How to dismantle a decompression bomb?

[Capitalist]

I am in a situation, where I need to write scripts for parsing log files, decompressing files to some strangely named folder under the /tmp folder and then check those archives marked as "decompression bomb" by the scanner and I really really would not like to do this myself.

 I know what a decompression bomb is, I am pretty sure I have a full control of the contents of the intentionally large files in the folders I am going to scan. I still need to scan the files, everything must be scanned in case there is something evil lurking in the dark corners of the file system. I also know, that my pretty current system can handle the load for doing this.

Is there any way to manually adjust the threshold where the scanner classifies files from the performance and file space point of view as hopeless to uncompress? I understand that this might spoil some excellent performance reviews for the software, but I need a virus scanner that decompresses the files and sees if there are any threats, before somebody else does that and finds it out in the hard way.

Also, It would help to find the exact definition of the limit, where the scanner throws the towel in.

Thank you mom for all the love, but this time think I can take care of myself.

[Radek Brich]

Hi, let me just make sure that I understand your problem: You want to allow scanning archives with large files, but they are reported as decompression bomb by the scanner. So you made a workaround where you extract the archives manually and call scan on the extracted contents.

Is that right?

We have some parameters in the scanning engine that could be adjusted, but I don't think it's currently possible in the Linux version of the Antivirus.
(Details about the parameters removed for now, we'll discuss internally.)

[Radek Brich]

Can you please share some more information about the problematic archives?

* How many files they contain, how large after extraction is each file.
* What message are you getting in the log file?

Ideally, a sample of a "bad" archive would help to decide what we can change / make configurable.

[Capitalist]

Yes, I am constructing a workaround, because the scanner stops trying to scan the files. I get "compressed file is too big to be processed" and "the file is a compression bomb" error messages.

The big files are often installation tars of free, common Linux programs related to programming or iso images of commercial software. They still need to be scanned, because everything must be scanned. For example, quite common Eclipse tar package can be well over 500 MB after decompression.

[Capitalist]

The most urgent problem is to improve the handling of large deb packages including large compressed files. I also wonder, if all the "corrupted" compressed packages really are corrupted after all.

[Radek Brich]

Thanks for the explanation. I think your use case is valid. We'll add some option to allow scanning large archives.

Regarding corrupted archives, do you have a sample of such archive, which is reported as corrupted but you think it really isn't?

[Radek Brich]

Hi, please check version 4.2.0 (released today), if it helps you.

There are additional [PACKER_BOMB] parameters in /etc/avast/avast.conf, documented in avast(1) man page.

The in-memory unpacking has inherent limits, so you may still need to unpack manually if the archive is very large. The unpacking limit can be configured to at most 4000 MB, and you need to have appropriate amount of RAM on the machine.