Author Topic: WebShield file scanning problem when at a message board  (Read 5243 times)


RJARRRPCGP

  • Guest
WebShield file scanning problem when at a message board
« on: May 25, 2005, 04:10:24 AM »
After surfing at EmuTalk.net, which is a web site that's trusted, the following messages are logged in the Avast event log:





It's also the same error code, which means a decompression bomb, according to one of you here. But, with me knowing that web site, I doubt that it's a decompression bomb!!!
« Last Edit: May 25, 2005, 04:17:07 AM by RJARRRPCGP »

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: WebShield file scanning problem when at a message board
« Reply #1 on: May 25, 2005, 08:21:41 AM »
There's no doubt this is a decompression bomb.

A decompression bomb can be a file that is 100B compressed and 30KB uncompressed - this is also considered as a decompression bomb.
I admit that while technically correct, the file is not dangerous in any way and probably shouldn't be tagged as a "bomb".

Thanks Vlk
If at first you don't succeed, then skydiving's not for you.

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: WebShield file scanning problem when at a message board
« Reply #2 on: May 25, 2005, 11:06:26 AM »
Vlk,

forgive me if I fail to understand your response on "decompression bombs"

I too get the same errors logged in my antivirus event log with the same error for perfectly innocent message forums that contain no reference to compressed files.  I also get it for seemingly innocent websites that one day log the error and the next day do not ... here is my most recent example.

What "compressed files" am I missing?

Offline Vlk

Re: WebShield file scanning problem when at a message board
« Reply #3 on: May 25, 2005, 11:18:01 AM »
Some forum software (PHP-based) sends contents in compressed format (namely, in the GZIP format). This is in accordance with the HTTP 1.1 standard.
WebShield is decompressing the data en route.

Some objects (such as uncompressed images with large areas of the same color) may look like a "decompression bomb" simply because their GZIP compression ratio is, say, 200:1.

Does that make sense?

I agree that avast probably shouldn't warn in such cases but it's not really simple to distinguish...

Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.
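The trade-off described in Reply #3, as an added example that is not part of the original thread and is not avast's code: a gzip-encoded HTTP body is decompressed in bounded chunks, a high ratio alone only produces an informational note, and only a hard output cap blocks. The function name, the thresholds and the sample bodies are assumptions constructed for illustration.

```python
import gzip
import zlib

RATIO_NOTE = 100               # assumed: ratio above which we only log a note
MAX_OUTPUT = 8 * 1024 * 1024   # assumed: hard cap on decompressed bytes
CHUNK = 64 * 1024              # output produced per decompress() call

def scan_gzip_body(body, max_output=MAX_OUTPUT, chunk=CHUNK):
    """Stream-decompress a gzip HTTP body under a hard output cap.

    Returns (verdict, bytes_out, ratio). Output arrives at most `chunk`
    bytes at a time, so an oversized stream is abandoned early instead
    of being expanded in full.
    """
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16 + wbits = gzip framing
    size_in = max(len(body), 1)                  # avoid dividing by zero
    data, out = body, 0
    while not d.eof:
        piece = d.decompress(data, chunk)  # never returns more than `chunk`
        data = d.unconsumed_tail           # input held back by the limit
        out += len(piece)
        if out > max_output:
            return "blocked", out, out / size_in
        if not piece and not data:         # stream ended without a trailer
            return "truncated", out, out / size_in
    ratio = out / size_in
    return ("note" if ratio > RATIO_NOTE else "ok"), out, ratio

# Constructed samples (not taken from the event logs in this thread):
# 30 KB of one repeated byte, like an image with a single flat colour.
flat_page = gzip.compress(bytes(30_000))
# Ordinary forum-like text with varying content.
text_page = gzip.compress(
    b"".join(b"post %d by user %d\n" % (i, i * 7919 % 101) for i in range(2000))
)
# 4 MiB of zeros, scanned below against a 1 MiB cap.
oversized = gzip.compress(bytes(4 * 1024 * 1024))

if __name__ == "__main__":
    for name, body, cap in [("flat_page", flat_page, MAX_OUTPUT),
                            ("text_page", text_page, MAX_OUTPUT),
                            ("oversized", oversized, 1024 * 1024)]:
        verdict, out, ratio = scan_gzip_body(body, max_output=cap)
        print(f"{name}: {len(body)} B in, {out} B out, {ratio:.0f}:1 -> {verdict}")
```

The flat page is harmless at 30 KB yet exceeds the ratio threshold, which is why ratio on its own works as a log note and the absolute cap is the control that bounds resource use.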

Offline alanrf

Re: WebShield file scanning problem when at a message board
« Reply #4 on: May 25, 2005, 11:32:38 AM »
Sorry to persist.

While I confess not to understand the niceties of the php based GZIP format (nothing of which I see in the source of the web page faulted in my example) and I understand that you are saying that this probably should not be flagged ... my point was more to one of inconsistency. 

Why was it flagged as an error on 05/19 and why is it not flagged today?  I doubt very much that the source of this page changed between these dates. 


Offline Vlk

Re: WebShield file scanning problem when at a message board
« Reply #5 on: May 25, 2005, 11:39:59 AM »
...maybe because you now have version 4.6.665 that doesn't log these any more...?
If at first you don't succeed, then skydiving's not for you.

Offline alanrf

Re: WebShield file scanning problem when at a message board
« Reply #6 on: May 25, 2005, 11:41:55 AM »
That sounds eminently more reasonable.

Thanks.

Offline Vlk

Re: WebShield file scanning problem when at a message board
« Reply #7 on: May 25, 2005, 11:44:06 AM »
But actually I'm not 100% sure about this (about the fact that 4.6.665 doesn't log them anymore).

In any case, they're more like informational logs than warnings, really.
No need to worry :)
If at first you don't succeed, then skydiving's not for you.

Offline alanrf

Re: WebShield file scanning problem when at a message board
« Reply #8 on: May 25, 2005, 11:50:10 AM »
I went back and typed in the (I wonder why one cannot copy from event log windows) urls for a couple of the message forums errors too and they displayed without any further event errors.

Offline alanrf

Re: WebShield file scanning problem when at a message board
« Reply #9 on: May 25, 2005, 11:55:11 AM »
Although my antivirus event log goes back to 01/14/2005 the a47e errors were only logged in the window 04/24 to 05/19.

RJARRRPCGP

  • Guest
Re: WebShield file scanning problem when at a message board
« Reply #10 on: May 25, 2005, 11:22:27 PM »
Quote from: Vlk
There's no doubt this is a decompression bomb.

A decompression bomb can be a file that is 100B compressed and 30KB uncompressed - this is also considered as a decompression bomb.
I admit that while technically correct, the file is not dangerous in any way and probably shouldn't be tagged as a "bomb".

Thanks Vlk

I thought a decompression bomb was a malicious archive that uses the HDD until there's no more free space and thus designed to crash a PC when extracted.

Offline alanrf

Re: WebShield file scanning problem when at a message board
« Reply #11 on: May 26, 2005, 10:18:04 AM »
How big is yours .... is it as big as mine?

Let's admit that software providers like Avast have to strike a balance and decide on some decompression level or are you suggesting that error warnings should be specific to every user?   

RJARRRPCGP

  • Guest
Re: WebShield file scanning problem when at a message board
« Reply #12 on: May 27, 2005, 07:48:31 AM »
That's with 4.6.665!