Scan inside archives.....do we really need that?

[Guest]

[Maniak2000]

I mean it can take a long time (granted CIS AV skips files larger then 40 mb by default but still....), most (if not all) AVs  can't delete infected file from within archive (usually entire archive is deleted) and even if there is an infected file within archive it will most likely be detected on extraction (you can't really execute a file within archive without extracting it somewhere first be it specific or temp folder).  Even installers are more or less (more complicated) archives and they "extract" files during install.  So I think this option is obsolete, what do you think?

[panic]

I agree with you. An infected file inside an archive is inert - it is just occupying space. Similarly an infected sitting on your hard disk is just taking up space. They are only an issue when they are executed.

I've had the archive scanning turned off for years.

Ewen :-)

[cheater87]

I would rather have the AV quarantine or disinfect the infected file rather then just leave it in there.

[Siketa]

I would rather have the AV quarantine or disinfect the infected file rather then just leave it in there.

It is as dangerous as your zipped keygen.  

[Maniak2000]

I would rather have the AV quarantine or disinfect the infected file rather then just leave it in there.

Well yes, but in this case you loose entire archive instead of just the infected file.

[SivaSuresh]

I agree with you. An infected file inside an archive is inert - it is just occupying space. Similarly an infected sitting on your hard disk is just taking up space. They are only an issue when they are executed.

I've had the archive scanning turned off for years.

Ewen :-)

I too do the same, but found lately that Turning off "Archive Scan" also disables scanning Self extracted/executable archives, which in my opinion is an issue. I already posted a special topic on this.
https://forums.comodo.com/wishlist-cis/separate-archive-scan-and-sfxruntime-packers-scans-t79672.0.html;msg571018#msg571018

Besides that, I totally agree with you and I always keep "Archive Scan" disabled on my Computer.

[Cassette]

Would writing exclusions for archive file type extensions be a workaround for that problem, SivaSuresh? As in put *.rar in the exclusions?

[panic]

Would writing exclusions for archive file type extensions be a workaround for that problem, SivaSuresh? As in put *.rar in the exclusions?

A self extracting archive has a file suffix of .EXE, not .RAR

Ewen :-)

[John Buchanan]

I believe the idea is to scan the self extracting files but not the archived compressed files.
If it works this would be a good work around.

[SivaSuresh]

Would writing exclusions for archive file type extensions be a workaround for that problem, SivaSuresh? As in put *.rar in the exclusions?

I tried sometimes and it works. But, you have to manually add many kinds of archive extensions to the exclusion list. It's tidious but works.

But, as I already mentioned, I am tired of doing all these workarounds. I am just disabling the whole archive scans at the expense of some loss of security.

The only cases when we face a security breach is where we scan some folders, feel them as secure and for some reason switch off CAV and D+ to run them. It happened to me twice with two installers, since I got too many D+ alerts and slow performance if I ran them with CIS on. Only in such cases, it causes an infection. Otherwise, the CAV realtime agent would catch the malware inside an SFX archive when it executes and extracts itself in memory.

Hope this clarifies the issue to you.

I am still waiting for a proper solution from the DEVs.

[Tags:]