Looks like I got it. I was unfamiliar with how to search through the ClamAV users archives, but now I found a previous post suggesting to up the max-filesize and max-scansize. Doing that worked for me. It's just odd that a tarball that is extremely small still needs these parameters set to work.


Thanks for the help! Problem appears to be resolved for me.


From: Hart, Steven A.
Sent: Monday, December 20, 2021 4:35:29 PM
To: ClamAV users ML
Subject: Re: [clamav-users] [EXT] Re: clamscan tar archive
 

I retract my retraction.


Original scan of test directory:

$ clamscan -ir test/
test/eicar.com: Eicar-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8584449
Engine version: 0.103.4
Scanned directories: 1
Scanned files: 6
Infected files: 1
Data scanned: 0.63 MB
Data read: 333.32 MB (ratio 0.00:1)
Time: 10.682 sec (0 m 10 s)
Start Date: 2021:12:20 16:29:39
End Date:   2021:12:20 16:29:50

$ tar -cvf test.tar test/


$ tar -tvf test.tar | grep eicar
-rw-rw-r-- XXXXX/XXXXX        69 2021-12-06 10:18 test/eicar.com

$ clamscan -ir test.tar 

----------- SCAN SUMMARY -----------
Known viruses: 8584449
Engine version: 0.103.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 333.34 MB (ratio 0.00:1)
Time: 10.408 sec (0 m 10 s)
Start Date: 2021:12:20 16:32:07
End Date:   2021:12:20 16:32:17

This is on RHEL8.  If I do a simple tar of just the eicar.com file into a tar archive it detects on scanning the tar file.  The above sample test directory has 5 other simple files including the eicar.com file.

Thanks!


From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Hart, Steven A. via clamav-users <clamav-users@lists.clamav.net>
Sent: Monday, December 20, 2021 4:17:28 PM
To: ClamAV users ML
Cc: Hart, Steven A.
Subject: Re: [clamav-users] [EXT] Re: clamscan tar archive
 

And now it's working for me too.  Nice magic you have there! 


Problem solved.....I guess....so weird.


Thanks


From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Kris Deugau <kdeugau@vianet.ca>
Sent: Monday, December 20, 2021 4:09:26 PM
To: ClamAV users ML
Subject: [EXT] Re: [clamav-users] clamscan tar archive
 

Hart, Steven A. via clamav-users wrote:
> Hello all,
>
>
> ClamAV documentation states that tar archives are supported.   I've
> created a small sample tar archive that includes an eicar sample. 
> Clamscan seems to only look at the tar archive as a single file and does
> not hit on the eicar sample within.   I've tried using the "-a" and
> "--scan-archive=yes" flags with no improvements.  I would appreciate
> advice as to if clamscan can actively scan tar archives directly.

WorksForMe(TM):

kdeugau@ele:~/$ tar -c ~kdeugau/dev/eicar >testeicar.tar
tar: Removing leading `/' from member names
kdeugau@ele:~/$ clamscan
/home/kdeugau/testeicar.tar: Eicar-Signature FOUND
[...]

kdeugau@ele:~/$ clamscan -V
ClamAV 0.103.3/26393/Mon Dec 20 04:19:51 2021

(Debian package;  only Debian testing and unstable have 0.103.4 so far,
no sign of 0.104.)

-kgd
