 16:59:23 CEST
Build Host  : lamb53
Relocations : (not relocatable)
Vendor      : obs://build.opensuse.org/security
URL         : http://www.clamav.net
Summary     : Antivirus Toolkit

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml