Uses almost all the virtual memory while scanning a big RAR file

First, sorry for my poor English.

I have a folder that contains a lot of compressed files.
Some of them are very big (I downloaded them from eMule).
When I scan these compressed files, CavSn.exe uses almost all my memory.

[attachment deleted by admin]

One of these files is very big.
This RAR file is 1.01 GB (1,092,453,499 bytes), it contains 2896 JPG files, and the compression rate is 100%.

My physical memory is 768 MB, virtual memory is 800 MB, OS is Microsoft Windows XP Professional Edition, Service Pack 2 (05.01.2600.00).
CAVS version is 2.0.17.58.

[attachment deleted by admin]

So I think maybe there is a bug when scanning a RAR file?


Sorry for my poor English again.

…and that raises the question: can a .jpeg file contain executable code?
(A real .jpeg, NOT the .jpeg.exe trap for people who don't know what a file extension is
or how to enable viewing of them.)

Anyway, even if there should be a virus hidden in the archive it can't do anything until
you execute the infected file (you don't execute a .jpeg, you view it). But to scan inside a RAR/ZIP archive any anti-virus must first unpack it to a temp location, scan the unpacked files, then clean up all the temp files. It can take a while, and you can't unpack a 1 GB archive to memory if you "only" have 768 MB RAM. Personally I exclude archives that don't contain executable files from scanning, but then I only download things from trustworthy and known sources, so this might not be
advisable for everybody…

By the way: do you know the program ComicsViewer? ComicsViewer - The Portable Freeware Collection
It can display images (many formats like JPEG, PNG etc., not just for comics) inside archives, slideshow etc., without you having to extract the archive first!

Thanks gordon.


That file is a comic file, and I use MangaMeeya or ComicsViewer to read the comic books.
I know some bad JPEG files contain viruses, but I don't think this big comic file contains any executable code.

I scanned this file using AntiVir. It seems that AntiVir uses only 44,856 KB physical memory and 41,412 KB virtual memory.
And I don't think antivirus software needs to extract archives to memory before scanning them.
But when I use CAVS to scan this file, it uses 35,884 KB physical memory and 1,048,728 KB virtual memory. ???

[attachment deleted by admin]

Product Information
======= ===========
Build Version : 2.0.17.58
DataBase Version : 2.0.0.401
AllowDB Version : 2.0.16.52
Program Updates Version : 2.0.17.58

Program Files Information
======= ===== ===========
CMain.exe : 2.0.12.42
CavApp.exe : 2.0.11.39
CavSn.exe : 2.0.11.41
CavAud.exe : 2.0.9.26
CavMud.exe : 2.0.9.26
Cavasm.exe : 2.0.1.8
CavEmSrv.exe : 2.0.11.40
CAVSubmit.exe : 2.0.11.49
cavengine.dll : 2.0.0.5

Operating System Information
========= ====== ===========
Operating System : Windows XP
Operating System Version : 05.01.2600
Service Pack : Service Pack 2
Internet Explorer Version : 7.0.5730.11

I'm not sure if a JPEG can contain actual executable code, but anyway…
Attached below are some screenshots of a ClamAV scan of a 600 MB+ 7z archive
(7zip uses LZMA, ridiculously good compression, often more than 50% on non-compressed files).

Processor : Intel Core 2 Duo E6600
Physical Memory : 1024 MB (2 x 512 DDR2-SDRAM)

As you can see the scan took over 3 minutes and the computer was paging like mad…
…it nearly killed what Firefox was caching…

This is because AV scanners DO need to unpack archives before scanning them.
a: to the filesystem an archive is for all purposes a single file.
b: since the content is compressed, the files inside an archive do not look the same
as when decompressed (they are not bit-identical).
c: AV programs mostly rely on 'signatures' to identify viruses. 'Signatures' are made
by finding some sequence in the virus code that is unique to this particular virus and then
using that as a kind of 'fingerprint' to spot the evil file no matter what it pretends to be.

This requires that the scanner engine scans the actual file, not the compressed version, as
this won't be bit-identical, thereby obfuscating the 'fingerprint'. This is exactly why many
viruses and trojans are multi-compressed and often encrypted/passworded, preventing
AV software from scanning inside the archive (or exe file).
A good AV should always flag files that it can't decompress and state the reason,
and you should always scan executable files from an archive before you run them…

You can test how your AV treats archives that it can't scan inside by downloading
any of the EICAR test files: http://www.eicar.org/anti_virus_test_file.htm
and then archiving them with 7zip using encryption (also of filenames) and a password,
then scanning it with your AV. No matter what your AV tells you, there is no way that it scanned the actual contents of the archive.

Edit: or you can just see the results here:
EICAR2.zip test file:
http://www.virustotal.com/analisis/71d36693c60dd1f586a0bb5c1c138137

7zip encrypted archive of EICAR2.zip :
http://www.virustotal.com/analisis/7a574aa00c61b7aa4209b187c671de7b

Quite alarming if you ask me!

[attachment deleted by admin]

Thank you for your reply.

"I don't think antivirus software needs to extract archives to memory before scanning them."
This sentence seems wrong. My mistake.

My view is that antivirus software does extract archives to memory before scanning them, but I don't think antivirus software needs to extract the whole archive to memory.
I think antivirus software may have some way to see the files in the archives, just like ComicsViewer can display images inside archives without extracting them.

My puzzle is: when I scan that big archive file (I am sure it is clean), AntiVir uses no more than 100 MB memory, but CAVS uses more than 1000 MB, and my hard disk spins very, very busily (because of the virtual memory use).

I don't think this is normal. Maybe something is wrong.
I will do some more tests later.

Yes, it is possible to extract and scan the files sequentially,
but it still requires that the archive be opened… What about scan speed, do
the two programs take the same time to scan the archive?

I have done my test!

First, I set my virtual memory from 800 MB up to 1300 MB.

Then I used CAVS to scan that big archive file again.

It takes 1,086,716 KB virtual memory, and 17 minutes.

AntiVir uses less than 100 MB memory (both physical and virtual memory), and just 2 minutes.

[attachment deleted by admin]

What does this sentence mean? Sorry, my English is poor…


gordon, if you have WinRAR, you can compress some files for a test.

I compressed some clean files using ZIP format and RAR format, and for each format I used different compression rates.

Then I used CAVS to scan them. Every time I scanned just one test file.

The ZIP files are all normal, but the RAR files are not very good.

For example, there are 17 clean files.
After I scan the ZIP file, CAVS shows me: Scanned 17 files.
Then I scan the RAR file. Sometimes CAVS shows me: Scanned 8 files ???
or shows me: Scanned 5 files ???
or even shows me: Scanned 1 file ??? ???

I haven't tested the 7zip format.

Maybe CAVS doesn't do well scanning various archive formats?

Just curious - does anyone have experience with CAVS scanning compression bombs? Given the slow and memory-intensive extraction and scanning of compressed files, does CAVS have a way of avoiding compression bombs and the resulting crash when the program attempts to open one?
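The scanner behaviour gordon describes above (a signature only matches on the inflated bytes, so the engine must decompress, and it should flag what it cannot decompress), the "extract and scan the files sequentially" point in the later reply, and AnotherOne's compression-bomb question, as one added example that is not code from CAVS, AntiVir, ClamAV or anyone in this thread. It uses only Python's standard library. The archive it scans is constructed in memory (a clean text file, eicar.com, a nested ZIP holding eicar.com, a member that inflates to four times the cap, and a member whose central-directory record has the "encrypted" flag set by hand, since zipfile cannot write encrypted entries); the size, ratio and nesting limits are values chosen for the example, not any vendor's settings.

```python
"""Streaming ZIP scanner: match the EICAR test signature inside archives.

Added example for this thread, not code from CAVS, AntiVir or ClamAV.
It shows: the signature is matched on inflated bytes, so the engine must
decompress; it streams one member at a time instead of extracting the whole
archive; it stops inflating at a cap (decompression bombs); and an encrypted
member is reported as NOT scanned rather than silently passed as clean.
"""
import io
import struct
import zipfile

# The standard EICAR test string (eicar.org); scanners treat it as a virus.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Limits chosen for this example (assumptions, not any vendor's defaults).
MAX_MEMBER_BYTES = 1 << 20    # stop inflating a member after 1 MiB
MAX_RATIO = 100               # or once inflated > 100 x compressed size
MAX_DEPTH = 3                 # nested archives deeper than this are skipped
CHUNK = 64 * 1024
ZIP_MAGIC = b"PK\x03\x04"


def scan_zip_bytes(data):
    """Scan a ZIP held in `data`; return a list of (member path, verdict)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        _scan_archive(zf, findings, prefix="", depth=0)
    return findings


def _scan_archive(zf, findings, prefix, depth):
    for info in zf.infolist():
        path = prefix + info.filename
        if info.is_dir():
            continue
        if info.flag_bits & 0x1:
            # Bit 0 of the general-purpose flag = encrypted. Without the
            # password the bytes are opaque, so say so instead of "clean".
            findings.append((path, "NOT SCANNED: encrypted member"))
            continue
        with zf.open(info) as fh:
            _scan_member(fh, info.compress_size, path, findings, depth)


def _scan_member(fh, compressed_size, path, findings, depth):
    """Inflate one member chunk by chunk. Only a nested ZIP is buffered,
    and then never beyond MAX_MEMBER_BYTES."""
    chunk = fh.read(CHUNK)
    nested = chunk.startswith(ZIP_MAGIC)
    buf = bytearray()
    total, tail = 0, b""
    while chunk:
        total += len(chunk)
        if total > MAX_MEMBER_BYTES or (
                total > CHUNK and total > MAX_RATIO * max(compressed_size, 1)):
            findings.append((path, "NOT SCANNED: decompression limit exceeded"))
            return
        if nested:
            buf += chunk
        elif EICAR in tail + chunk:       # `tail` covers a chunk-boundary split
            findings.append((path, "DETECTED: EICAR test signature"))
            return
        tail = chunk[-(len(EICAR) - 1):]
        chunk = fh.read(CHUNK)
    if not nested:
        findings.append((path, "clean"))
    elif depth >= MAX_DEPTH:
        findings.append((path, "NOT SCANNED: nesting too deep"))
    else:
        try:
            with zipfile.ZipFile(io.BytesIO(bytes(buf))) as inner:
                _scan_archive(inner, findings, path + "->", depth + 1)
        except zipfile.BadZipFile:
            findings.append((path, "NOT SCANNED: corrupt nested archive"))


def build_sample_archive():
    """Constructed test input (not a real download): clean text, eicar.com,
    a nested ZIP with eicar.com, a 'bomb' and an 'encrypted' member."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("eicar.com", EICAR)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("readme.txt", b"just some text\n")
        z.writestr("eicar.com", EICAR)
        z.writestr("inner.zip", inner.getvalue())
        z.writestr("bomb.bin", b"\0" * (4 * MAX_MEMBER_BYTES))  # ~1000:1
        z.writestr("secret.txt", b"not really encrypted, only flagged")
    data = bytearray(outer.getvalue())
    # zipfile cannot write encrypted entries, so set the 'encrypted' flag
    # (offset 8 of the PK\x01\x02 central-directory record) on secret.txt
    # by hand; the flag alone is what a scanner sees before opening it.
    pos = data.find(b"PK\x01\x02")
    while pos != -1:
        name_len = struct.unpack_from("<H", data, pos + 28)[0]
        if data[pos + 46:pos + 46 + name_len] == b"secret.txt":
            data[pos + 8:pos + 10] = b"\x01\x00"
        pos = data.find(b"PK\x01\x02", pos + 46)
    return bytes(data)


if __name__ == "__main__":
    for member, verdict in scan_zip_bytes(build_sample_archive()):
        print(f"{member:24} {verdict}")
```

Running it prints one verdict per member: the two eicar.com copies (top level and inside inner.zip) are detected, bomb.bin is abandoned after about 1 MiB of output without ever being written to disk, and secret.txt is reported as not scanned, which is the honest answer the VirusTotal results above fail to give. The same structure applies to RAR or 7z members once a streaming decoder for those formats replaces `zipfile`.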

What I mean is that ALL the anti-virus programs used by VirusTotal
give the impression that they have scanned the contents of the encrypted 7zip
archive, but they haven't, because they CAN'T.
This will lead people to believe that the files inside the archive have been scanned
and found 'safe' when in fact they have not!

17 minutes to complete the scan ? There is definitely something wrong …

@AnotherOne : very good point !

File eicarcom2.7z
http://www.virustotal.com/analisis/a90aace4e0c353a9ec240fe96a4c420c

File eicar.7z
http://www.virustotal.com/analisis/3284bec5ee5ec9efa22c589853922add


Unfortunately, it seems that CAVS only does well in scanning ZIP files; it does not support the 7zip format.

[attachment deleted by admin]

I used different compression rates to compress eicar.com.

You can download it to do a scanning test.


CAVS fails to scan this test virus RAR file.

And this is the result of AntiVir:

Starting the file scan:

Begin scan in ‘C:\test.rar’
C:\test.rar
[0] Archive type: RAR
→ eicar06.rar
[1] Archive type: RAR
eicar.com
[DETECTION] Contains code of the Eicar-Test-Signature virus
→ eicar01.rar
[1] Archive type: RAR
eicar.com
[DETECTION] Contains code of the Eicar-Test-Signature virus
→ eicar02.rar
[1] Archive type: RAR
eicar.com
[DETECTION] Contains code of the Eicar-Test-Signature virus
→ eicar03.rar
[1] Archive type: RAR
eicar.com
[DETECTION] Contains code of the Eicar-Test-Signature virus
→ eicar04.rar
[1] Archive type: RAR
eicar.com
[DETECTION] Contains code of the Eicar-Test-Signature virus
→ eicar05.rar
[1] Archive type: RAR
eicar.com
[DETECTION] Contains code of the Eicar-Test-Signature virus
[WARNING] The file was ignored!


Now I am sure that CAVS doesn't support the RAR format well (also other formats like 7zip).

[attachment deleted by admin]