homepage Welcome to WebmasterWorld Guest from 54.227.146.68
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Visit PubCon.com
Home / Forums Index / Hardware and OS Related Technologies / Webmaster Hardware
Forum Library, Charter, Moderator: open

Webmaster Hardware Forum

    
decompression bombs
how to get rid of?
surrealillusions




msg:3788999
 6:13 pm on Nov 18, 2008 (gmt 0)

Hi all,

Just ran scan of my system with avast, and its found some decompression bombs. After some research on google, i havent found much in the way of getting rid of them.

Ive booted in safe mode, ran the scan, but still wouldnt delete them.

They're apparently in thunderbirds mail folders, but yet they're not in there when i go to browse that folder. (i have folders to show hidden files and folders).

I'm on windoze xp (sp3).

 

kaled




msg:3789203
 10:23 pm on Nov 18, 2008 (gmt 0)

Windows doesn't display all files even when you instruct it to. For instance, desktop.ini is normally hidden from view irrespective of folder options, etc.

Check the folder properties - that will tell you the actual number of files and subfolders therein (I think). You can then count them manually and see if they tally (select-all is useful if the statusbar is visible). You can also select "properties" for the selected files and check the combined size against the size given in the folder properties. By deduction, that should tell you if the files really exist.

Kaled.

caribguy




msg:3789206
 10:30 pm on Nov 18, 2008 (gmt 0)

Try opening a command prompt and navigating to the directory. Do you see the files then?

surrealillusions




msg:3793703
 10:48 am on Nov 25, 2008 (gmt 0)

Tried both options, the cmd prompt way and folder properties (select all, as well as right click on folder) all show the same number of items and same size where these decompression bombs apparently are.

So...if they dont exist...then how come avast is picking them up?

:)

kaled




msg:3793725
 11:20 am on Nov 25, 2008 (gmt 0)

It sounds like a bug in Avast.

I've never used Avast or encountered a decompression bomb (I had to look it up) but my recommendation would be to ignore it for now.

Thunderbird compresses emails for storage so if they contain zipped files that's a second level of compression and if the zipped files contain other compressed files such as UPX-compressed exe files or even png image files (which use deflate) then that's a third level of compression. Attempts to scan inside all of that may well fail but it's possible even higher levels exist if you have self-extracting installers stored in there.

My guess is that the reported file name is that of a compressed file stored somewhere within a compressed mail folder.

Kaled.

surrealillusions




msg:3794602
 12:17 pm on Nov 26, 2008 (gmt 0)

ok..thanks

:)

kaled




msg:3794672
 2:39 pm on Nov 26, 2008 (gmt 0)

One final thought...

There is little point using real-time anti-virus detection and also scanning inside compressed folders. The operating system cannot execute files within compressed folders without first decompressing, saving and opening them. Real-time scanning will detect the virus, if there is one, when the file is opened (and before it is executed).

In other words, if the option exists to do so, switch off scanning within compressed folders for scheduled scans (but leave it on for manual scans, if possible). This may also mean that scheduled scans are completed much more quickly.

Kaled.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Hardware and OS Related Technologies / Webmaster Hardware
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved