Decompression bomb which is not

Hi,

I got a virus that Avast found and deleted (although only on full scan - the real-time scan failed to detect the virus, which is very disappointing).

Anyway, because real-time did not detect it - it got into the Windows backup file, and Avast also found it there. But Avast did NOT delete it from the backup file, saying the archive file is a decompression bomb. After getting tired of seeing the alert on every full scan, I opened the backup file in Explorer (it is just a .zip), and deleted this file from the archive - which Explorer did instantaneously, in less than a second.

So if Explorer can delete the file from the archive instantly, why is it hard for Avast to do the same?

Topic is from 2004

What is a decompression bomb http://forum.avast.com/index.php?topic=8943

I do understand what it is :)

But to answer my own question, why it was easy for Explorer to handle the bomb: it turned out it was not. Explorer did not actually delete the file, it just failed to report an error, and simulated removal of the file until I reopened the archive and checked again.

Because deletion is a simpler task than unpacking all the files in order to be able to scan them. It is just a notice rather than an indication that it is malicious, so deletion wasn’t necessary.

The name really is the most dangerous thing about this and I wish they would change it or simply not report it, a real PITA.

David, I think you are mixing up the different cases.

You are writing about the warning about a file identified as a decompression bomb, when it is just a warning notice. That would make sense if Avast was having a problem scanning the file (I do get some of them occasionally, but this is not about one of those cases).

But as I wrote, in this case Avast did scan the archive file, identified a REAL virus in it, but could not DELETE the file from the archive (which you write should be a simpler task than scanning). It is not just a notice in that case, it is a real virus that could not be deleted, presumably because the containing archive (NOT the file itself) is a “decompression bomb”. So it is the other way around - deleting turned out to be harder for Avast than scanning.