Avast bypass not getting fixed ?

Just read an article on security.nl about malware which could bypass Avast if inside a specially prepared compressed package.
Now Thierry Zoller states that Avast is not willing to fix this because it is a “very low priority issue”.
This is something I can’t believe. People buy your software to be safe, make them safe. A leak must be fixed, always!

There is no leak, and no security issue.

Mr. Zoller is probably trying to make himself visible, so he is presenting this as a vulnerability - but he didn’t “discover” (or should I rather say “invent”?) anything else than… surprise, surprise… an undetected file (and a pretty stupid one, from an attacker’s point of view).

There are thousands of undetected malicious files out there, antivirus companies are adding the detections every day - and there is nothing special about this one (except that it has quite a limited audience, because to activate it, the user has to have a particular tool installed [WinRAR, probably, the report didn’t say], has to manually unpack the archive, ignore the “Corrupted archive” warning, manually rename the corrupted filename to an executable extension, and manually start it - and before all that, he/she has to deactivate the local resident antivirus protection, if any, otherwise the file is detected immediately).

Should any similarly crafted archive start to spread in the wild, our virus lab will simply add the detection and avast! starts to detect the whole file (just as with any other malware file).

When the next avast! program update is released, the ZIP unpacker will be slightly modified so that it unpacks even this kind of corrupted archive. But it’s just to save some work for our virus lab (for the highly unlikely case that such an archive would indeed appear in the wild); from the user’s security point of view, it won’t really change anything.

Btw, yes, this was a ZIP archive that Mr. Zoller sent; I really don’t know why he is talking about RAR on the mentioned page; I guess he should sort out the basics first.

One more thing: if the “expected” e-mail address (@avast.com) doesn’t work, I find it rather strange to send the info to completely different domains instead (neither of the domains in the report belongs to us, they are some of avast! resellers).
Since Mr. Zoller has been in contact with us/me previously, I can’t believe he couldn’t find the corresponding e-mail addresses… so why send it to some 3rd party companies instead? Who knows…

Thanks for clearing this up. I already had read that it was not as simple as it looks.