Author Topic: What is a decompression bomb.  (Read 380650 times)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: What is a decompression bomb.
« Reply #45 on: June 03, 2009, 03:04:47 AM »
It only scans the inbox as a single file during an on-demand scan when it only sees it as a single file.

For scanning inbound email it scans that email in the Internet Mail localhost proxy, before it gets to the inbox. So your issue with very large file size only happens during on-demand scans.

There are many that would recommend that you exclude these Thunderbird email database files as effectively if avast actually found anything in there, it wouldn't really be able to extract the infected email and may corrupt the file if it couldn't. This could result in loss of the remainder of emails contained in that file.

You should also consider regularly backing-up your email database files against any such eventuality, not just AV related.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

SarahL

  • Guest
Re: What is a decompression bomb.
« Reply #46 on: June 15, 2009, 07:40:50 PM »
I use Avast! once a week, been clean for many weeks now.  Today two files are marked as decompression bombs.  They could not be moved to Chest or deleted by Avast.  I then tried Repair.  That gave me a nice message (successful) on the screen, but the report still said it was a problem.

C:\DocumentsandSettings\LocalSettings\ApplicationData\Mozilla\Firefox\Profiles\g5gu17hs.default\Cache\...\{gzip}

... is FC120747d01 for 1st file and
       BCA62344d01 for 2nd file.

I have used Mozilla Firefox for years, and get its updates regularly.  Why did this suddenly appear?  Should I do a boot scan?  Why does Mozilla suddenly have 2 files so large?  My knowledge of software innards is not good enough to know why a file in Profiles should be so large.

Thanks for any guidance.  Scary term, decompression bomb, even when explained.

Sarah


Offline DavidR

Re: What is a decompression bomb.
« Reply #47 on: June 15, 2009, 07:48:09 PM »
The cache file/folder can be very large and that is all it means, nothing more nothing less. Exactly what has been covered in this topic.

You should a) periodically clear out the cache, b) restrict the size it can grow to.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

enkephalin07

  • Guest
Re: What is a decompression bomb.
« Reply #48 on: July 02, 2009, 06:22:52 PM »
I'm just recovering from a virus, and avast reported a lot of these decompression bombs on my external drive afterward, all in files that have been on my drive for over a year and accessed periodically. What are the chances a virus could've slipped into one of the files in those archives? And what purpose would there be to making them decompression bombs; if the intent of a decompression bomb is to completely lock up system resources, would there be any CPU left for a virus to spread?

I've deleted some of these, but when I looked into a few I found that some, although large, are packed close to a 1:1 ratio -- so what the heck is the criteria for labeling an archive a decompression bomb?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: What is a decompression bomb.
« Reply #49 on: July 02, 2009, 09:08:42 PM »
If you read this thread, you'll see that a decompression bomb is not something to worry about that much.
It's always better to send a file to the Chest than to delete it directly.
The best things in life are free.

enkephalin07

  • Guest
Re: What is a decompression bomb.
« Reply #50 on: July 03, 2009, 03:30:23 AM »
When it goes to the Chest, isn't it compressed into yet another format? What actions can I take on it then?

This decompression bomb detection sounds like a good idea, but it doesn't seem complete yet. Can't the end user have it scanned at their own discretion anyway? Should the other issues I brought up be ignored? -- ie: why would decompression bombs be considered a primary threat, and under which criteria is an archive identified as a decompression bomb?

Offline Lisandro

Re: What is a decompression bomb.
« Reply #51 on: July 03, 2009, 09:03:54 PM »
Quote from enkephalin07: When it goes to the Chest, isn't it compressed into yet another format? What actions can I take on it then?
It's encrypted. Outside of the Chest, the files are inert. You can copy, move, paste... you can't edit, open, etc.
Within Chest, you can scan the file, send it to Alwil for analysis, etc.
« Last Edit: July 03, 2009, 09:22:09 PM by Tech »
The best things in life are free.

Offline sooners2win

  • Full Member
  • ***
  • Posts: 196
Re: What is a decompression bomb.
« Reply #52 on: August 02, 2009, 02:36:03 AM »
Just did my first scan with Avast home version. The first line in the "Results of last scan" is: "Unable to scan: The file is a decompression bomb" , this is for a file named COMMS1.cdb. I know what this file is and it is legit, or at least a file named that belongs where it is lol.
There are hundreds of files with ext cdb in the same area as this one, yet it is the only one with this error.
 
This is a Win XP pro machine and I have done the file compression to increase my drive capacity.
Can anyone tell me what a "decompression bomb" is?
Thank you in advance.

I have a file doing this as well, it is an avi file (movie), so it is probably compressed. Think this is the problem?

Never mind, scanned the file by itself and scanned just fine.
« Last Edit: August 02, 2009, 02:42:44 AM by sooners2win »
a6750f, amd phenom 9650quad core processor 2.30Ghz, Ram 8GB, Microsoft Vista Home Premium 64-bit SP2,Avast7 Free,Comodo Firewall, Malwarebytes, Superantispyware, Ccleaner, FF3.6.14,Google Chrome.

mariaBH

  • Guest
Re: What is a decompression bomb.
« Reply #53 on: August 21, 2009, 08:28:01 PM »
And I have a file, called decompression bomb. It is C:\program files\Nero\Nero8\Nero backitup. I really don't understand anything of computers. Do you think that it might be something dangerous? Thanks in advance.

Offline Lisandro

Re: What is a decompression bomb.
« Reply #54 on: August 21, 2009, 09:00:57 PM »
Quote from mariaBH: And I have a file, called decompression bomb. It is C:\program files\Nero\Nero8\Nero backitup. I really don't understand anything of computers. Do you think that it might be something dangerous? Thanks in advance.
No, it's not. Don't worry.
Decompression bomb is just something that unpacks to an unusually big amount of data even though it's rather small (i.e. has a high compression ratio, for example). It's nothing to worry about, you are just informed that avast! will not try to unpack the archive (you may not even know that it's an archive, but it seems like it is) because it may take VERY long to process.
(quoted from Igor: http://forum.avast.com/index.php?topic=15389.msg131213#msg131213)
The best things in life are free.
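
As an added illustration of the criterion described in the reply above (not part of the original thread, and not avast!'s actual detection logic), a scanner can unpack a gzip stream in bounded pieces and stop as soon as an output-size or ratio limit is crossed. The function name `inspect_gzip` and all limits are assumptions chosen for this example; the sample inputs are constructed.

```python
import gzip
import zlib

CHUNK = 64 * 1024               # output is pulled in pieces of at most this size
MAX_OUTPUT = 64 * 1024 * 1024   # assumed cap on bytes the scanner will unpack
MAX_RATIO = 100                 # assumed unpacked/packed limit
RATIO_FLOOR = 1024 * 1024       # ratio is ignored until this much is unpacked


def inspect_gzip(data, max_output=MAX_OUTPUT, max_ratio=MAX_RATIO):
    """Unpack one gzip member piece by piece and stop at the first limit hit.

    Returns (verdict, bytes_unpacked); verdict is one of
    "ok", "too-big", "high-ratio", "truncated", "corrupt".
    Only the first gzip member of the input is examined.
    """
    d = zlib.decompressobj(zlib.MAX_WBITS | 16)  # +16 selects gzip framing
    unpacked = 0
    buf = data
    try:
        while not d.eof:
            out = d.decompress(buf, CHUNK)   # never returns more than CHUNK
            buf = d.unconsumed_tail          # input held back by the cap
            if not (out or buf or d.eof):
                return "truncated", unpacked  # input ran out before the end
            unpacked += len(out)
            if unpacked > max_output:
                return "too-big", unpacked
            if unpacked > RATIO_FLOOR and unpacked > max_ratio * len(data):
                return "high-ratio", unpacked
    except zlib.error:
        return "corrupt", unpacked
    return "ok", unpacked


# Constructed samples: ordinary text, and 8 MiB of zero bytes (a few KB packed).
NORMAL = gzip.compress(b"hello world\n" * 1000)
ZEROS = gzip.compress(bytes(8 * 1024 * 1024))

if __name__ == "__main__":
    for name, blob in (("normal", NORMAL), ("zeros", ZEROS)):
        print(name, len(blob), inspect_gzip(blob))
```

The floor on the ratio check keeps tiny, highly repetitive files from being flagged, and the size cap catches large archives regardless of ratio, which is one reason a large file packed near 1:1 can still be skipped by a scanner using limits like these.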

mariaBH

  • Guest
Re: What is a decompression bomb.
« Reply #55 on: August 21, 2009, 09:07:59 PM »
Thanks very much :). I have just noticed that in fact it is written C:\program files\nero\Nero8\Nero backitup\...\root.img. I didn't write it that way before (I missed root.img) but I guess it is the same?

Offline Lisandro

Re: What is a decompression bomb.
« Reply #56 on: August 21, 2009, 11:05:38 PM »
Quote from mariaBH: But I guess it is the same?
Yes, it is.
The best things in life are free.

sysusr

  • Guest
Re: What is a decompression bomb.
« Reply #57 on: August 28, 2009, 06:01:13 AM »
Hi all,

How is avast! able to identify decompression bombs? Does it attempt to extract the contents of an archive, then abort once the extracted contents reach some pre-determined "suspicious" size? Does it estimate the extracted size and compare it to the compressed size? If so, is it able to estimate the sizes of recursively compressed archives?

Thanks in advance!

Offline Lisandro

Re: What is a decompression bomb.
« Reply #58 on: August 28, 2009, 02:15:32 PM »
I also have a question. I don't see this feature in the avast5 GUI. It seems that it is "hidden" as in avast4.
Am I right? Would people be able to configure the compression rates, the alerts, etc.?
The best things in life are free.

REDACTED

  • Guest
Re: What is a decompression bomb.
« Reply #59 on: September 27, 2009, 04:35:50 AM »
Ok so I just did a scan today (Home edition 4.8 with thorough and archives enabled) and ended up with like 39 different 'unscanables' as such. Most of them said that it was due to them being compression bombs that they couldn't be scanned. I've read through this thread but was wondering if it is safe for these not to be scanned?