Author Topic: problem with decompression bomb  (Read 7113 times)

0 Members and 1 Guest are viewing this topic.

Offline ziffete

  • Newbie
  • *
  • Posts: 15
problem with decompression bomb
« on: October 27, 2004, 01:12:48 PM »
I've read on the forum that avast 4.5 has decompression bomb protection.
well, I have a small zip file (1.3 mb) that once decompressed is about 18 mb, and when it is scanned is is recognised as decompression bomb.
I think that 18 mb should not be a problem, after all it isn't 1 gb of data (I can attach the file if needed).

in any case, after I get the message "unable to scan" I click on "action" button and select scan. then avast is blocked doing nothing: no cpu is used, no file is read (according to filemon). after 5 minutes on a centrino 1.5 ghz nothing happened. maybe the process is hung, so I click "cancel" on the "processing results" dialog: nothing happens... I have to kill the process using task manager. I think that at least the "cancel button" should work.

thanks.



Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2085
Re:problem with decompression bomb
« Reply #1 on: October 27, 2004, 02:27:46 PM »
well, I have a small zip file (1.3 mb) that once decompressed is about 18 mb, and when it is scanned is is recognised as decompression bomb.I think that 18 mb should not be a problem, after all it isn't 1 gb of data (I can attach the file if needed).

please send me the archive
thanks
« Last Edit: April 15, 2006, 01:30:35 PM by pk »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67247
Re:problem with decompression bomb
« Reply #2 on: October 27, 2004, 08:12:16 PM »
pk, sorry the 'off-topic', I coldn't send you my files as the FTP server was always down... Can you send me an email with full details to upload that files? Thanks.
The best things in life are free.

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2085
Re:problem with decompression bomb
« Reply #3 on: October 28, 2004, 11:06:25 AM »
Fixed, wait for next build. Thanks.

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2085
Re:problem with decompression bomb
« Reply #4 on: October 28, 2004, 11:14:15 AM »
pk, sorry the 'off-topic', I coldn't send you my files as the FTP server was always down... Can you send me an email with full details to upload that files? Thanks.
I wrote you my ftp details within five minutes and nothing... and i was waiting so zealously :'(.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9384
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:problem with decompression bomb
« Reply #5 on: October 28, 2004, 11:14:54 AM »
Well 1,3MB into 18MB isn't really a decompression bomb.
I made a home one which was only 21KB in size and decompressed into 72MB using Deflate compression and a 5000x5000 24bit BMP image. This is a much higher difference in ratio. Sent it to mail server,but i'm not sure what suppose to happen when decompression bomb passes Internet Mail.
No tag on mail,no warning,nothing.
Visit my webpage Angry Sheep Blog

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2085
Re:problem with decompression bomb
« Reply #6 on: October 28, 2004, 11:19:34 AM »
Well 1,3MB into 18MB isn't really a decompression bomb.
I made a home one which was only 21KB in size and decompressed into 72MB using Deflate compression and a 5000x5000 24bit BMP image. This is a much higher difference in ratio. Sent it to mail server,but i'm not sure what suppose to happen when decompression bomb passes Internet Mail.
No tag on mail,no warning,nothing.

Yes, i changed limits for decompression bombs (default ratio from 90% -> 98%, sure unpacked file size must exceed 10Mb), there're different values for SShield, Mail and on-demand scan, so if unpacked file size (in emails) exceed 30mb (including that ratio, or not) it's called 'mail bomb'.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11805
    • AVAST Software
Re:problem with decompression bomb
« Reply #7 on: October 28, 2004, 12:16:08 PM »
PK, there's a resource string for "mail bomb" somewhere? ???

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:problem with decompression bomb
« Reply #8 on: October 28, 2004, 12:18:46 PM »
It's an error code string in Base.dll.
BTW pk you should also tell Franta about this change so that he can implement it to the Linux ver. Thx.
« Last Edit: October 28, 2004, 12:19:26 PM by Vlk »
If at first you don't succeed, then skydiving's not for you.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67247
Re:problem with decompression bomb
« Reply #9 on: October 28, 2004, 02:13:40 PM »
http://forum.maxthon.com/forum/style_emoticons/default/ninja.gif[/img] and nothing... and i was waiting so zealously :'(.

Well, I can't login... worse, you send me few information. I'm stupid  ;D
Please, exactly what should I write in the ftp application:
Site:
Username:
Password:

 8)
The best things in life are free.

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2085
Re:problem with decompression bomb
« Reply #10 on: October 28, 2004, 02:19:11 PM »
i sent you an IM - or try it with build 498 if it's already fixed

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67247
Re:problem with decompression bomb
« Reply #11 on: October 28, 2004, 09:53:34 PM »
i sent you an IM - or try it with build 498 if it's already fixed

I tried and can connect but the connection is not that good.
Vlk asked me for a dump file but I think it will be impossible to send 20Mb this way.
It will be faster in Czech if I took a plane with it in a CD  ;D
Well, I'm keep trying.

Vlk, today, again the CPU problem...  :'(
The best things in life are free.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9384
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:problem with decompression bomb
« Reply #12 on: October 29, 2004, 08:53:22 PM »
Use LZMA based compressor (www.7-zip.org). Those 20MB should be reduced to at least 5MB if not more.
Visit my webpage Angry Sheep Blog