Welcome to WebmasterWorld Guest from 54.166.236.238

Forum Moderators: open

Message Too Old, No Replies

decompression bombs

how to get rid of?

     
6:13 pm on Nov 18, 2008 (gmt 0)

Preferred Member

5+ Year Member

joined:Dec 10, 2007
posts:507
votes: 0


Hi all,

Just ran scan of my system with avast, and its found some decompression bombs. After some research on google, i havent found much in the way of getting rid of them.

Ive booted in safe mode, ran the scan, but still wouldnt delete them.

They're apparently in thunderbirds mail folders, but yet they're not in there when i go to browse that folder. (i have folders to show hidden files and folders).

I'm on windoze xp (sp3).

10:23 pm on Nov 18, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 2, 2003
posts:3710
votes: 0


Windows doesn't display all files even when you instruct it to. For instance, desktop.ini is normally hidden from view irrespective of folder options, etc.

Check the folder properties - that will tell you the actual number of files and subfolders therein (I think). You can then count them manually and see if they tally (select-all is useful if the statusbar is visible). You can also select "properties" for the selected files and check the combined size against the size given in the folder properties. By deduction, that should tell you if the files really exist.

Kaled.

10:30 pm on Nov 18, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 16, 2007
posts:846
votes: 0


Try opening a command prompt and navigating to the directory. Do you see the files then?
10:48 am on Nov 25, 2008 (gmt 0)

Preferred Member

5+ Year Member

joined:Dec 10, 2007
posts:507
votes: 0


Tried both options, the cmd prompt way and folder properties (select all, as well as right click on folder) all show the same number of items and same size where these decompression bombs apparently are.

So...if they dont exist...then how come avast is picking them up?

:)

11:20 am on Nov 25, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 2, 2003
posts:3710
votes: 0


It sounds like a bug in Avast.

I've never used Avast or encountered a decompression bomb (I had to look it up) but my recommendation would be to ignore it for now.

Thunderbird compresses emails for storage so if they contain zipped files that's a second level of compression and if the zipped files contain other compressed files such as UPX-compressed exe files or even png image files (which use deflate) then that's a third level of compression. Attempts to scan inside all of that may well fail but it's possible even higher levels exist if you have self-extracting installers stored in there.

My guess is that the reported file name is that of a compressed file stored somewhere within a compressed mail folder.

Kaled.

12:17 pm on Nov 26, 2008 (gmt 0)

Preferred Member

5+ Year Member

joined:Dec 10, 2007
posts:507
votes: 0


ok..thanks

:)

2:39 pm on Nov 26, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 2, 2003
posts:3710
votes: 0


One final thought...

There is little point using real-time anti-virus detection and also scanning inside compressed folders. The operating system cannot execute files within compressed folders without first decompressing, saving and opening them. Real-time scanning will detect the virus, if there is one, when the file is opened (and before it is executed).

In other words, if the option exists to do so, switch off scanning within compressed folders for scheduled scans (but leave it on for manual scans, if possible). This may also mean that scheduled scans are completed much more quickly.

Kaled.