Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: timet on July 25, 2008, 08:01:30 PM

Title: Decompression Bomb - Anything to worry about?
Post by: timet on July 25, 2008, 08:01:30 PM
Just did a scan of my PC and for the most part all that was found were old files archived/protected by Ad-Aware, aside from 1 file.

(http://i36.tinypic.com/2mi2cte.png)
I tried extending the Name of File bar with no luck of showing the full path; I'm not quite sure if there's another log I could view to find out. Is this anything I should worry about? I did a bit of research on Decompression Bombs and other posters on the Avast! Forums have said they're nothing to worry about, while on other sites people are convinced that they're malware you should remove. I'm pretty sure if it stays as it is I have nothing to worry about, but I'm not quite sure if a virus may try to access it in the future.

Thanks in advance :)
Title: Re: Decompression Bomb - Anything to worry about?
Post by: Rick F on July 25, 2008, 08:33:57 PM
Here's a link where that was discussed:

http://forum.avast.com/index.php?topic=8943

Hope this helps.
Title: Re: Decompression Bomb - Anything to worry about?
Post by: timet on July 25, 2008, 08:36:26 PM
Yeah, I had found that thread and already read it but it doesn't seem like the guy came back to fully discuss the issue with igor. Also, the one I have is an entirely different file/most likely different location but I'm not sure if it changes the answer I'll get (that it's nothing to worry about) or not.

Oh, and it was over 3 years ago :P
Title: Re: Decompression Bomb - Anything to worry about?
Post by: DavidR on July 25, 2008, 09:07:25 PM
I don't believe there was any need for any further discussion. His last question, "so should I be worried" and the answer was "No, I think the file is OK - just the compression ratio is unusually high." Now when that answer comes from one of the avast developers you can be reasonably sure it is correct.

Time in this instance doesn't change this response.

More importantly, if it didn't answer all your questions or it isn't clear, what are your questions?
Title: Re: Decompression Bomb - Anything to worry about?
Post by: timet on July 25, 2008, 09:12:15 PM
What I meant is that igor asked about the size of the file and the OP never replied, I wasn't sure if it was significant or not.
Title: Re: Decompression Bomb - Anything to worry about?
Post by: Lisandro on July 25, 2008, 09:22:37 PM
Decompression bomb is just something that unpacks to an unusually big amount of data even though it's rather small (i.e. has a high compression ratio, for example). It's nothing to worry about, you are just informed that avast! will not try to unpack the archive (you may not even know that it's an archive, but it seems like it is) because it may take VERY long to process.
(quoted from Igor: http://forum.avast.com/index.php?topic=15389.msg131213#msg131213)

But you can change values in the avast4.ini file to configure how avast should work with these files. Click 'Settings' in my signature for more info ;)
There is a section for decompression bombs there.
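
The check Igor describes above (declining to unpack an archive whose compression ratio is unusually high) can be sketched as follows. This is an added example, not part of any post in this thread and not avast!'s code; the thresholds, function names and sample archives are assumptions constructed for illustration, and it handles ZIP only.

```python
import hashlib
import io
import zipfile

# Assumed limits for illustration; these are not avast!'s actual values.
MAX_RATIO = 100               # uncompressed / compressed, per member
MAX_TOTAL = 8 * 1024 * 1024   # total bytes we are willing to unpack
CHUNK = 64 * 1024


def check_archive(blob, max_ratio=MAX_RATIO, max_total=MAX_TOTAL):
    """Return (verdict, detail) for an in-memory ZIP without unpacking past max_total."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        members = zf.infolist()
        # Pass 1: cheap check on the sizes declared in the archive directory.
        for info in members:
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > max_ratio:
                return "skipped", f"{info.filename}: declared ratio {ratio:.0f}:1"
        # Pass 2: declared sizes can be wrong, so unpack in chunks against a budget.
        unpacked = 0
        for info in members:
            with zf.open(info) as member:
                while chunk := member.read(CHUNK):
                    unpacked += len(chunk)
                    if unpacked > max_total:
                        return "skipped", f"{info.filename}: exceeded {max_total} bytes"
    return "unpacked", f"{unpacked} bytes"


def make_zip(name, payload):
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: poorly compressible data, and a highly compressible run of zeros.
ORDINARY = make_zip("notes.bin", b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256)))
ZEROS = make_zip("zeros.bin", b"\0" * (4 * 1024 * 1024))

if __name__ == "__main__":
    print(check_archive(ORDINARY))
    print(check_archive(ZEROS))
    # Ratio check relaxed: the unpack budget still stops the work early.
    print(check_archive(ZEROS, max_ratio=10_000, max_total=1024 * 1024))
```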
Title: Re: Decompression Bomb - Anything to worry about?
Post by: Azrael srl on July 26, 2008, 12:11:59 AM
I've encountered this many times, especially during downloading of Linux distributions. I remember a case a year ago in which a file from an openSUSE ISO was passed over with this message, so I extracted it manually (2 MB) and decompressed it with 7-ZIP. The process took 5 minutes and the resulting folder was 178 MB, of course clean.
Use your judgement: if the origin of the file (or the file itself) looks dubious, extract and decompress manually. Otherwise, no problem, ignore it.
Title: Re: Decompression Bomb - Anything to worry about?
Post by: timet on July 26, 2008, 03:35:39 AM
That's the thing, I'm not sure at all where it came from. It wasn't there last time I scanned with Avast (probably ~2-3 weeks ago, I need to do it more frequently; I generally scan with Spybot more often). The fact it's in System Volume Information confuses/worries me a bit.
Title: Re: Decompression Bomb - Anything to worry about?
Post by: DavidR on July 26, 2008, 01:55:23 PM
There should be no need to worry about the location, if at some point the data1.dat was in a system folder and deleted then it is protected by the system restore function and saved in a restore point within the System Volume Information folder.

In the System Volume Information folder the restore points are inert unless you use system restore to go back to a point that would include that file, then it would be restored. Again, it would be inert as the .cab file is an archive and has to be extracted for anything inside to possibly be active. At the point of extraction, new files are effectively created and newly created files (depending on file type) will be scanned by avast's standard shield, so nothing to worry about in that regard either.

I would suggest you look at the size of the System Volume Information folder as unchecked it can grow enormous, I have seen them as large as 1.5GB and some restore points so old as to be pretty worthless. So if your system is running fine I would suggest a bit of housekeeping in the System Volume Information folder.

Create Clean Restore Point - Clear old Restore Points.

Now you are clear of infection and your system is running fine, create a clean System Restore point:
1. Click Start, All Programs, Accessories, System tools, System Restore.
2. In the pop-up that appears fill in the radio button to Create a Restore Point
3. Click NEXT
4. Enter a useful name that you will remember if you need to find this again (Clean Restore Point)
5. Click CREATE

You now have a clean restore point, you should clear the old ones:
1. Click Start, All Programs, Accessories, System tools, Disk Clean Up
2. Click OK on the C: drive
3. Click the More Options tab
4. In the System Restore section click the Clean Up button
Title: Re: Decompression Bomb - Anything to worry about?
Post by: epp on July 26, 2008, 02:00:22 PM
The Linux version of Avast! actually described one such file, as this. The file was an ISO image of a Linux distribution.

Title: Re: Decompression Bomb - Anything to worry about?
Post by: timet on July 27, 2008, 04:30:10 PM
Thanks for the help!
Title: Re: Decompression Bomb - Anything to worry about?
Post by: DavidR on July 27, 2008, 05:23:24 PM
You're welcome.