homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Visit PubCon.com
Home / Forums Index / Hardware and OS Related Technologies / Webmaster Hardware
Forum Library, Charter, Moderator: open

Webmaster Hardware Forum

decompression bombs
how to get rid of?

 6:13 pm on Nov 18, 2008 (gmt 0)

Hi all,

Just ran scan of my system with avast, and its found some decompression bombs. After some research on google, i havent found much in the way of getting rid of them.

Ive booted in safe mode, ran the scan, but still wouldnt delete them.

They're apparently in thunderbirds mail folders, but yet they're not in there when i go to browse that folder. (i have folders to show hidden files and folders).

I'm on windoze xp (sp3).



 10:23 pm on Nov 18, 2008 (gmt 0)

Windows doesn't display all files even when you instruct it to. For instance, desktop.ini is normally hidden from view irrespective of folder options, etc.

Check the folder properties - that will tell you the actual number of files and subfolders therein (I think). You can then count them manually and see if they tally (select-all is useful if the statusbar is visible). You can also select "properties" for the selected files and check the combined size against the size given in the folder properties. By deduction, that should tell you if the files really exist.



 10:30 pm on Nov 18, 2008 (gmt 0)

Try opening a command prompt and navigating to the directory. Do you see the files then?


 10:48 am on Nov 25, 2008 (gmt 0)

Tried both options, the cmd prompt way and folder properties (select all, as well as right click on folder) all show the same number of items and same size where these decompression bombs apparently are.

So...if they dont exist...then how come avast is picking them up?



 11:20 am on Nov 25, 2008 (gmt 0)

It sounds like a bug in Avast.

I've never used Avast or encountered a decompression bomb (I had to look it up) but my recommendation would be to ignore it for now.

Thunderbird compresses emails for storage so if they contain zipped files that's a second level of compression and if the zipped files contain other compressed files such as UPX-compressed exe files or even png image files (which use deflate) then that's a third level of compression. Attempts to scan inside all of that may well fail but it's possible even higher levels exist if you have self-extracting installers stored in there.

My guess is that the reported file name is that of a compressed file stored somewhere within a compressed mail folder.



 12:17 pm on Nov 26, 2008 (gmt 0)




 2:39 pm on Nov 26, 2008 (gmt 0)

One final thought...

There is little point using real-time anti-virus detection and also scanning inside compressed folders. The operating system cannot execute files within compressed folders without first decompressing, saving and opening them. Real-time scanning will detect the virus, if there is one, when the file is opened (and before it is executed).

In other words, if the option exists to do so, switch off scanning within compressed folders for scheduled scans (but leave it on for manual scans, if possible). This may also mean that scheduled scans are completed much more quickly.


Global Options:
 top home search open messages active posts  

Home / Forums Index / Hardware and OS Related Technologies / Webmaster Hardware
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved