Can a compressed file infect a PC?

Discussion in 'other anti-virus software' started by mimuweb, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. mimuweb

    mimuweb Registered Member

    Joined:
    Sep 28, 2009
    Posts:
    70
    Hello guys. Last month, I've been testing some AV suites, like G-Data, F-Secure, Avira, Nod32, Avast..., downloading some crap keygens and cracks in compressed files (rar, zip...), obviously in a virtual environment. Some AVs didn't detect those infected files, or they detected the malware when I uncompressed them. My question is: can a compressed virus infect a PC if I don't extract the infected files?
    Curiously, I downloaded the eicar test (compressed) to a partition of my hard disk, with the antivirus deactivated. When I activated my antivirus, none of the tested solutions told me there was a virus in that rar file. Only when I tried to unrar this file did the antivirus block the attack.... but there was an exception: Comodo Internet Security. With the same procedure, when I activated CIS and browsed this partition, CIS automatically told me there was a virus in the eicar file :eek:. Same with a compressed file that had a crack infected by a trojan: CIS alerted me..., without my having to open or unzip the file. Seriously, I had never seen this behavior in another AV...

    Best regards

    Miguel Angel
     
  2. brunk

    brunk Registered Member

    Joined:
    Mar 10, 2011
    Posts:
    2
    This is usually because the other AVs don't have "scan archives" enabled by default, or they just don't have that option. Comodo will scan those by default with both a manual and scheduled scan. Avast has it disabled (I think) by default; you can turn it on easily, however.
     
  3. mimuweb

    mimuweb Registered Member

    Joined:
    Sep 28, 2009
    Posts:
    70
    Mmm, but I haven't scanned those infected files with CIS (no manual or scheduled scan), I've only opened "My computer", D: partition, and automatically CIS tells me there is a virus!...
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Compressed files cannot infect a PC without being extracted. That is, unless it has an executable format.
     
  5. Nevis

    Nevis Registered Member

    Joined:
    Aug 28, 2010
    Posts:
    786
    Location:
    255.255.255.255
    No, compressed files don't execute like an exe, so they don't infect the PC. Moreover, it's always recommended not to scan them, as they take a lot of time to scan (involves extraction etc.).

    Moreover, if it contains a virus then the AV would still detect it on execution or during extraction.

    Hope that clears your doubt.
     
  6. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Archives (ZIP, RAR, 7z etc.) cannot infect the computer by themselves when an EXE or any other malicious file is inside. They always have to be unpacked first, where real-time protection catches them.

    Packers (UPack, UPX, PeProtect, PECompact etc.) are a different kind of compressors. They usually extract and execute directly from memory. But then again, all half-decent antiviruses have unpacking engines for these buggers.
    Plus, the end user doesn't really have much control over these as they work very transparently and you can't really see if the file is packed or not unless you analyze its structure.

    SFX archives are kind of a blend of both types, except they still unpack to the HDD and you can simply open them with 7-zip or WinRAR using the right-click "Open archive" command. This way you can inspect the content before actually extracting the stuff. Often malware is packed in these and then another filetype icon is attached to it to give the impression of being something other than it actually is. Upon clicking, the content is unpacked and usually executed by the SFX archive. These are a bit more dangerous than archives without the extraction engine integrated, and if your AV doesn't catch it, it will run right away, whereas with a normal archive you can still decide if you really want to run it based on the looks of the file after extraction (name alone, icon, extension, whitespace, size, digital signature etc.).
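
The difference described in the post above between a plain archive and an SFX archive can be checked from the file's bytes, and the member list read, without extracting anything. This is an added example, not part of the original thread: `inspect_archive`, `build_sample` and the `RUNNABLE` list are hypothetical names, the samples are constructed in memory, and the `MZ` test is only a simple heuristic for an executable stub.

```python
import io
import os
import zipfile

# Extensions Windows runs directly on double-click (illustrative subset, an assumption).
RUNNABLE = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk"}


def inspect_archive(data: bytes) -> dict:
    """Classify a file by content and list ZIP members without writing them to disk."""
    report = {
        # A plain archive is inert data. An SFX file starts with an executable
        # stub ("MZ" on Windows), so opening it runs code instead of a viewer.
        "self_extracting": data[:2] == b"MZ",
        "members": [],
        "runnable_members": [],
    }
    try:
        # zipfile locates the central directory from the end of the file,
        # so it also reads archives that have a stub prepended.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                report["members"].append(info.filename)
                # Judge by the last extension: "invoice.pdf.exe" is an .exe.
                ext = os.path.splitext(info.filename)[1].lower()
                if ext in RUNNABLE:
                    report["runnable_members"].append(info.filename)
    except zipfile.BadZipFile:
        pass  # not a ZIP container: nothing to list
    return report


def build_sample(stub: bytes = b"") -> bytes:
    """Constructed sample: a ZIP of harmless text, optionally behind a fake stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless text")
        zf.writestr("invoice.pdf.exe", "placeholder bytes, not a real program")
    return stub + buf.getvalue()


if __name__ == "__main__":
    fake_stub = b"MZ" + b"\x00" * 62  # constructed header bytes, not a working PE
    for label, blob in (("plain", build_sample()), ("sfx", build_sample(fake_stub))):
        print(label, inspect_archive(blob))
```

Members are only enumerated here, never written out or run, which is the same inspection the "Open archive" command gives before extraction.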
     
  7. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    think he meant self extracting executables
     
  8. mimuweb

    mimuweb Registered Member

    Joined:
    Sep 28, 2009
    Posts:
    70
    Thanks for your replies. This forum is amazing!

    Best regards

    Miguel Angel
     
  9. jasonbourne

    jasonbourne Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    247
    Very nice explanation there RejZoR.

    My Avira Premium / Avast IS detects them even in the process of downloading zip/rar files that are infected, stops the download and prompts for a decision. But you have to set them to scan archives.
     