I have seen lots of posts about avast finding trojans, etc. in Norton Ghost backups.
Can avast correctly read the backups? I think they are compressed and in a proprietary format (.v2i and .iv2i files).
If avast just reads the blocks in these files and looks for something of interest, isn’t avast essentially scanning garbage?
Indeed, these packers aren’t among the ones supported by avast. But I think avast scanners have a particular way to scan these files, as with any other proprietary format.
Generally, these backup files could be added to the exclusion lists.
I have Drive Image 7.1, which was bought out by Symantec and combined with Norton Ghost; it also uses the .v2i file format, and avast has no problem scanning that file. I haven’t had any false positive detections. But it doesn’t unpack it, so there might be an occasion where a highly compressed file type scanned in its raw state might throw up an anomaly and give a signature match.
Before I do my weekly Drive Image 7.1 image backup I run my avast scan, and that ensures I have a clean state, so my v2i image backup file should be clean. Because these files are very large and would take time to scan, I exclude the location/partition/drive folder where I store my last 5 image backups (F:\Drive-Images\*.v2i) from scans. The * is a wildcard for the multiple file names.
By specifying the file type *.v2i you are reducing the possible security hole you would create if you were to exclude the whole folder/drive in which you store them.
Those two replies are not totally clear to me, but it’s my opinion that the only thing it makes sense to scan is the data, not some compressed or otherwise modified version of the data. To me, compression is an (admittedly simple) form of encryption. Looking at the encrypted data is a useless action, and you can’t draw any conclusions about what the data actually is unless you know how to decrypt (i.e., decompress) it first.
So, why would anyone think there is validity to avast’s claim that a Ghost backup image contains a trojan or virus?
I assume that scanning, for example, ZIP files makes sense since avast could get to the unZIPped version of the data. Right?
It could be (most probably) a false positive.
But, look, avast should scan all files, regardless of whether they are encrypted or compressed, at least to check whether they are inert. If it does not do that, how could it be sure it’s a Ghost file? A lot of malware uses compression techniques to bypass antivirus.
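The two points argued in this thread, that a byte-pattern scan of a compressed image sees transformed data rather than the files inside it, and that a `*.v2i` exclusion leaves a smaller blind spot than excluding the whole backup folder, as an added Python example that is not any poster's code. The signature pattern, the file paths and the use of zlib as a stand-in for the proprietary .v2i container are constructed assumptions.

```python
import fnmatch
import zlib

# Constructed placeholder pattern standing in for a detection signature
# (not a real AV signature).
SIGNATURE = b"CONSTRUCTED-SIGNATURE-PATTERN-0001"

def scan_bytes(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Naive byte-pattern scan: does the signature occur in the data as given?"""
    return signature in data

def make_backup_image(payload: bytes) -> bytes:
    """Stand-in for a compressed backup container. zlib is used here because the
    real .v2i layout is proprietary; the point is only that compression
    transforms the bytes the scanner sees."""
    return zlib.compress(payload, 9)

def scan_image(image: bytes, unpack: bool) -> bool:
    """Scan the container as raw bytes, or decompress first and scan the content."""
    data = zlib.decompress(image) if unpack else image
    return scan_bytes(data)

def is_excluded(path: str, exclusions) -> bool:
    """Case-insensitive wildcard match, the way an AV exclusion list is applied."""
    p = path.lower()
    return any(fnmatch.fnmatchcase(p, pat.lower()) for pat in exclusions)

def demo() -> dict:
    # Constructed file content: the pattern sits between runs of filler so that
    # compression actually rewrites the surrounding bytes.
    content = b"A" * 4096 + SIGNATURE + b"B" * 4096
    image = make_backup_image(content)
    narrow = [r"F:\Drive-Images\*.v2i"]    # exclude only the image files
    broad = [r"F:\Drive-Images\*"]         # exclude everything in the folder
    stray = r"F:\Drive-Images\dropper.exe"  # constructed non-image file in that folder
    return {
        "raw_scan_hits": scan_image(image, unpack=False),      # False: hidden by compression
        "unpacked_scan_hits": scan_image(image, unpack=True),  # True: visible once decompressed
        "narrow_skips_image": is_excluded(r"F:\Drive-Images\Backup1.v2i", narrow),  # True
        "narrow_skips_stray": is_excluded(stray, narrow),      # False: stray file still scanned
        "broad_skips_stray": is_excluded(stray, broad),        # True: whole folder is a blind spot
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```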