WebShield file scanning problem when at a message board

After surfing at EmuTalk.net, which is a web site that’s trusted, the following messages are logged in the Avast event log:


http://img260.echo.cx/img260/5711/avasterrori0fl.th.png


http://img260.echo.cx/img260/2264/avasterrorii0zi.th.png

It’s also the same error code, which means a decompression bomb, according to one of you here. But, with me knowing that web site, I doubt that it’s a decompression bomb!!!

There’s no doubt this is a decompression bomb.

A decompression bomb can be a file thar is 100B compressed and 30KB uncompressed - this is also considered as a decompression bomb.
I admit that while technically correct, the file is not dangerous in any way and shouldn’t be probably tagged as a “bomb”.

Thanks Vlk

Vlk,

forgive me if I fail to understand your response on “decompression bombs”

I too get the same errors logged in my antivirus event log with the same error for perfectly innocent message forums that contain no reference to compressed files. I also get it for seemingly innocent websites that one day log the error and the next day do not … here is my most recent example.

What “compressed files” am I missing?

Some forum software (PHP-based) send contents in compressed format (namely, in the GZIP format). This is in accordance with the HTTP 1.1 standard.
WebShield is decompressing the data en route.

Some objects (such as uncompressed images with large areas of the same color) may look like a “decompression bomb” simply because their GZIP compression ratio is say 200:1.

Does that make sense?

I agree that avast probably shouldn’t warn in such cases but it’s not really simple to distinguish…

Thanks
Vlk

Sorry to persist.

While I confess not to understand the niceties of the php based GZIP format (nothing of which I see in the source of the web page faulted in my example) and I understand that you are saying that this probably should not be flagged … my point was more to one of inconsistency.

Why was it flagged as an error on 05/19 and why is not flagged today? I doubt very much that the source of this page changed between these dates.

…maybe because you now have version 4.6.665 that doesn’t log these any more…?

That sounds emminently more reasonable.

Thanks.

But actually I’m not 100% sure about this (about the fact that 4.6.665 doesn’t log them anymore).

In any case, they’re more like informational logs that warnings, really.
No need to worry :slight_smile:

I went back and typed in the (I wonder one one cannot copy from event log windows) urls for a couple of the message forums errors too and they displayed without any further event errors.

Although my antivirus event log goes back to 01/14/2005 the a47e errors were only logged in the window 04/24 to 05/19.

I thought a decompression bomb was a malicious archive that uses the HDD until there’s no more free space and thus designed to crash a PC when extracted.

How big is yours … is it as big as mine?

Let’s admit that software providers like Avast have to strike a balance and decide on some decompression level or are you suggesting that error warnings should be specific to every user?

That’s with 4.6.665!