Heuristic.AchiveBomb ...now what ...?

Discussion in 'other anti-malware software' started by mypenry, Mar 4, 2007.

Thread Status:
Not open for further replies.
  1. mypenry

    mypenry Registered Member

    Joined:
    May 2, 2006
    Posts:
    85
    Location:
    Central Thailand
    Hi, I am fairly new to computers, and have been running a-squared 2.5 beta Free for some
    time now without any problems, but over the last two days, after using the deep scan facility,
    the program keeps alerting me to the same infection. It shows this:

    1. Heuristic.AchiveBomb in C:/ Program Files / EST / updfiles/upd64.ver
    2. Heuristic.AchiveBomb in C:/ Program Files / EST / updfiles/upd341F.ver
    3. and shown as unknown
    and I put the two infections in Quarantine and decided to seek help.

    As far as I can see and understand, the EST is the
    NOD32 program I have also installed?

    And I think maybe every time NOD32 (Version 2.7) updates, the a-squared deep scan shows
    a new update file from NOD32 as an infection for some reason, or maybe,
    as a newbie, I've got it all wrong?

    Update: today I ran a second new deep scan and the two infections were found again,
    which I've yet again put in quarantine. I can't understand how, if the first time the infections
    were put in quarantine, today on this new second deep scan it found the
    same two infections once again?

    Could someone please advise what to do next? Or can someone comment on what
    the deep scan findings mean? I've done a search but it's a bit confusing for me.

    Thanks.
     
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    They are false positives. A2 is detecting NOD32's files.
     
  3. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Hi mypenry,
    I'm almost fairly new to computers, too; take that into account when reading this.

    There are two basic types of malware detection that I know of. One is based on the name or other identifying feature of a malware file, measured against an updatable database (definitions); the other is based on a rather magical analysis of a file's likely behaviour (heuristics).

    Nr. one's advantage is that it usually can nail the file, but the file has to have existed first for the definition to be worked out. So it's always a step behind. Nr. two's advantage is that it can often (if you're lucky) detect brand new malware without needing a comparison file. The drawback is a relatively high number of false positives.

    So if you're using a program like this (there are quite a lot; they tend to use a combo of detection means), you have to do further analysis of heuristically flagged files before condemning or OK-ing them. Getting to know the files that are installed by different running programs makes this a bit less daunting, but there are tens of thousands. You start to get the hang of it a bit after a while.

    http://www.virustotal.com/en/indexf.html is a useful tool for identifying these, sometimes. (You upload the file, then wait while it is scanned by a "jury" of different scanners.)

    In your case, every time NOD updates, it creates new files, but (I think) with the same names as those quarantined.
     
  4. divedog

    divedog Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    265
    Location:
    Seabeck WA
    The file for NOD should be ESET, not EST. I would take a second look at that file, maybe upload it to VirusTotal.
     
  5. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    a-squared has had false positives with Heuristic.ArchiveBomb in the past,
    so you could upload it to VirusTotal and then put it in quarantine for the time being.
    lodore
     
  6. mypenry

    mypenry Registered Member

    Joined:
    May 2, 2006
    Posts:
    85
    Location:
    Central Thailand
    Thanks, guys, for your replies.

    In the main Program Files there's a folder called ESET; when I click the +
    it opens the sub-folders. When I look in updfiles,
    the two files that keep being shown by a-squared as being infections,

    Heuristic.AchiveBomb in C:/ Program Files / EST / updfiles/upd64.ver

    Heuristic.AchiveBomb in C:/ Program Files / EST / updfiles/upd341F.ver

    are shown there, but it's only the a-squared scan that shows the EST part?

    I cannot understand why the a-squared scan shows the infections in EST, and not ESET?

    divedog, can you explain please about VirusTotal?

    Any further advice would be most gratefully received.

    Thanks.
     
  7. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    I've not known a-squared, nor any other application, to mis-identify the file location. They just use the file path that's on your computer.
    Have you looked through the Program Files folder, with file options set to show hidden files, for it? Somewhere in C:/Program Files there is a sub-folder titled EST.
    When you go to the VirusTotal site, near the top of the page is a tab to browse and upload a file. Browse to and find the file. Then click upload, and, if it's not too busy, it will be scanned by several different scanners and the results displayed. It's not necessarily conclusive; some of these scanners may ID it as an FP. (a-squared will flag it, since it already has.) But if the majority, or even a third of them, identify it as malware, I'd look at taking further action.
    Let us know the results.
     
  8. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Archive bombs or decompression bombs are archives with a compression ratio that is too high (for example 1:1000). They were used to perform DoS attacks (see Heavy Nesting, page 2 of Trouble Makers), but most detections are harmless archives.
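To make the two properties ggf31416 describes concrete (an extreme compression ratio, and "heavy nesting" of archives inside archives), here is an added example that is not part of the thread and not a-squared's detection logic. It builds a small test archive in memory (a run of zero bytes wrapped in one or more zip layers, constructed for the demo) and then checks it the way a cautious scanner would: reading the declared sizes from the zip central directory rather than extracting anything to disk, flagging members whose expanded/compressed ratio or total declared size is implausible, and refusing to descend past a nesting depth limit. The thresholds (100:1, 50 MiB, depth 3) are illustrative assumptions, not values from any product.

```python
"""Added example, not from the forum thread: flag archive bombs before extraction."""
import io
import zipfile

# Illustrative thresholds (assumptions for this demo, not any product's settings).
MAX_RATIO = 100                 # expanded/compressed ratio above which a member is suspect
MAX_TOTAL = 50 * 1024 * 1024    # declared expanded size above which an archive is suspect
MAX_DEPTH = 3                   # refuse to open archives nested deeper than this
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def build_sample_archive(depth: int, payload: bytes) -> bytes:
    """Construct a test zip in memory: `payload` wrapped in `depth` nested zip
    layers. A long run of zero bytes as payload gives a classic bomb-like ratio."""
    data, name = payload, "payload.bin"
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{level}.zip"
    return data


def scan_archive(blob: bytes, depth: int = 1) -> list:
    """Return a list of findings (empty means nothing suspicious).

    Only the central directory's declared sizes are consulted, so no member is
    inflated until its declared size has already passed the checks. A nested
    archive is recognised by its magic bytes (a bounded 4-byte read), not by
    its filename, and is only opened while the depth limit allows."""
    findings = []
    if depth > MAX_DEPTH:
        return [f"nesting depth {depth} exceeds {MAX_DEPTH}"]
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        total = 0
        for info in zf.infolist():
            total += info.file_size
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                findings.append(
                    f"{info.filename}: ratio {info.file_size // info.compress_size}:1 "
                    f"exceeds {MAX_RATIO}:1"
                )
            if total > MAX_TOTAL:
                findings.append(f"declared expanded size exceeds {MAX_TOTAL} bytes")
                return findings
        # Descend into nested archives, but only those whose declared size is sane.
        for info in zf.infolist():
            if info.file_size > MAX_TOTAL:
                continue
            with zf.open(info) as fh:
                magic = fh.read(len(ZIP_LOCAL_HEADER))
            if magic == ZIP_LOCAL_HEADER:
                findings.extend(scan_archive(zf.read(info), depth + 1))
    return findings


if __name__ == "__main__":
    bomb = build_sample_archive(2, b"\x00" * (1 << 20))   # 1 MiB of zeros, two layers
    for line in scan_archive(bomb):
        print("SUSPECT:", line)
    benign = build_sample_archive(1, bytes(range(256)) * 4)
    print("benign findings:", scan_archive(benign))
```

The same idea applies to the false-positive side of the thread: an update file that happens to compress extremely well will trip a ratio-only heuristic, which is why a ratio hit on its own is a prompt to look further (declared sizes, nesting, what the container actually is), not a verdict.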
     