A fix to the archive bombing

I used to use Trend Micro’s PC-Cillin Internet Security 2004.

It has an option.

http://www.cold-chaos.net/pcc/3.png

After 6 layers of a compressed archive, it gives up and tells you that it failed to scan it because the archive has too many layers.

This could easily provide a fix, and would be awesome if it could be implemented into avast :slight_smile:

PS: Sorry if this was suggested before, if it was ignore me :stuck_out_tongue:

Holy god, that interface! Looks like my 3 year old drew it in paintbrush! =)

There’s two options I see for archive bombs. KAV engine based products somehow recognize them as “Mail Bombs” with signatures. A couple other AVs simply allow you to restrict the level of archive scanning down to a set amount of layers.

Restricting number of levels would certainly be a big step in the right direction, of course.

But am I way off base in guessing that, depending on the particular kind of archiving used, it quite possibly would take very few levels to create unmanageably large files and disk usage?

There’re many bombs, you can even modify one very easily: output file will not consist of zeroes but of number ones → it would not be detected by a signature (or output file will have 4 static repeated bytes, etc etc - :P).

A couple other AV's simply allow you to restrict the level of archive scanning down to a set amount of layers.
The bombs may be created in less than 6 layers, really.

We’ve already found a way to recognize these bombs, but it will not be easy to implement :'(.

Well, you can set it to only scan up to one layer…

It’s not a solution: mail_attachment.zip\run_me.exe\run_me.exe - infected (2 layers: zip, upx exe file).

Once it detects the .exe is an archive it stops scanning anyway.

The bomb archive may not contain a virus. It’s your turn now ;).

So? It still stops scanning it…doesn’t matter if it has a virus or not, it cancels the scan and pops up complaining that it had too many layers :stuck_out_tongue:

I have a bzip2 bomb (one-byte-content: 500 bytes, complex-content: 50 KB) which unpacks itself to something around 100 GB in 2 layers :P; but yes, we could check decompressed size against archive size among layers.
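The two controls discussed in this thread, a cap on the number of nested layers (the PC-Cillin behaviour from the first post) and a check of actual decompressed size against compressed size per layer (the suggestion just above), can be combined in one bounded walk over a nested archive. The following is an added example written for this page; it is not code from the thread or from avast, PC-Cillin, KAV or MKS, and the limits (6 layers, 100:1 ratio, 64 MiB total) are assumed defaults, not values from any product. It uses ZIP/DEFLATE via Python's `zipfile`; the bzip2 bomb mentioned above would be handled the same way with `bz2`. The sample archives are constructed in memory by `build_nested`.

```python
import io
import random
import zipfile
from dataclasses import dataclass

CHUNK = 64 * 1024  # read members in 64 KiB pieces so a bomb is caught long before it is fully inflated


class Bomb(Exception):
    """Raised as soon as one limit is exceeded; the message is the reason."""


@dataclass
class Verdict:
    ok: bool
    reason: str   # "ok", "too many layers", "compression ratio", "size budget", "corrupt archive"
    layers: int   # deepest archive layer actually opened
    inflated: int # real bytes produced by decompression before stopping


def _inflate(zf, info, state, max_ratio, max_total):
    """Decompress one member, counting the bytes actually produced.

    The header's declared uncompressed size is not trusted: only the
    bytes the decompressor really emits count toward ratio and budget.
    """
    declared_compressed = max(info.compress_size, 1)
    out = io.BytesIO()
    produced = 0
    with zf.open(info) as fh:
        while chunk := fh.read(CHUNK):
            produced += len(chunk)
            state["inflated"] += len(chunk)
            # Per-member ratio: zeros (or ones, or any 4-byte pattern) blow past this quickly.
            if produced > max_ratio * declared_compressed:
                raise Bomb("compression ratio")
            # Whole-tree budget: many modest members can add up even when each ratio looks sane.
            if state["inflated"] > max_total:
                raise Bomb("size budget")
            out.write(chunk)
    return out.getvalue()


def _walk(data, depth, state, max_depth, max_ratio, max_total):
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return  # a leaf file: this is where the real malware scanner would take over
    if depth >= max_depth:
        raise Bomb("too many layers")
    state["layers"] = max(state["layers"], depth + 1)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = _inflate(zf, info, state, max_ratio, max_total)
                _walk(member, depth + 1, state, max_depth, max_ratio, max_total)
    except zipfile.BadZipFile:
        raise Bomb("corrupt archive") from None


def scan(data, max_depth=6, max_ratio=100, max_total=64 * 1024 * 1024):
    """Walk a possibly nested archive under the given limits and return a Verdict."""
    state = {"layers": 0, "inflated": 0}
    try:
        _walk(data, 0, state, max_depth, max_ratio, max_total)
    except Bomb as exc:
        return Verdict(False, str(exc), state["layers"], state["inflated"])
    return Verdict(True, "ok", state["layers"], state["inflated"])


def build_nested(payload, layers):
    """Constructed test input: wrap payload in `layers` DEFLATE zips, each holding the previous one."""
    data = payload
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"layer{i}.zip", data)
        data = buf.getvalue()
    return data


if __name__ == "__main__":
    print(scan(build_nested(b"ordinary document text", 2)))            # ok, 2 layers
    print(scan(build_nested(b"\x00" * (4 * 1024 * 1024), 1)))           # compression ratio
    print(scan(build_nested(b"x", 7)))                                  # too many layers
    print(scan(build_nested(random.Random(1).randbytes(3000), 1), max_total=1000))  # size budget
```

The ratio check alone already answers the signature-evasion point made earlier in the thread (ones instead of zeros, or a repeated 4-byte pattern): it looks at how much comes out relative to how much went in, not at what the bytes are. The layer cap stops the `zip\zip\zip…` case, and the overall budget bounds temp-file and memory use for archives whose members each stay under the ratio limit. A scanner that reports a limit as a scan failure, rather than as a clean result, is the behaviour the first post describes.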

I think the last few exchanges on this topic have missed a fairly important point – a decompression bomb is a menace all by itself, whether or not it also happens to contain a virus.

The only antivirus capable of lasting long (deep to high levels) or totally handling a compression bomb (tested on a 3GB memory machine with 4GB swap and 10+GB temp) was the Polish MKS antivirus …