Msg#: 3788997 posted 10:23 pm on Nov 18, 2008 (gmt 0)
Windows doesn't display all files even when you instruct it to. For instance, desktop.ini is normally hidden from view irrespective of folder options, etc.
Check the folder properties - that will tell you the actual number of files and subfolders therein (I think). You can then count them manually and see if they tally (select-all is useful if the statusbar is visible). You can also select "properties" for the selected files and check the combined size against the size given in the folder properties. By deduction, that should tell you if the files really exist.
Msg#: 3788997 posted 10:48 am on Nov 25, 2008 (gmt 0)
Tried both options, the cmd prompt way and folder properties (select all, as well as right click on folder) all show the same number of items and same size where these decompression bombs apparently are.
So...if they dont exist...then how come avast is picking them up?
Msg#: 3788997 posted 11:20 am on Nov 25, 2008 (gmt 0)
It sounds like a bug in Avast.
I've never used Avast or encountered a decompression bomb (I had to look it up) but my recommendation would be to ignore it for now.
Thunderbird compresses emails for storage so if they contain zipped files that's a second level of compression and if the zipped files contain other compressed files such as UPX-compressed exe files or even png image files (which use deflate) then that's a third level of compression. Attempts to scan inside all of that may well fail but it's possible even higher levels exist if you have self-extracting installers stored in there.
My guess is that the reported file name is that of a compressed file stored somewhere within a compressed mail folder.
Msg#: 3788997 posted 2:39 pm on Nov 26, 2008 (gmt 0)
One final thought...
There is little point using real-time anti-virus detection and also scanning inside compressed folders. The operating system cannot execute files within compressed folders without first decompressing, saving and opening them. Real-time scanning will detect the virus, if there is one, when the file is opened (and before it is executed).
In other words, if the option exists to do so, switch off scanning within compressed folders for scheduled scans (but leave it on for manual scans, if possible). This may also mean that scheduled scans are completed much more quickly.