Heuristic.AchiveBomb ...now what ...?
mypenry
March 4th, 2007, 04:16 AM
Hi, I am fairly new to computers, and have been running a-squared 2.5 beta Free for some
time now without any problems, but over the last two days, after using the deep scan facility,
the program keeps alerting me to the same infection.... It shows this.....
1. Heuristic.AchiveBomb in C:/ Program Files / EST / updfiles/upd64.ver
2. Heuristic.AchiveBomb in C:/ Program Files / EST / updfiles/upd341F.ver
3. and shown as unknown
I put the two infections in quarantine and decided to seek help.
As far as I can see and understand, the EST is the
NOD32 program I have also installed..?
And I think maybe every time NOD32 (Version 2.7) updates, the a-squared deep scan shows
a new update file from NOD32..? As an infection for some reason, or maybe,
as a newbie, I've got it all wrong...?
Update... today I ran a second new deep scan and the two infections were found again,
which I've yet again put in quarantine. I can't understand, if the first time the infections
were put in quarantine, how come today on this new second deep scan it's found the
same two infections once again...?
Could someone please advise what to do next...? Or comment on what
the deep scan findings mean..? I've done a search but it's a bit confusing for me....
Thanks......
lucas1985
March 4th, 2007, 04:25 AM
They are false positives. A2 is detecting NOD32's files.
Tarq57
March 4th, 2007, 04:39 AM
Hi mypenry,
I'm almost fairly new to computers, too, take that into account when reading this.
There are two basic types of malware detection, that I know of. One based on the name or other identifying feature of a malware file, measured against an updatable database (definitions); the other based on a rather magical analysis of a file's likely behaviour (heuristics). Nr. one's advantage is that it usually can nail the file, but the file has to have existed first for the definition to be worked out. So it's always a step behind. Nr. two's advantage is that it can often (if you're lucky) detect brand new malware without needing a comparison file. The drawback is a relatively high number of false positives. So if you're using a program like this (there are quite a lot, they tend to use a combo of detection means) you have to do further analysis of heuristically flagged files before condemning or OK-ing them. Getting to know files that are installed by different running programs makes this a bit less daunting, but there are tens of thousands. You start to get the hang of it a bit after a while. http://www.virustotal.com/en/indexf.html is a useful tool for identifying these, sometimes. (You upload the file, then wait while it is scanned by a "jury" of different scanners.) In your case, every time NOD updates, it creates new files, but (I think) with the same names as those quarantined.
divedog
March 5th, 2007, 12:14 AM
The file for NOD should be ESET, not EST. I would take a second look at that file, maybe upload it to Virus Total.
lodore
March 5th, 2007, 08:03 AM
a-squared has had false positives with Heuristic archive bomb in the past.
So you could upload it to Virus Total and then put it in quarantine for the time being.
lodore
mypenry
March 5th, 2007, 09:00 PM
Thanks guys for your replies....
In the main program files there's a folder called ESET; when I click the +
it opens the sub-folders, and when I look in... updfiles....
the two files that keep being shown by a-squared as being infections...
Heuristic.AchiveBomb in C:/ Program Files / EST / updfiles/upd64.ver
Heuristic.AchiveBomb in C:/ Program Files / EST / updfiles/upd341F.ver
are shown there, but it's only the a-squared scan that shows the EST part..?
I cannot understand why the a-squared scan shows the infections in EST, and not ESET....?
divedog, can you explain please about...... Virus Total.
Any further advice would be most gratefully received.....
Thanks.....
Tarq57
March 5th, 2007, 09:18 PM
I've not known a-squared, nor any other application, to mis-identify the file location. They just use the file path that's on your computer.
Have you looked through the Program Files folder, with file options set to show hidden files, for it? Somewhere in C:/Program Files there is a sub-folder titled EST.
When you go to the Virus Total site, near the top of the page is a tab to browse and upload a file. Browse to and find the file. Then click upload, and, if it's not too busy, it will be scanned by several different scanners, and the results displayed. It's not necessarily conclusive; some of these scanners may ID it as a FP. (a-squared will flag it, since it already has.) But if the majority, or even a third of them, identify it as malware, I'd look at taking further action.
Let us know the results.
ggf31416
March 6th, 2007, 11:34 AM
Archive Bombs or Decompression Bombs are archives with a compression ratio that is too high (for example 1:1000). They were used to perform DoS attacks (see Heavy Nesting, page 2 of Trouble Makers (http://www.av-test.org/down/papers/2002-01_vb_trouble.pdf)), but most detections are harmless archives.
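The two heuristics ggf31416 describes (an expansion ratio that is far too high, and heavy nesting), as an added Python example that is not part of this thread or of any scanner's code: it reads declared sizes from the zip central directory, descends into nested zips only within a bounded depth, and uses constructed sample archives to show why a harmless file made of repeated bytes trips the same ratio check as a bomb. The thresholds and the 16 MiB descend limit are assumptions, not any product's settings.

```python
import io
import zipfile

def inspect_zip(data: bytes, depth: int = 0, max_depth: int = 4,
                descend_limit: int = 16 * 1024 * 1024):
    """Return (declared_bytes, deepest_level) for a zip and the zips nested in it."""
    # Sizes come from the central directory, so nothing large is inflated here;
    # nested .zip members are opened only while small and within max_depth,
    # which bounds the scanner's own exposure to the archive it is judging.
    declared = 0          # bytes the archive claims it would expand to
    deepest = depth
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            declared += info.file_size
            if (info.filename.lower().endswith(".zip") and depth < max_depth
                    and info.file_size <= descend_limit):
                inner_declared, inner_deepest = inspect_zip(
                    zf.read(info), depth + 1, max_depth, descend_limit)
                declared += inner_declared
                deepest = max(deepest, inner_deepest)
    return declared, deepest

def classify(data: bytes, max_ratio: float = 1000.0, max_nesting: int = 2):
    """Archive-bomb heuristics: (ratio, deepest_level, reasons); empty reasons = clean."""
    declared, deepest = inspect_zip(data)
    ratio = declared / max(len(data), 1)   # declared output vs. bytes on disk
    reasons = []
    if ratio > max_ratio:
        reasons.append(f"expansion ratio {ratio:.0f}:1 exceeds {max_ratio:.0f}:1")
    if deepest > max_nesting:
        reasons.append(f"archives nested {deepest} levels deep (limit {max_nesting})")
    return ratio, deepest, reasons

def build_zip(members: dict) -> bytes:
    """Constructed sample archive: {name: payload} -> zip bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED, compresslevel=9) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()

# Constructed samples, not real files: a small text archive; one member of 8 MiB of
# zero bytes (what a padded update file looks like to a scanner); three-deep nesting.
BENIGN = build_zip({"readme.txt": b"update notes\n" * 50})
PADDED = build_zip({"big.bin": b"\0" * (8 * 1024 * 1024)})
NESTED = build_zip({"a.zip": build_zip({"b.zip": build_zip({"c.zip": build_zip({"x.txt": b"hi"})})})})

if __name__ == "__main__":
    for label, blob in ("benign", BENIGN), ("padded", PADDED), ("nested", NESTED):
        ratio, deep, reasons = classify(blob)
        print(f"{label}: ratio {ratio:.0f}:1, depth {deep}, {reasons or 'clean'}")
```

A single DEFLATE layer cannot exceed roughly 1032:1, so the padded sample lands right at the 1000:1 example threshold while containing nothing hostile; where that line is drawn is exactly what decides the false positives this thread is about.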