
NIS 2009 needs to be a little less aggressive with compressed files - it can corrupt compressed files

I noticed this in NIS 2008, but it's still doing it in NIS 2009.  I thought maybe having the "Remove infected Files Automatically" option under "Compressed Files Scan" turned off would help, but it doesn't do anything.

Basically the problem is when NIS 2009 thinks it finds a virus inside a compressed file.  It blows away the virus, which can corrupt the compressed file, making the rest of the files in that compressed file unreadable.

For example:

I have a zip file of email messages downloaded from Yahoo (in .eml format).  Inside one of those eml files is a base64 encoded zip file.  Inside that zip file is a program that can decrypt passwords in Firefox, called Firepassword.  Even though this program works the same way Firefox does to decrypt passwords and can only decrypt passwords if the master password is specified, NIS flags that program as Hacktool.PassReminder, which is deemed a critical exploit.  This is wrong since the Hacktool.PassReminder category is supposed to be for programs that recover the Windows or system password, but that's not really the point of this post.

So in case you lost track, we have a program, within a zip file, within a b64 encoded file, within a zip file.  NIS 2009 removes the program from the innermost zip file.  Now trying to open the main zip file results in an error message that the zip file is corrupt.  So NIS corrupted a very large zip file to remove a program that wasn't doing any harm.  Basically it's the equivalent of corrupting your hard drive because a zip file in one of the folders might have something bad in it.

Fortunately I had a backup of the file and I then excluded firepassword.exe from scans, but if I forget to do so again if I reinstall and lose the backup file, NIS will go ahead and corrupt the archive file again.

BTW it also corrupted an email file with the same b64 encoded zip file that was stored elsewhere on the drive.

Replies


Re: NIS 2009 needs to be a little less aggressive with compressed files - it can corrupt compressed files

It's only Norton doing its job. All you had to do was disable Norton temporarily.
Real Time Protection = NIS 2009 + NAT
Behavior Analysis = Threatfire
On Demand = MBAM

Re: NIS 2009 needs to be a little less aggressive with compressed files - it can corrupt compressed files

I'm sorry, but that's really a stupid response.  That's like giving someone a vaccine that ends up crippling them while protecting them from disease and saying the vaccine is only doing its job.

Norton's job is to remove viruses and malware (the file it removed was neither) without damaging "good" files.  In this case the zip file contained thousands of "good" files and one file that Norton deemed "extremely bad" (again it wasn't that bad), so in the process of removing the bad file, it screwed up the good ones.

As for disabling Norton temporarily, I was doing a full system scan.  Something I won't be doing again any time soon, at least not without turning off scanning of compressed files.


Re: NIS 2009 needs to be a little less aggressive with compressed files - it can corrupt compressed files

What happens if you turn off "Remove infected files automatically"?  Do you get any kind of option when an infected file is encountered in a zipped package?

It would be nice if NIS had a supervisory component that allowed it to work with the user in "unwrapping" a compressed file (you put in passwords as they are required -- it tests for infections).

Speaking of passwords, if a zipped file is password protected, it would be impossible for it to be checked for viruses and might in fact produce false positives simply because of a random alignment of bytes.  On the other hand, if a file is not password protected, it should be possible to rename it and then extract uncontaminated data into a file with the original name but without the contaminated part.  Of course, if a zipped file contains a zipped file which contains a zipped file which ..., that is extremely suspicious behavior and should be treated as a collaboration with the user.  Multiply zipped folders with a depth greater than 3 levels would only be of value if they were used for extensive encryption purposes with passwords needed for each level.  Such files would be impossible to meaningfully scan.  The only kind that Norton would be able to recognize would be layered zip files without password keys and what would be the point of such files?

mijN360 2013, v.20.1.0.24; Win7 Pro, SP1 (32 bit), IE 9, Firefox 14, No other active securityware
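
The rebuild approach suggested in the reply above (write the uncontaminated data to a new archive instead of cutting the flagged member out in place), applied to the nesting from the opening post: zip, .eml, base64 zip. This is an added example, not part of the thread and not Norton's code; `FLAGGED`, `flagged_tool.exe`, the helper names and the sample archive are constructed assumptions.

```python
import io, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

FLAGGED, MAX_DEPTH = {"flagged_tool.exe"}, 4   # hypothetical detection name; nesting limit
ZIP_MIME = dict(maintype="application", subtype="zip")

def clean_zip(data, depth=0):
    """Rebuild a zip without flagged members; returns (bytes, removed_paths)."""
    out, removed = io.BytesIO(), []
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename.rsplit("/", 1)[-1] in FLAGGED:
                removed.append(info.filename)   # left out of the rebuild, not cut in place
                continue
            body, sub = src.read(info), []
            if depth < MAX_DEPTH and info.filename.lower().endswith(".eml"):
                body, sub = clean_eml(body, depth + 1)
            elif depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(body)):
                body, sub = clean_zip(body, depth + 1)
            removed += [f"{info.filename}!{p}" for p in sub]
            dst.writestr(info, body)            # fresh CRC, sizes and directory entry
    return (out.getvalue() if removed else data), removed

def clean_eml(raw, depth):
    """Clean zip attachments of an e-mail message; changed ones are re-encoded as base64."""
    msg, removed = message_from_bytes(raw, policy=policy.default), []
    for part in msg.walk():
        payload = part.get_payload(decode=True)  # None for multipart containers
        if payload and zipfile.is_zipfile(io.BytesIO(payload)):
            cleaned, sub = clean_zip(payload, depth + 1)
            if sub:
                removed += [f"{part.get_filename()}!{p}" for p in sub]
                part.set_content(cleaned, filename=part.get_filename(), **ZIP_MIME)
    return (msg.as_bytes() if removed else raw), removed

def mkzip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()

def build_sample():
    """Constructed input: outer zip > mail/0001.eml > base64 tools.zip > flagged_tool.exe."""
    msg = EmailMessage()
    msg.set_content("see attachment")
    inner = mkzip({"flagged_tool.exe": b"placeholder", "readme.txt": b"hi"})
    msg.add_attachment(inner, filename="tools.zip", **ZIP_MIME)
    return mkzip({"mail/0001.eml": msg.as_bytes(), "notes.txt": b"keep me"})
```

Calling `clean_zip(build_sample())` returns the rebuilt outer archive plus the path of each removed member; an archive with nothing flagged comes back byte-for-byte unchanged.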

Re: NIS 2009 needs to be a little less aggressive with compressed files - it can corrupt compressed files

If you know it's trusted and you want to view the compressed file then disable Norton. As a matter of fact, when installing certain programs such as games they tell you to shut off your AV.
Real Time Protection = NIS 2009 + NAT
Behavior Analysis = Threatfire
On Demand = MBAM

Re: NIS 2009 needs to be a little less aggressive with compressed files - it can corrupt compressed files


Dieselman743 wrote:
If you know it's trusted and you want to view the compressed file then disable Norton. As a matter of fact, when installing certain programs such as games they tell you to shut off your AV.

Most things tell you that, almost everything, but I don't think the company behind the software telling you so is because your security software might produce FPs - I'm rather pretty sure they don't for that reason, because having your security software do that is not even acceptable. It's because a lot of software might have a significant negative impact on the installation process when it comes to speed.

Message Edited by RavenMacDaddy on 09-21-2008 10:51 PM

Re: NIS 2009 needs to be a little less aggressive with compressed files - it can corrupt compressed files

Morac, thanks for reporting the issue. I've asked somebody to investigate the scenario that you've described.
Reese Anschultz
Senior Software Quality Assurance Manager, Symantec Corporation

Re: NIS 2009 needs to be a little less aggressive with compressed files - it can corrupt compressed files

Morac,  Thank you for the information you have provided regarding this issue.  I am currently working on this but need some additional insight from you and have sent you a PM in this regard. 

Thank you,

Message Edited by Brock_Banks on 09-24-2008 12:19 PM
