Error Avast 4.5.505 and Winrar

[Eddy]

I just discovered a "bug" with Avast 4.5.505 and Winrar (3.40 beta 4 registered)

- I created a plain rar file with 10 files in it. 9 are things that are detected by Avast as malware. 1 is a legitimate file and is not detected by Avast as being infected.
- I right click the rar file and choose scan.
- The first infection is detected.
- I tick "do not show this window again"
- I select delete
- On the next screen I again choose delete

Doing this everything goes well and at the end of the scan the rar only contains the 1 legitimate file.

Now I do exactly the same, except this time I use a rar file with 588 files in it from which one is not infected. When the scan is finished, they entire rarfile is gone. Even the legitimate one.

I did some more testing with different amounts of files in it. It turns out that 80 files in the archive is the turning point.

I hope this will be solved.

[Eddy]

Did some more testing. The same happens when I start Avast and do a manual scan of the folder I placed that rar file in. Settings thorough and archive scan enabled.

[RejZoR]

WinRAR 3.40 beta is outdated. Final release of 3.40 was already released long ago.

[igor]

Well, I think the problem doesn't have anything to do with the number of files. My guess is that one of the files is "stored" (i.e. archived without any compression) in the .RAR archive. This way, avast! scanner finds it both during the decompression of the archive, and also during the scanning of the "outer" file (because the stored file is clearly visible there - it would be detected even with archives turned off).
When found inside of the archive, only the corresponding file is deleted; when detected in the "envelope", however, the whole archive is deleted.

I'm just trying to improve the behavior somehow... but I'm afraid the problem is not 100% solvable. Changing the behavior one way will make another problem appear elsewhere. Regarding the actions on archives, there always will be situations when it doesn't work right, I'm afraid.

[.: Mac :.]

WinRAR 3.40 beta is outdated. Final release of 3.40 was already released long ago.

Actually 3.41 is out now too!

[Eddy]

Igor, I got about 700 malware samples here and tried it with different files. It was always that "magic" 80 files where it goes wrong.

I know there are newer version and I just tested them. The same thing happens.

I just can't found out if this is caused by Avast or Winrar. (or perhaps even the combination of the two of them.)

I don't think that it is likely someone would get into troubles because of this. Who will scan/have a archive with 80 or more malwares in it

[igor]

What happens when you scan the file with the archive scanning turned off? (scanning the whole file, though - e.g. using a thorough scan).

[Eddy]

Test conditions:
- Plain rar archive.
- 587 malwares (individually detected by Avast and other av's)
- 1 non infected file.
- Scanning the folder the archive is in. (it's the only file there)

Archive scanning off, thorough on:
First infected file in the rar is detected, entire archive is removed without scanning the rest.

Archive scanning off, standard scan on:
Nothing detected.

Archive scanning on, standard scan on:
First infected file in the rar is detected, scan resumes. 534 malwares are detected and correctly removed from the rar. Failed to detect 52 malwares which are detected with a thorough scan and archive scanning on.

[igor]

That confirms my theory. I'll did some improvement to the behavior (it will be included in the next update), but don't expect miracles from it.

[Eddy]

Well a miracle did happen

It is working perfectly with 4.5.518