Author Topic: Different decompression bombs found in different virus scans  (Read 948 times)

0 Members and 1 Guest are viewing this topic.

Offline Dinobot2

  • Sr. Member
  • ****
  • Posts: 351
Different decompression bombs found in different virus scans
« on: October 07, 2023, 08:11:19 PM »
Ok, another potentially long post, so please bear with me here if you're interested in reading

Over the last week or so I noticed that my Custom C drive scan and even a Full scan showed the message "We were unable to scan some files but no threats found" or something. After uninstalling and reinstalling Avast a couple of times over the last week, My scheduled C drive scan came up again with the same message. So, I looked at the scan log and found this in the scan log

Quote
C:\Users\User\AppData\Local\messenger-updater\pending\update.exe|>$R5\Uninstall Messenger.exe|>$PLUGINSDIR\nsProcess.dll [E] Error 0x0000A47E (42110)
C:\Users\User\AppData\Local\messenger-updater\pending\update.exe|>$R5\Uninstall Messenger.exe|>$PLUGINSDIR\nsExec.dll [E] Error 0x0000A47E (42110)
C:\Users\User\AppData\Local\messenger-updater\pending\update.exe|>$R5\Uninstall Messenger.exe|>$PLUGINSDIR\WinShell.dll [E] Error 0x0000A47E (42110)
C:\Users\User\AppData\Local\messenger-updater\installer.exe|>$R5\Uninstall Messenger.exe|>$PLUGINSDIR\nsProcess.dll [E] Error 0x0000A47E (42110)
C:\Users\User\AppData\Local\messenger-updater\installer.exe|>$R5\Uninstall Messenger.exe|>$PLUGINSDIR\nsExec.dll [E] Error 0x0000A47E (42110)
C:\Users\User\AppData\Local\messenger-updater\installer.exe|>$R5\Uninstall Messenger.exe|>$PLUGINSDIR\WinShell.dll [E] Error 0x0000A47E (42110)
C:\Users\User\AppData\Local\Spotify\Data\61\61942817862b32418f523e9864184608c3678904.file|>°¦o£#pW#E`åä¼P*à x¦Q(¦u|¤-¦Eae-8nG=·¦èÿÑ{ê6[+,5m»GGEæºì¦¦af«xåNX1äü+£eÇ+üä¦ñ9+)+¼û-K¦É7xtî3 [E] Error 0x0000A47E (42110)
C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\8cbb992fe0cd9ef960e69a214646bd270516a23e\0377c85a-68b1-497a-ac07-099d6d72049a\855af346e790b114_0 [E] The system cannot find the path specified (3)
C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\8cbb992fe0cd9ef960e69a214646bd270516a23e\0377c85a-68b1-497a-ac07-099d6d72049a\1c988803d951f3d3_0 [E] The system cannot find the path specified (3)
C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\8cbb992fe0cd9ef960e69a214646bd270516a23e\f0719b5a-9b0e-482d-a399-8991307c3bd0\55c0cf2ac8b38053_0 [E] The system cannot find the path specified (3)
C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\8cbb992fe0cd9ef960e69a214646bd270516a23e\6e47d9c3-05d6-4247-bdc9-17bca9b0d5ac\9a5a1f19522369f9_0 [E] The system cannot find the path specified (3)
C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\8cbb992fe0cd9ef960e69a214646bd270516a23e\0377c85a-68b1-497a-ac07-099d6d72049a\5ae03f3d1bc3151d_0 [E] The system cannot find the path specified (3)
C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\8cbb992fe0cd9ef960e69a214646bd270516a23e\6e47d9c3-05d6-4247-bdc9-17bca9b0d5ac\c144ca4e9e4c5ad0_0 [E] The system cannot find the path specified (3)
C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\8cbb992fe0cd9ef960e69a214646bd270516a23e\6e47d9c3-05d6-4247-bdc9-17bca9b0d5ac\ecee1078b301da8f_0 [E] The system cannot find the path specified (3)

The "System cannot find the path specified" errors i'm not too concerned about as my slightly educated guess is that those were temp files that were established at the start of the scan and then cleared out during the scan and thus Avast couldn't find. The first seven though are what I was curious about. I googled that error code and found that it denotes a decompression bomb. There are plenty of posts online, including many on this forum, that basically say it could be dangerous if they're unpacked but a lot of the time they're a relative nuisance and won't be an issue.

To be sure, I scanned that Spotify subfolder to make sure it would be picked up again, and it was. But when I went to the above file paths, the specific files weren't there. Under the messenger-updater folder, the "Uninstall Messenger.exe" file wasn't there, even with hidden folders and files on in the file explorer settings. The path basically ended at update.exe and installer.exe in both cases, respectively.

I scanned those folders as well with Malwarebytes and it didn't find anything.

So, I delete the messenger-updater folder as this is regarding Facebook messenger that I don't have on my PC anymore (I downloaded it briefly before uninstalling it maybe a couple of years ago) and thus didn't need 'em anymore, and then I uninstalled Spotify which got rid of Spotify folder in AppData. Restarted my computer and did another C drive scan. That produced the same "Some files couldn't be scanned" error. I look at the log and see these

Quote
C:\Users\User\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{f47de834-d8d9-4232-8ac4-de3947b81b49}\0.0.filtertrie.intermediate.txt [E] The system cannot find the path specified (3)
C:\Users\User\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{f47de834-d8d9-4232-8ac4-de3947b81b49}\Apps.ft [E] The system cannot find the path specified (3)
C:\Users\User\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{f47de834-d8d9-4232-8ac4-de3947b81b49}\Apps.index [E] The system cannot find the path specified (3)
C:\Windows\SoftwareDistribution\Download\Install\AM_Delta.exe [E] The system cannot find the path specified (3)

The same "System cannot find the path specified" on files that may have been cleared out, although the "AM_Delta.exe" file not being found is curious but I digress.

This morning, I decide to run the scan again, but before I do the DISM.exe Restore Health and sfc /scannow commands to make sure there are no corrupted system files that could be causing any errors. Then, I run the same scan a third time just now. I get the same "Files can't be scanned" from Avast, check the logs, and it's different again, but with a worrying addition

Quote
C:\ProgramData\HP\HP Touchpoint Analytics Client\Provider Data\SystemStateMonitor\2023100702\7ac24f04-340f-45ab-a09e-835d9a7eb49e.csv [E] The system cannot find the path specified (3)
C:\ProgramData\HP\HP Touchpoint Analytics Client\Provider Data\SystemStateMonitor\2023100701\f8b685ce-e489-4a1c-90d3-a4595eb38a92.csv [E] The system cannot find the path specified (3)
C:\ProgramData\HP\HP Touchpoint Analytics Client\Provider Data\SystemStateMonitor\2023100621\14fd8ba6-5e93-4622-a34a-6b7907b3454e.csv [E] The system cannot find the path specified (3)
C:\ProgramData\HP\HP Touchpoint Analytics Client\Provider Data\SystemStateMonitor\2023100623\a404eac6-0648-43a0-bb34-4779f162f4aa.csv [E] The system cannot find the path specified (3)
C:\ProgramData\HP\HP Touchpoint Analytics Client\Provider Data\SystemStateMonitor\2023100620\923e0480-7d65-4918-bddc-415b55af3881.csv [E] The system cannot find the path specified (3)
C:\ProgramData\HP\HP Touchpoint Analytics Client\Provider Data\SystemStateMonitor\2023100700\4216bd34-9eea-4d40-b4d5-8597a12c3d5b.csv [E] The system cannot find the path specified (3)
C:\ProgramData\HP\HP Touchpoint Analytics Client\Provider Data\SystemStateMonitor\2023100622\e7c12898-6907-49e6-87b4-c5c52492872f.csv [E] The system cannot find the path specified (3)
C:\ProgramData\HP\HP Touchpoint Analytics Client\Provider Data\SystemStateMonitor\2023100706\4de6e893-ca5a-454a-bc4d-71a377aa8918.csv [E] The system cannot find the path specified (3)
C:\ProgramData\HP\HP Touchpoint Analytics Client\Provider Data\SystemStateMonitor\2023100705\99edda7b-6586-47d4-955c-f5c849bf11af.csv [E] The system cannot find the path specified (3)
C:\ProgramData\HP\HP Touchpoint Analytics Client\Provider Data\SystemStateMonitor\2023100619\298be701-da55-4008-8889-894a16293376.csv [E] The system cannot find the path specified (3)
C:\ProgramData\HP\HP Touchpoint Analytics Client\Provider Data\SystemStateMonitor\2023100707\e64a37dc-456f-4f59-9650-b5d507841bf6.csv [E] The system cannot find the path specified (3)
C:\ProgramData\HP\HP Touchpoint Analytics Client\Provider Data\SystemStateMonitor\2023100710\dad5b443-f7f0-4061-892b-3780ca8fddce.csv [E] The system cannot find the path specified (3)
C:\ProgramData\HP\HP Touchpoint Analytics Client\Provider Data\SystemStateMonitor\2023100708\580727ee-4b78-4d38-9594-9c13c0f4238b.csv [E] The system cannot find the path specified (3)
C:\ProgramData\HP\HP Touchpoint Analytics Client\Provider Data\SystemStateMonitor\2023100709\59b12f23-89be-482c-8582-1f1c360aaf30.csv [E] The system cannot find the path specified (3)
C:\ProgramData\HP\HP Touchpoint Analytics Client\Provider Data\SystemStateMonitor\2023100704\cb47bf22-c71b-4616-a40e-fa15cf95d4f8.csv [E] The system cannot find the path specified (3)
C:\Windows\WinSxS\Temp\InFlight\b23a31762bf9d9012608000074047422\7d5631762bf9d9012708000074047422|>ext4.vhdx [E] Error 0x0000A47E (42110)
C:\ProgramData\HP\HP Touchpoint Analytics Client\Provider Data\SystemStateMonitor\2023100703\f114c95c-7414-4c1c-a625-d573f77f8011.csv [E] The system cannot find the path specified (3)
C:\ProgramData\HP\HP Touchpoint Analytics Client\Provider Data\PnPDriver\20231006\602c1649-b7fb-41d0-b469-e6ddf45f978d.csv [E] The system cannot find the path specified (3)
C:\ProgramData\HP\HP Touchpoint Analytics Client\Provider Data\PnPDevice\20231006\9677a1f5-91c5-4afb-910e-e5e4c4ca18a8.csv [E] The system cannot find the path specified (3)

So I get the error on a different folder this time. I know the WinSxS folder is where system files for backup and recoveries are stored. And the fact that it's in the Temp subfolder of WinSxS leads me to believe that at some point that file will no longer exist.

However, what's concerning is that this Decompression bomb error is flagging in different parts of my computer. So my mind immediately goes to consider whether I have a virus or some other thing that's moving around a Decompression bomb to various areas of my drive and that one day a program will attempt to open it and then my system is overloaded. The fact that less than two days ago it was in my Spotify folder also worries me as I use Spotify fairly regular on my laptop. I have also seen in several places, including here, that a Decompression bomb is harmless and Avast could be flagging these as false positives.

I sincerely thank anyone who read through this entire thing, but perhaps someone who did can provide more insight on this, if they're familiar with this kind of error and why it would be flagging?
« Last Edit: October 07, 2023, 08:23:05 PM by Dinobot2 »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88749
  • No support PMs thanks
Re: Different decompression bombs found in different virus scans
« Reply #1 on: October 07, 2023, 10:13:29 PM »
- Decompression Bomb, a file that is highly compressed, which could be very large when decompressed. This used to be a tactic long ago to swamp the system.

The name really is the most dangerous thing about this and I wish they would change it or simply not report it, a real PITA.

These highly compressed files are generally 'archive' files which are inert, don't present an immediate risk until they are unpacked. If you happen to select 'All packers' in your on-demand scans then you are more likely to come across this type of thing. Personally it is a waste of time scanning 'all packers' and that is why it isn't enabled by default.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Dinobot2

  • Sr. Member
  • ****
  • Posts: 351
Re: Different decompression bombs found in different virus scans
« Reply #2 on: October 07, 2023, 10:31:13 PM »
- Decompression Bomb, a file that is highly compressed, which could be very large when decompressed. This used to be a tactic long ago to swamp the system.

The name really is the most dangerous thing about this and I wish they would change it or simply not report it, a real PITA.

These highly compressed files are generally 'archive' files which are inert, don't present an immediate risk until they are unpacked. If you happen to select 'All packers' in your on-demand scans then you are more likely to come across this type of thing. Personally it is a waste of time scanning 'all packers' and that is why it isn't enabled by default.


Thanks for the info. So it seems like I'm at a relatively low risk of something bad happening. But then that still raises the previous question I brought up: What explains new ones being found in scans? The third scan I ran found one that didn't show up in the previous two scans. Is that because those are newly created files by Windows that are flagged as false positives by Avast?

Is there also a scenario where a zip bomb could become worth worrying about? What's the likelihood that an app comes across this and tries to access it and then damage is done?

I'm also a bit worried because decompression bombs can be used to attack antivirus software to make way for other malware.

I also don't know why Avast doesn't just label these as Malware and attempt to delete or quarantine them? It obviously recognizes it as a decompression bomb per the error code. Or is it because of the 'risk' of it being a false positive?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37467
  • Not a avast user
Re: Different decompression bombs found in different virus scans
« Reply #3 on: October 07, 2023, 10:46:15 PM »
Quote
Is there also a scenario where a zip bomb could become worth worrying about?
They are not in use anymore, never seen a real one, never seen any other then avast detect, and they are just highly compressed files and not real




Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88749
  • No support PMs thanks
Re: Different decompression bombs found in different virus scans
« Reply #4 on: October 07, 2023, 11:00:37 PM »
I'm still amazed after all of your previous issues that you are still doing on-demand scans.

- With a resident (on-access) scanner the need for on-demand scans is much depreciated. For the most part dormant/inert files are being scanned, the other active files are going to be scanned by the resident shields when they are activated.

Files have to be active before they actually present an active risk at that point they would have been scanned before an executable was able to run or files scanned when an archive file is unpacked.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Dinobot2

  • Sr. Member
  • ****
  • Posts: 351
Re: Different decompression bombs found in different virus scans
« Reply #5 on: October 07, 2023, 11:15:55 PM »
I'm still amazed after all of your previous issues that you are still doing on-demand scans.

- With a resident (on-access) scanner the need for on-demand scans is much depreciated. For the most part dormant/inert files are being scanned, the other active files are going to be scanned by the resident shields when they are activated.

Files have to be active before they actually present an active risk at that point they would have been scanned before an executable was able to run or files scanned when an archive file is unpacked.

I understand and respect that you don't use on-demand scans, but they're something that I still like to use in case something is missed. If Avast is going to offer on-demand scans, then I would like them to a.) work properly and b.) be able to be actioned on when something is found. Respectfully, just saying that you don't use them doesn't really address the issue at play here.

As far as the active risk, even if a file isn't active and is stored away, I don't want it on my computer if it's harmful. Like I said, there is the risk that one of the shields missed something. There's also the risk that a program I do use could activate a harmful file somehow; one was in my Spotify Data folder which is likely accessed regularly when Spotify is running.

With regards to these being archive files, I did notice that the file names in the report don't have archive file extensions like .zip, .rar. etc. I'm not sure if that's an indicator of anything though.
« Last Edit: October 07, 2023, 11:29:25 PM by Dinobot2 »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88749
  • No support PMs thanks
Re: Different decompression bombs found in different virus scans
« Reply #6 on: October 08, 2023, 03:04:11 AM »
If something is missed what makes you so sure it would be picked up with an on-demand scan.

But then again I have only been using Avast for 20 years.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Dinobot2

  • Sr. Member
  • ****
  • Posts: 351
Re: Different decompression bombs found in different virus scans
« Reply #7 on: October 08, 2023, 03:21:29 AM »
I don't know. Maybe something popped in after a restart while Avast is starting up. Maybe when I disabled my shields for 5 seconds to test that the Avast and Windows notifications were working properly, something made its way in (unlikely since I wasn't downloading any new files or loading any new websites in those 5 seconds, but still a technical possibility). Maybe the on-demand scanners, while not real time, are more detailed in searching for stuff.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37467
  • Not a avast user
Re: Different decompression bombs found in different virus scans
« Reply #8 on: October 08, 2023, 08:14:56 AM »
Quote
With regards to these being archive files, I did notice that the file names in the report don't have archive file extensions like .zip, .rar. etc. I'm not sure if that's an indicator of anything though.
List of archive formats  https://en.wikipedia.org/wiki/List_of_archive_formats



Offline Dinobot2

  • Sr. Member
  • ****
  • Posts: 351
Re: Different decompression bombs found in different virus scans
« Reply #9 on: October 08, 2023, 04:34:20 PM »
I know there are more archive formats than just .zip and .rar. I was using those as examples. But the files flagged in the scan report don't appear to be archive formats.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88749
  • No support PMs thanks
Re: Different decompression bombs found in different virus scans
« Reply #10 on: October 08, 2023, 08:18:03 PM »
It isn't clear which exactly which specific file format you are talking about.

If you are talking about the highlighted line than that could well be compressed.
From a google search:
Quote from: Extract
These VHDs use the ext4 file system type and are represented on your Windows hard drive as an ext4. vhdx file. WSL 2 automatically resizes these VHD files to meet storage needs. By default each VHD file used by WSL 2 is initially allocated a 1TB maximum amount of disk space (prior to WSL release 0.58.

There is nothing to stop you running the same search if it is a different file type type.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security