CAV Manual & Context Menu Scan

If the CAV manual & context menu scan detects malware in an archive, it quarantines the whole archive instead of the detected file.

I think it should only quarantine the detected file, right?

Thanx
Naren

It was a while ago, but I had a similar issue.

Wanted to submit a file as a false positive (it was an archive file of Sony OneCare software). CIS quarantined the whole archive, even though the AV indicated the infected file was within the archive. Therefore, the archive with the infected file was too big to send to Comodo or scan online (>20 MB).

Forticlient Endpoint Security Free was able to isolate the file so I could submit it to Comodo and scan it with VirusTotal to verify that it was a false positive.

Moving to Wishlist - CIS.

Hi Naren,

There are several issues with your request:

1) You should never set auto-quarantine/auto-delete with any AV in the first place.
Do you have an option like just Notify/Alert?
If so – problem solved. Decompress the archive and submit the suspected file… or if you are sure that it’s malware - just delete the file & make another archive without it. The latter could be dubious because in some cases that will break the whole essence of the archive if that’s, say, some installation/ISO/etc.
It may work if that’s a “set of random files” being compressed.

2) That is a common practice, as far as I know, to quarantine the whole archive.
Thing is, in many (if not most) cases decompressing during the scan is performed in memory & then the software just keeps an internal flag for that in order to show what happened.
… but even if in some implementations there is physical decompressing of files into a “Temp” disk area,
what do you mean by quarantining just that file?
And then what (see #1)? Your AV should handle compressing all other files back without the suspect?
And further … after you submit the file, find that it’s an FP and decide to restore, your AV should remember that it was part of some archive and fire up an ADD procedure for that particular archive?
Can you imagine the load of (unneeded!) work that you would ask from your AV in order to achieve that?
Well, if it is an integrated Shell Extension Scan of one file … 8) I still do not believe it is necessary or that it makes sense,
but in case of manual/full/custom scan(s) where there could be hundreds of archives… (No comments :) )

So the only right thing to do, as I always see it, is to disable auto-quarantine/auto-delete….
In addition, one day that will save your whole system from being damaged beyond repair.

Cheers!

I mentioned this here to know if it is the right thing to quarantine the whole archive or if only the detected threat should be quarantined.

I just thought about how an archive is handled by CAV. So I created an archive with a few software setups below 40 MB & added one harmless malware sample to that archive & tried realtime, right-click & custom scans.

Realtime scan quarantined only the detected file. Right-click & custom scans quarantined the whole archive.

So I mentioned here to know your opinion if this action is right or should be changed.

Thanxx
Naren

The action of quarantining the entire archive in a complete scan is correct. Not everyone even uses on-access due to issues with impeding or crashing other software if it is enabled. If I remember correctly, some malware has been known to spread from a memory load only, and opening an archive for extraction does load the archive contents into memory.
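As an added example that is not part of any post in this thread and not CAV's own code, the member-level handling debated above, in Python: members are hashed in memory without extracting to a temp directory, a flagged member is split out of a rebuilt archive so it can be submitted on its own, and a restore step puts it back after a false-positive verdict. The archive contents and the "known-bad" digest are constructed for this example.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for a signature hit: the digest of the constructed member below, not a real IoC.
SUSPECT_CONTENT = b"constructed placeholder standing in for a detected sample\n"
KNOWN_BAD = {hashlib.sha256(SUSPECT_CONTENT).hexdigest()}


def build_sample_archive() -> bytes:
    """Constructed archive: two clean 'setups' plus one member that will be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("setup_a.exe", b"clean installer A")
        zf.writestr("setup_b.exe", b"clean installer B")
        zf.writestr("samples/suspect.bin", SUSPECT_CONTENT)
    return buf.getvalue()


def member_names(archive: bytes) -> list[str]:
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [i.filename for i in zf.infolist() if not i.is_dir()]


def scan_members(archive: bytes) -> list[str]:
    """Hash every member in memory (no temp-file extraction); return names matching the known-bad set."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [i.filename for i in zf.infolist()
                if not i.is_dir() and hashlib.sha256(zf.read(i)).hexdigest() in KNOWN_BAD]


def isolate_members(archive: bytes, flagged: list[str]) -> tuple[bytes, dict[str, bytes]]:
    """Member-level quarantine: rebuild the archive without the flagged members and
    return them separately, keyed by their original path so they can be restored."""
    isolated: dict[str, bytes] = {}
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(archive)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info)
            if info.filename in flagged:
                isolated[info.filename] = data
            else:
                dst.writestr(info, data)  # keeps the original member metadata
    return out.getvalue(), isolated


def restore_members(cleaned: bytes, isolated: dict[str, bytes]) -> bytes:
    """Undo the isolation after a false-positive verdict by appending the members back."""
    buf = io.BytesIO(cleaned)
    with zipfile.ZipFile(buf, "a", zipfile.ZIP_DEFLATED) as zf:
        for name, data in isolated.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

The isolated member is what would go to a vendor or VirusTotal instead of the whole archive; the dict returned alongside the cleaned archive is the bookkeeping the second reply says an AV would need for restore.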