Author Topic: [L] MacOS:OverT-A [Expl] (0) found, false positive ?  (Read 1536 times)


Offline Greggg

  • Newbie
  • Posts: 18
[L] MacOS:OverT-A [Expl] (0) found, false positive ?
« on: July 19, 2020, 08:18:12 PM »
Hello, I scanned my PC with Avast and this was found. I have Windows 10.


* Avast Scan Report
* This file is generated automatically
*
* Scan name: Full Virus Scan
* Started on: Sunday, July 19, 2020 3:15:37 PM
* VPS: 200719-0, 07/19/2020
*

C:\Users\XXXXX\AppData\Local\yuzu\yuzu-windows-msvc\yuzu-windows-msvc-source-20200321-6614fb65a.tar.xz|>yuzu-windows-msvc-source-20200321-6614fb65a.tar|>yuzu-windows-msvc-source-20200321-6614fb65a\externals\libzip\libzip\regress\bigzero-zip.zip|>bigzero.zip|>bigzero [E] The file is a decompression bomb. (42110)
E:\XXXXX\Games\MMO\Glyph\Games\RIFT\Live\Assets\assets.003 [L] MacOS:OverT-A [Expl] (0)
E:\XXXXXX\Savyyyy gamy\AppData\Local\yuzu\yuzu-windows-msvc\yuzu-windows-msvc-source-20200321-6614fb65a.tar.xz|>yuzu-windows-msvc-source-20200321-6614fb65a.tar|>yuzu-windows-msvc-source-20200321-6614fb65a\externals\libzip\libzip\regress\bigzero-zip.zip|>bigzero.zip|>bigzero [E] The file is a decompression bomb. (42110)
Infected files: 1
Total files: 2449839
Total folders: 104746
Total size: 2.0 TB

Is this a false positive please? Thanks

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 87065
  • No support PMs thanks
Re: [L] MacOS:OverT-A [Expl] (0) found, false positive ?
« Reply #1 on: July 19, 2020, 09:50:09 PM »
1. "The file is a decompression bomb." - A decompression bomb is a file that is highly compressed and could be very large when decompressed. This used to be a tactic long ago to swamp the system.

The name (I feel) really is the most dangerous thing about this and I wish they would change it or simply not report it, a real PITA.

These highly compressed files are generally 'archive' files which are inert, don't present an immediate risk until they are unpacked. If you happen to select 'All packers' in your on-demand scans then you are more likely to come across this type of thing. Personally it is a waste of time scanning 'all packers' and that is why it isn't enabled by default.

2.  The detection name - MacOS:OverT-A [Expl]
This would seem strange being on a Windows 10 installation.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.10.6038 (build 22.10.7633.734) UI 1.0.733/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
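As an added illustration of the "decompression bomb" point above (example code, not from this thread and not Avast's own logic): a check that reads only a zip's central directory, without extracting anything, and flags an archive whose declared expansion ratio or total uncompressed size is excessive. It is run here on a constructed "bigzero"-style archive next to a harmless one; the thresholds are assumptions for the example, not Avast's limits.

```python
import io
import zipfile

# Assumed thresholds for this example, not the scanner's real limits.
MAX_RATIO = 100                      # uncompressed : compressed expansion ratio
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # 50 MiB declared total uncompressed size


def inspect_zip(data: bytes) -> dict:
    """Read only the central directory (no extraction) and report the declared
    uncompressed and compressed totals plus the expansion ratio.
    Caveat: declared sizes can be forged, so a full defence also caps the bytes
    actually written while inflating; this pre-check is the cheap first gate."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    total_uncompressed = sum(i.file_size for i in infos)
    total_compressed = sum(i.compress_size for i in infos)
    ratio = total_uncompressed / max(total_compressed, 1)
    return {
        "entries": len(infos),
        "uncompressed": total_uncompressed,
        "compressed": total_compressed,
        "ratio": ratio,
    }


def is_decompression_bomb(data: bytes) -> bool:
    """True when the declared ratio or total size exceeds the caps."""
    report = inspect_zip(data)
    return report["ratio"] > MAX_RATIO or report["uncompressed"] > MAX_TOTAL_BYTES


def build_zip(name: str, payload: bytes) -> bytes:
    """Build a constructed DEFLATE zip in memory for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed inputs: 64 MiB of zero bytes (deflates to a few tens of KiB,
# like the libzip 'bigzero' regression file) beside ordinary, low-ratio data.
BOMB = build_zip("bigzero", b"\x00" * (64 * 1024 * 1024))
BENIGN = build_zip("assets.idx", bytes(range(256)) * 20)

if __name__ == "__main__":
    for label, blob in (("bigzero", BOMB), ("assets.idx", BENIGN)):
        r = inspect_zip(blob)
        print(f"{label}: ratio {r['ratio']:.0f}:1, {r['uncompressed']} bytes "
              f"declared, bomb={is_decompression_bomb(blob)}")
```

Note that the scan report above shows the bomb nested inside a .tar.xz; a real scanner applies the same size and ratio gates recursively to every inner archive it unpacks.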

Offline Greggg

  • Newbie
  • Posts: 18
Re: [L] MacOS:OverT-A [Expl] (0) found, false positive ?
« Reply #2 on: July 19, 2020, 11:39:51 PM »
Thanks for reply.
So what about the MacOS OverT-A thing that was reported? It was found inside the Rift MMORPG game in the Assets folder. Never received a report like this before, not even in previous versions of Avast. It popped up for the first time only today.
I don't even play that game anymore; it has been sitting on my HDD for a year or more anyway.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 87065
  • No support PMs thanks
Re: [L] MacOS:OverT-A [Expl] (0) found, false positive ?
« Reply #3 on: July 20, 2020, 01:05:54 AM »
I honestly don't know why, but the virus database could possibly have virus signatures which are cross platform.

So finding something like this in a highly compressed .tar file could happen.

When you do a scan, the default on-demand scans ordinarily wouldn't scan archive files (other than self-extracting files such as compressed .exe files).
So what scan did you run and did you make any changes to the default settings ?

Offline Greggg

  • Newbie
  • Posts: 18
Re: [L] MacOS:OverT-A [Expl] (0) found, false positive ?
« Reply #4 on: July 20, 2020, 02:40:43 AM »
Oh, so does that mean it is false positive?

I ran Full Virus Scan, but yeah, I turned every option on (changed the default settings); I like to make thorough scans of my PC.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 87065
  • No support PMs thanks
Re: [L] MacOS:OverT-A [Expl] (0) found, false positive ?
« Reply #5 on: July 20, 2020, 03:06:35 AM »
It doesn't mean it is a false positive. The alert in itself, "The file is a decompression bomb.", isn't what I would call serious. I would say it's just damn old.

Based on what I said before ("This used to be a tactic long ago to swamp the system."), with modern systems with better CPUs and larger hard drives this is less likely to be an issue.

Selecting every option is, I would say, overkill, but that's me; there has to be a good reason to do this and your scan time would be greatly slowed.

With a resident (on-access) scanner the need for on-demand scans is much depreciated, as new, opened, modified or moved files, etc. would trigger the on-access scanner. For the most part, on on-demand scans dormant/inert files (.zip files, etc.) are being scanned; the other, active files are going to be scanned by the resident shields when they are activated.

Offline Greggg

  • Newbie
  • Posts: 18
Re: [L] MacOS:OverT-A [Expl] (0) found, false positive ?
« Reply #6 on: July 20, 2020, 03:12:20 AM »
Oh, I mean this one:
E:\XXXXX\Games\MMO\Glyph\Games\RIFT\Live\Assets\assets.003 [L] MacOS:OverT-A [Expl] (0)

If it is safe, then what does it mean? :)
Decompression bomb should be all right I think.
« Last Edit: July 20, 2020, 03:16:09 AM by Greggg »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 87065
  • No support PMs thanks
Re: [L] MacOS:OverT-A [Expl] (0) found, false positive ?
« Reply #7 on: July 21, 2020, 02:53:42 AM »
Not being a gamer I have no idea what might be included in the file, nor can I say if it is safe. If it has been moved to the virus chest you could submit it with 'Send for analysis' to Avast.

If it were found to be safe, that would be considered a False Positive.

Offline JanK

  • Avast team
  • Newbie
  • Posts: 9
Re: [L] MacOS:OverT-A [Expl] (0) found, false positive ?
« Reply #8 on: August 07, 2020, 10:02:24 AM »
Hi,
MacOS:OverT-A [Expl] was an FP. The detection has been adjusted and will be fixed in the next update.