Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: c0Ld on June 18, 2004, 01:13:18 AM
-
I used to use Trend Micro's PC-Cillin Internet Security 2004.
It has an option.
(http://www.cold-chaos.net/pcc/3.png)
After 6 layers of a compressed archive, it gives up and tells you that it failed to scan it because the archive has too many layers.
This could easily provide a fix, and would be awesome if it could be implemented into avast :)
PS: Sorry if this was suggested before, if it was ignore me :P
-
Holy god, that interface! Looks like my 3 year old drew it in paintbrush! =)
There's two options I see for archive bombs. KAV engine based products somehow recognize them as "Mail Bombs" with Signatures. A couple other AV's simply allow you to restrict the level of archive scanning down to a set amount of layers.
-
Restricting number of levels would certainly be a big step in the right direction, of course.
But am I way off base in guessing that, depending on the particular kind of archiving used, it quite possibly would take very few levels to create unmanageably large files and disk usage?
-
KAV engine based products somehow recognize them as "Mail Bombs" with Signatures.
There are many bombs, and you can even modify one very easily: the output file will not consist of zeroes but of ones -> it would not be detected by a signature (or the output file will have 4 static repeated bytes, etc etc - :P).
A couple other AV's simply allow you to restrict the level of archive scanning down to a set amount of layers.
The bombs may be created in less than 6 layers, really.
We've already found a way to recognize these bombs, but it will not be easy to implement :'(.
-
Well, you can set it to only scan up to one layer....
-
Well, you can set it to only scan up to one layer....
It's not a solution: mail_attachment.zip\run_me.exe\run_me.exe - infected (2 layers: zip, upx exe file).
-
Once it detects the .exe is an archive it stops scanning anyway
-
Once it detects the .exe is an archive it stops scanning anyway
The bomb archive may not contain a virus. It's your turn now ;).
-
So? It still stops scanning it...doesn't matter if it has a virus or not, it cancels the scan and pops up complaining that it had too many layers :P
-
So? It still stops scanning it...doesn't matter if it has a virus or not, it cancels the scan and pops up complaining that it had too many layers :P
I have a bzip2 bomb (one-byte-content: 500bytes, complex-content: 50Kb) which unpacks itself to something around 100GB in 2 layers :P; but yes, we could check decompressed size according to archive size among layers.
-
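The check suggested in the post above (comparing decompressed size with archive size across layers), sketched as an added example that is not part of the original thread and is not Avast's implementation. The limits, the function names and the choice of bzip2/xz streams are assumptions made for illustration.

```python
import bz2
import lzma

class BombSuspected(Exception):
    """Raised when unpacking exceeds the configured budget."""

# Stream formats recognised by magic bytes (both decompressors share one API).
FORMATS = {b"BZh": bz2.BZ2Decompressor, b"\xfd7zXZ\x00": lzma.LZMADecompressor}
CHUNK = 64 * 1024

def _open(data):
    for magic, factory in FORMATS.items():
        if data.startswith(magic):
            return factory()
    return None

def unpack_layers(blob, max_depth=6, max_ratio=200, max_bytes=64 * 1024 * 1024):
    """Peel nested compressed streams; return (innermost payload, layers peeled).

    The budget is cumulative: every byte produced at any layer counts against
    a limit derived from the size of the *outermost* archive, so a bomb cannot
    stay under a layer limit and still expand without bound.
    """
    # Illustrative limits (assumptions): 200x the archive size, capped at 64 MiB.
    budget = min(max_bytes, max(len(blob), 1) * max_ratio)
    produced, depth, data = 0, 0, blob
    while (dec := _open(data)) is not None:
        if depth == max_depth:
            raise BombSuspected(f"more than {max_depth} layers")
        depth += 1
        out, pos = bytearray(), 0
        while not dec.eof:
            if dec.needs_input:
                if pos >= len(data):
                    break  # truncated stream: keep what was decoded
                feed, pos = data[pos:pos + CHUNK], pos + CHUNK
            else:
                feed = b""
            # Stream in bounded pieces so the check fires before the disk or RAM fills.
            piece = dec.decompress(feed, max_length=min(CHUNK, budget - produced + 1))
            produced += len(piece)
            if produced > budget:
                raise BombSuspected(f"layer {depth}: output exceeds {budget} bytes")
            out += piece
        data = bytes(out)
    return data, depth
```

A two-layer bzip2 stream of zeroes passes a six-layer depth limit but is stopped by the size budget while the second layer is being decoded.
-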
I think the last few exchanges on this topic have missed a fairly important point -- a decompression bomb is a menace all by itself, whether or not it also happens to contain a virus.
-
The only antivirus capable of lasting LONG (deep, to high levels) or totally against a compression bomb (test on a 3GB memory machine with 4GB swap and 10+GB temp) was the Polish MKS antivirus ...