Can Malware infect your pc without Executing??

be it decompresion bomb or any malware,it doesnt matter any kind,sandboxie will help you achieve you goals at protecting your pc and remain clean after deleting the content that is contain in the sandbox,again sandboxie

 

AFAIK one of the few (if not the only one) protections against decompression bomb is properly coded/configured AV that does not try to extract too many sub archives.

 

Now you are just plugging your fingers into your ears and going "lalala~".

As I've said, decompression bomb is as easily deleted as any other normal file with or without Sandboxie. Sandboxie makes no difference. Deliberate ignorance born from wishful thinking is not going to change that fact.

 

anyway i Never use a zip program, like Winzip, is an over-reaction and a pretty untenable position to take:thumb. Just be sensible about what you open.

 

also Most modern anti-virus software has some defences against decompression bombs

 

They should, after all that's been out for ages now

 

well in all fairness if you download a legit zip file from a legit website and it turned out to be the zip BOMB you wouldn't find out untill its too late would you.

how do set yourself a restrictive disk quota? would this method work?

as for sandboxie I doubt that would protect you, jmonge have you tested it in sandoxie?

Anyway this is partly why I created this thread to find out about other threats that can damage your system without the need to excecute/ run etc
preventing malware from Executing/installing and running is easy, most of us are protected from that by using sandboxie and HIPS etc

anyone else know of any security product that can protect against zip bomb?

 

they even use it to open advertisement thanks for adds blocker

 

what about returnil will protect your system after reboot it the bomb will de deactivated plus no changes allow or system alteration after reboot.

 

Malicious code doesn't have to be an executable file per se. It can be in the form of a DLL and be executed by RUNDLL32.exe, a normal system process that performs many other legitimate functions. Malicious code can be added to legitimate system files so that when a specific function that's handled by that file is performed, it can be done differently or something else entirely also happens. At times, malicious code replaces whole system files with their own. Windows Scripting Host isn't malicious but the scripts it runs can be. Even a text file can be malicious under certain circumstances, depending on what opens it. A batch file is basically a plain text file that's opened by cmd.exe or command.com, depending on what system you're using. In this instance, changing the file extension can be a malicious act.

I'm not sure what decides if an app is an anti-executable or a HIPS, too many marketing games with the terms. I'm assuming an anti-executable just allow/deny individual processes while HIPS can control their parent-child dependencies and other activities. Simply blocking malicious processes and allowing the known good ones will not protect you from malicious code that's executed by known good process. That's where classic HIPS can outperform an anti-executable, by giving you control over the activities of allowed processes.

 

i also know even i never tried but i know it will contain it ofcourse inside the well configure sandbox.it will do the job,if you you configure to auto delete the sandbox on close of the apps,it will delete all.reboot and nothing damage will happen.:thumb
i didnt tested with it but sandboxie was and it is tested againts worse stuff than a decompress bombs with sucess

 

it is a very interesting conversation,how ever i will go for coffee,i need it,i will be back later on.

Prevention is Better than the Cure

 

I really don't know what kind of unpacker are you using, but I personally never hit any that'd keep extracting stuff more than one level deep by default. Don't see how it could be late at any moment.

Not really hard to Google for it? Of course it would work... it limits the disk space a user can use, preventing them from filing up the entire drive with junk (be it this compressed nonsense or pr0n or whatever). The partitions need to use NTFS, not FAT32 of course.

There is no real permanent damage, all it does is wasting diskspace, potentially filing up the disk. (Yeah, unpacking the stuff will eat some CPU resources as well but who cares.)

As already said, antivirus apps can be set up to limit the recursion level on nested archives in case you care about this (email scanning or whatever similar). As for manual unpacking, seriously go use your brain or restrict your disk usage via quotas if you can't. Absolutely no need for third-party products here.

 

The problem is you can not know is something malware or not before this something does something suspiciouse. For example you download new picture viewer, start is, and then your HIPS tells you it tries to tamper other processes. This is definitley a point to stop a viewer until this behavior is clearly explained by a vendor. (this is just one example of many possible where simple antiexecutable cannot help).

 

if only things were that simple...

while it's true that a malicious 'thing' must have it's instructions followed in order to do something bad, what the average person thinks of as execution only accounts for a portion of the ways in which that can happen and as such things like anti-executable will only protect against a portion (though it may be a big portion) of malware...

application whitelists like anti-executable can cover a whole lot, but they won't handle exotic execution, and if you think you don't need to worry about exotic execution then consider macro viruses - those were a high profile, mainstream threat that used an exotic form of execution (interpretation by a trusted app) which wouldn't be stopped by traditional application whitelisting and required special security enhancements be added to the interpreting app itself to be able to block them in a generic way...

 

Sandboxie offers the perfect protection against anything when configured to do so.

Here I am trying to unzip a "42.zip" which is an archive bomb.

 

hey franklyn thanks for the clear explanation,thats what i tried this guy to understand and i gues you were more directo so thanks for the screenshot

 

Only default drill down level of Avira on access guard and exclusions file size is very low compared to for instance A2 malware can handle.

I always increase recusive scan depth (drill down level in archves) to five and remove file limit size (of Avira)

 

Please describe how to configure this properly

 

Really depends on personal taste... If you download some, ermmm... questionable stuff, it's never more packed more than 3 or 4 nested levels - not because it'd be a decompression bomb, but because it makes it harder to find out the real content for obvious reasons. An average BFU won't even be able to unpack this deep enough, you see tons of stupid question about "unable to install this .r01 or .001 application" on various forums already.

With this kind of stuff, you could sort of DoS some mailservers or virus-filtering proxies which are configured badly. For desktop users, the threat is something I wouldn't care about at all. Worst case, you'll waste some time to delete the junk manually.

 

Been discussed many times and I'll leave it up to Mitch's great post over at SB's forum for reference.
Mitch's - Control Your Sandbox

 

Quote, very well described, noone_particular !

 

Yes, but from where comes malicious *.dll? I think from malicious *.exe which needs executing to load malicious *.dll.

for 42.zip it is just AV/AS scanner problem nothing more...

What with "autorun.inf"?

 

It,s very interesting. I will like to test it.

Can u tel what type of files these are? I mean file extensio.

Can any one PM me such a sample?

Thanks

 

As I know dlls are executable files.