[Fixed] Non-english named files in zip archive cannot be deleted

Hello,

An infected Japanese-named file in zip archive cannot be moved-to-chest or deleted. Avast returns error code 18.

Attached archive has eicar file named “テスト.com” (Japanese Katakana). Password is “virus”.
Please change “.txt” into “.zip”.

Hello!

To my opinion, it’s always not a good idea to cut out an infected file from an archive (from any kind of archive). An possibly, the compression generates a code sequence which is recognized as viral…
If you can unzip that archive (to a new created folder), ignoring the alert, and then scan this folder - is there still a virus, and still in that file?
When unzipped, why not simply delete any infected file and zip the rest again (and discard that folder)? Or should it be better to discard the entire archive immediately? (…since we do not know anything about this archive.)

Eric March

Thanks for the reply.

Actually, this isuue is reported from one of my acquaintances, so I don’t have original archive… :-
But I confirmed this happens when I use eicar files, and I hear avast4 can do this thing, so I reported.

When unzipped, why not simply delete any infected file and zip the rest again (and discard that folder)? Or should it be better to discard the entire archive immediately? (…since we do not know anything about this archive.)
You are right, I would do so when it happens to me. :)

What did you use to create the ZIP? This sample is not very useful because it is in “one layer”, i.e. it cannot be tested without repacking.
(It would be better to pack the Eicar into a non-encrypted ZIP first, then this ZIP into another password-encrypted ZIP and attach that file here.)

Thanks.

Repacked.

test.txt (Encrypted ZIP) → test.zip (Non-encrypted ZIP) → テスト.com
Password is “virus”.

Thanks for your support.

Edit: Uploaded to mediafire.

There are always going to be problems when you change the file type as first the avast forum is going to save the attachment as a text file, which may be what Igor is on about (one layer, a flat text file). So when you download it, change the file type back to .zip and try to open/unpack it you get an error, see image.

So it may be best to place this on an on-line storage media, like mediafire as a .zip file so it can be downloaded as it was saved and then they should be able to test.

Mediafire.com - Upload to http://www.mediafire.com/ and post the sharing link.

I’m sorry, I didn’t notice that.

Uploaded here:
http://www.mediafire.com/?lyn5z2tjgn5

OK, that works I was able to download it and open it with 7zip. I was able to extract the internal zip file (using the virus password). I was then able to scan the inner text.zip using the right click ashQuick.exe scan, image 1 (shows alert).

I then clicked the Show results, which shows the non-English file name inside test.zip as infected, image 2 and the default selection of Move to chest.

I then clicked the Apply button and checked the avast chest, image 3 and that showed the complete test.zip file had been moved to the chest.

So for me it was able to deal with the detection and move to the chest of the whole archive, it didn’t try to extract the infected file within the test.zip archive. It may depend on what your settings are for the ashQuick scan settings (Scan Computer, Scan Now, Scan from Windows Explorer, Settings) are but I believe the default is Try to remove only the packed file from the archive; if it fails, do nothing. Or if you have the if it fails, remove the containing archive.

Interestingly enough I have the default setting, image 4, which should do nothing if it isn’t able to extract the file, but it obviously didn’t do that, but it went ahead and removed the archive file (test.zip).

The windows File System error 18 = There are no more files. So I’m not sure why you got that error.

Thanks for testing and sorry for late response.

I have same settings as yours, but in my case avast doesn’t move-to-chest whole archive nor eicar file, just returns error 18.
I don’t know why avast behavior is different… ???

I hate mysteries and inconsistencies like this, so hard to track down.

In your image 2 you had the option to Move to the Chest, my image 2 and finally did you Click the Apply button ?
If so was that where the error came from in your image 2 ?

If you didn’t but just closed that window using the Close button at the bottom of my image 2 (or X in top right corner), then no action will be taken ?

I clicked Apply button, then the window shows error 18 as my image2, with no special messages.
When I chose Delete or Repair (of course this doesn’t work), same error returned.

If you didn't but just closed that window using the Close button at the bottom of my image 2 (or X in top right corner), then no action will be taken ?
If I just close the window, no action taken.

I changed my settings to “Always remove the whole archive”, then whole archive is moved-to-chest successfully.
When I use other two options, then error 18 appears.

Sorry for unpleasant situations…

No problem.

I just wonder why mine works and your doesn’t and despite what my settings are it removed the whole archive to the chest and that really isn’t what I want. So there is some inconsistency there. I would rather that it threw up an error rather than moving the whole archive, at least it is alerting me and I could manually remove the infected file in an archive or personally choose to remove the whole archive.

I don’t know if avast has actually been set so that if there is actually only one file in the archive (as in this case) it just move the archive. In which case it would obviously act differently to my settings. So hopefully Igor may grace us with his presence once more ;D

I hope so too. I’ll wait for their response (maybe they’re on holidays ;D).

Of course, any ideas or suggestions will be appreciated.

Edit: I uploaded new test_set.
http://www.mediafire.com/?3j0mokygk1d

“test_set.zip” (Password: virus)

  • “eicar+eicar.zip” (Japanese filename eicar *2)
  • “eicar+text.zip” (Eicar and innocent text-file)
  • “eicar_only.zip” (Same as first “test.zip”)

Seems to happen only with Japanese locale (well, not only Japanese, but somehow related to the characters in the archive).
I think I found the problem… I’ll fix it somehow in following few days.

Any thoughts on why it sent the whole archive (though it only had that one file in it) to the chest, despite my settings saying do nothing if the file can’t be extracted ?

Is it as I suggested since there is only one file in the archive it doesn’t make sense to extract ?

Basically yes, in specific situations (specific archive types, …) it doesn’t really make sense to leave an “empty archive” behind. And while deleting the whole archive, why not send it to the Chest as whole, instead of the file itself - might be handy for subsequent restoration.

I’m glad to hear this issue will be fixed soon. :slight_smile:
Thank you!

This seems practical… but maybe there should be some description about this (in help center?).

Btw, I believe this should be fixed by now (for a few days already).

Confirmed :). Thank you very much!

And thanks to DavidR, for your assistance! :slight_smile: