Holy god, that interface! Looks like my 3-year-old drew it in Paintbrush! =)
There's two options I see for archive bombs. KAV-engine-based products somehow recognize them as “Mail Bombs” with signatures. A couple of other AVs simply allow you to restrict the level of archive scanning down to a set amount of layers.
Restricting number of levels would certainly be a big step in the right direction, of course.
But am I way off base in guessing that, depending on the particular kind of archiving used, it quite possibly would take very few levels to create unmanageably large files and disk usage?
There are many bombs, and you can even modify one very easily: the output file will not consist of zeroes but of ones → it would not be detected by a signature (or the output file will be 4 static repeated bytes, etc. etc. :P).
A couple of other AVs simply allow you to restrict the level of archive scanning down to a set amount of layers.
The bombs may be created in less than 6 layers, really.
We’ve already found a way to recognize these bombs, but it will not be easy to implement :'(.
I have a bzip2 bomb (one-byte content: 500 bytes, complex content: 50Kb) which unpacks to something around 100GB in 2 layers :P; but yes, we could check the decompressed size against the archive size across layers.
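One way to implement the per-layer size check suggested in the post above, combined with the layer limit mentioned earlier in the thread, as an added example that is not code from any poster or AV product. The policy constants (MAX_DEPTH, MAX_RATIO, MAX_OUTPUT) are assumed values, and format detection is by magic bytes only.

```python
import bz2
import zlib

# Policy limits; constructed values for this example, not any product's defaults.
MAX_DEPTH = 3                  # nested layers we are willing to unpack
MAX_RATIO = 100                # output bytes allowed per compressed input byte
MAX_OUTPUT = 64 * 1024 * 1024  # absolute ceiling on one layer's output


class BombSuspected(Exception):
    """Raised when a layer exceeds the depth, ratio or size policy."""


def _decompressor_for(data: bytes):
    """Pick a streaming decompressor by magic bytes; None if not compressed."""
    if data[:3] == b"BZh":
        return bz2.BZ2Decompressor()
    if data[:2] == b"\x1f\x8b":
        return zlib.decompressobj(wbits=31)          # gzip wrapper
    if len(data) >= 2 and data[0] & 0x0F == 8 and (data[0] * 256 + data[1]) % 31 == 0:
        return zlib.decompressobj()                  # raw zlib stream
    return None


def safe_inflate(data: bytes, depth: int = 0):
    """Unpack nested layers under a size/ratio/depth policy.

    Returns (payload, layers_unpacked). The ratio check runs per layer, so a
    two-layer bzip2 bomb is rejected on the layer whose expansion is out of
    proportion, without ever materializing the full output.
    """
    d = _decompressor_for(data)
    if d is None:
        return data, depth
    if depth >= MAX_DEPTH:
        raise BombSuspected(f"more than {MAX_DEPTH} nested layers")
    limit = min(MAX_OUTPUT, MAX_RATIO * len(data))
    # Ask the streaming API for at most limit+1 bytes; anything beyond the
    # limit means the layer is out of policy and we stop right here.
    out = d.decompress(data, max_length=limit + 1)
    if len(out) > limit:
        raise BombSuspected(
            f"layer {depth + 1}: {len(data)} compressed bytes expand past {limit}"
        )
    return safe_inflate(out, depth + 1)
```

Because the decompressors are driven with max_length, the bomb's output is never fully allocated; the check costs at most limit+1 bytes of memory per layer.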
I think the last few exchanges on this topic have missed a fairly important point – a decompression bomb is a menace all by itself, whether or not it also happens to contain a virus.
The only antivirus capable of lasting LONG (deep to high levels) or entirely surviving a compression bomb (tested on a machine with 3GB memory, 4GB swap and 10+GB temp) was the Polish MKS antivirus …