Running the managed client (build 4.6.476 vps 614-0) here, and over the weekend about 8 zip files were flagged as containing a program that is infected with the Win32:Nsane virus and were moved to the virus chest. This morning I came in and right clicked on the files in the virus chest and extracted them to a test location. I then scanned one of the exes through the virustotal website and the only scanner that detected the virus was avast. Reading the other article about false positives on nsane, I rescanned the files in the virus chest and two are not infected (fixed false positives I assume). I have sent the rest off to avast for further inspection as virustotal thinks at least one other is not infected. Now comes the problem: I cannot restore the zip files back to the original location. When I right click I can click on delete, extract, scan, email, properties and refresh. Add and Restore are greyed out. Is restore now greyed out because I extracted the bad files for testing? Note that both the zip files that are now virus free and the ones still infected exhibit the same behaviour. How can I restore these zip files back, as I believe they are false positives?
The “restore” option is not available when the quarantined file comes from an archive (so I believe it wasn’t the whole ZIP files that were moved to Chest, but rather some files from within the ZIP archive). avast! isn’t able to pack the file back to the archive in this case, sorry.
Well we are both somewhat correct Igor. In this case the zip file contained only 1 file which avast believes is infected. Therefore it deletes the file from the zip folder and being that it is the only file in it either avast or windows deletes the zip archive. I thought it quarantined the whole zip file because the zip file was gone. I didn’t know at the time that the zip file only contained the one file, interesting.
OK, you are right. There’s a special “heuristics” implemented for removing the infected (=detected) files from archives. If there’s only one file in the archive (and some other conditions are satisfied), the whole archive is deleted after the single file is removed from there.
It is not needed to keep the empty archive on disk (nothing more than a header, having tens of bytes) because:
- it's pretty useless
- it even confuses users (e.g. if they receive an infected file inside of a ZIP archive by e-mail and avast! removes only the file from the ZIP file; there's hardly anything left in the e-mail, but the user can see the attachment (containing an empty ZIP) and thinks that the virus was left there).
Sure, this can be simply tricked by including another small (useless) file into the archive… but it’s probably better than nothing.
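The archive heuristic Igor describes, as an added Python sketch that is not avast's code: one detected member is copied out to a chest directory, the archive is rewritten without it, and an archive left with no members is deleted instead of surviving as a header-only file. The `quarantine_member` function, the chest path and the two sample archives (one single-member, one padded with a second file) are constructed for this example.

```python
import io
import os
import tempfile
import zipfile

def quarantine_member(archive_path, member, chest_dir):
    """Move one detected member into chest_dir and rewrite the archive without it.
    Returns (remaining_member_count, archive_deleted)."""
    os.makedirs(chest_dir, exist_ok=True)
    buf = io.BytesIO()
    with zipfile.ZipFile(archive_path) as zf:
        names = zf.namelist()
        if member not in names:
            raise KeyError(member)
        # Copy the detected entry out of the archive (the "chest" step).
        with open(os.path.join(chest_dir, os.path.basename(member)), "wb") as out:
            out.write(zf.read(member))
        remaining = [n for n in names if n != member]
        with zipfile.ZipFile(buf, "w") as nz:
            for n in remaining:
                nz.writestr(n, zf.read(n), compress_type=zf.getinfo(n).compress_type)
    if not remaining:
        # Heuristic from the thread: an archive left with no members is deleted
        # rather than kept as a confusing header-only file (22 bytes for a ZIP).
        os.remove(archive_path)
        return 0, True
    with open(archive_path, "wb") as f:
        f.write(buf.getvalue())
    return len(remaining), False

def demo():
    """Constructed archives: one with a single member, one padded with a second file."""
    with tempfile.TemporaryDirectory() as tmp:
        chest = os.path.join(tmp, "chest")
        single = os.path.join(tmp, "single.zip")
        padded = os.path.join(tmp, "padded.zip")
        with zipfile.ZipFile(single, "w") as zf:
            zf.writestr("tool.exe", b"constructed sample, not a real program")
        with zipfile.ZipFile(padded, "w") as zf:
            zf.writestr("tool.exe", b"constructed sample, not a real program")
            zf.writestr("readme.txt", b"harmless companion file")
        single_result = quarantine_member(single, "tool.exe", chest)
        padded_result = quarantine_member(padded, "tool.exe", chest)
        with zipfile.ZipFile(padded) as zf:
            padded_names = zf.namelist()
        return {"single": single_result, "single_exists": os.path.exists(single),
                "padded": padded_result, "padded_names": padded_names,
                "chest": sorted(os.listdir(chest))}
```

The padded case shows the limitation Igor mentions: a second harmless file keeps the archive on disk, so only the detected member ends up in the chest.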