Overcompressed Files

Dear user,

It would be interesting to see where you found the relation between that file and a Vundo infection.

To be more precise - Overcompressed means that BitDefender skipped scanning within that archive because unpacking it proved to take up too many system resources. The content will be scanned on real time access if needed.

As Cris stated, the i386 folder contains files from the installation media of your operating system. The Apps folder is a non-standard location on some modified, unofficial Windows installation CDs that contains applications that will be run as needed during installation or from a post install application.

The file vcredist_x86_ENU.exe corresponds to the Microsoft Visual C++ Runtime library - English redistributable. Same file name is used for multiple editions of the file.

If you have any doubts, please follow the above instructions so we can check the file.

I would be curious about this too. I got the identical message, and that was after installing and running bit defender for the first time ever. Don't know if it makes any difference but the D drive is my Recovery drive and I don't actively ever save anything to that drive. Also running Vista premium.

Please upload the file, as Cris suggested.

Has it been determined if this is a virus of some sort or just a false positive? I'm having the same issue.

Hello Corey,

The state Overcompressed means that the file(s) were compressed in an unusual way and BitDefender failed to correctly extract the files. It doesn't necessarily mean that the archive is corrupted.

However, this doesn't mean that those files are infected (with Vundo, or something else). Actually, I never heard about any relation between "overcompressed" and an infection of any kind.

When a file is reported as overcompressed, it means that it just couldn't be scanned, just like the cases when a file is archived with a password.

Also, files located in <drive>\i386 are usually files belonging to OS installation kits, so they should be clean. If you want to be sure, please find that file (\i386\Apps\App001978\vcredist_x86_ENU.exe), put it in a password-protected archive (with the password infected), upload it on a file-sharing server and send me the download link through PM. I will forward it for analysis and send you the result.

Details:

http://forum.bitdefender.com/index.php?s=&...post&p=1222

http://forum.bitdefender.com/index.php?s=&...post&p=1223

Cris.

I am having this same problem. How do I access the file in order to upload it? When I attempt to access my D drive to try to locate the file, I get a Recovery Partition Warning and I am unable to go any further. I'd like to figure out how to do this so I can upload a file to you.

thanks

craig

could somebody try the following:

open a Command Prompt(found under accessories in the start menu)

type following followed by pressing the enter key:

copy \i386\Apps\App001978\vcredist_x86_ENU.exe %userprofile%\desktop\

you should see a message stating that 1 file was copied successfully.

now look on your desktop and you should find that file.

please upload the file as shown in the links Cris posted.

I have tried using the command prompt to do this multiple times. Every time I do, I get the following message - "The syntax of the command is incorrect."

Any thoughts? I did this from both c: and d: starting points multiple times, always with the same result.

The exact name of the uncompressed file in question for me is \i386\Apps\App001978\vcredist_x86_ENU.exe=](NO_NAME).

thx

After a deep 3 minute analysis, I'm certain the files are clean. Why? Because this is identical to the Visual C++ 2005 redistributable found on microsoft.com, which has already been analyzed in the past. The file is unnecessarily packed four times and this makes BitDefender refuse to scan it on demand. Only the outer two layers are scanned.

So files are clean.

Hello Robert1,

GLB files are Global Module in Basic Program. What exactly they contain and what is their purpose depends on what application uses them.

Please provide a BitDefender scan log to see exactly what is the situation.

Cris

First of all, make a Deep Scan with BitDefender. At the end of the scan, click Show log file. Your browser will open showing the scan log. Find the file that is written in the browser's address bar and upload it to your next post here.

Cris.

Hello twiller,

As far as I can find out, that file belongs to a Windows update released yesterday, which is a very good reason why the warning appeared today.

The files kept in C:\Windows\SoftwareDistribution\Download\ are all Windows Update installation kits. Once they are installed, they can be safely removed from your system. And, usually, they are automatically installed after they are downloaded. I say usually, because it depends on your Automatic Update settings. But, by default, they are installed immediately after download, or at the first system shutdown.

So, to be certain: restart your system, then move that file to another folder. If you don't have problems in the next week or so, you can delete the file.

Cris.

As stated MANY times before in this topic, this doesn't represent any kind of problem/issue/alert/whatever! It's just a normal log entry, just like the password-protected items. Those items do NOT represent any kind of threat to your system.

And, since all the above reports were about files which belonged official installers from to Windows or HP, these files are 99.99% clean. So please post here ONLY in case you have suspicious files, not official files. Thank you.

Cris.

I'm starting to have the same kind of problem. I'm getting this after a scan: \hp\apps\APP02109\src\MSWORKS\PSS\J4S89XNT.EXE=](NO_NAME) Over compressed Not scanned

BitDefender Log File

Product : BitDefender Antivirus 2009

Version : BitDefender UIScanner v.12

Scanning task : Deep System Scan

Log date : 20/06/2009 11:47:06 PM

Log path : C:\ProgramData\BitDefender\Desktop\Profiles\Logs\deep_scan\1245566826_1_02.xml

Scan Paths:Path 0000: C:\

Path 0001: \

Scan Options:Scan for viruses : Yes

Scan for adware : Yes

Scan for spyware : Yes

Scan for applications : Yes

Scan for dialers : Yes

Scan for rootkits : Yes

Target Selection Options:Scan registry keys : Yes

Scan cookies : Yes

Scan boot sectors : Yes

Scan memory processes : Yes

Scan archives : Yes

Scan runtime packers : Yes

Scan emails : Yes

Scan all files : Yes

Heuristic Scan : Yes

Scanned extensions :

Excluded extensions :

Target Processing:Default action for infected objects : Disinfect

Default action for suspicious objects : None

Default action for hidden objects : None

Default action for encrypted infected objects : None

Default action for encrypted suspicious objects : None

Default action for password-protected objects : Log as not scanned

Scan engines summaryNumber of virus signatures : 3439691

Archive plugins : 45

Email plugins : 6

Scan plugins : 13

System plugins : 5

Unpack plugins : 7

Overall scan summaryScanned items : 331175

Infected items : 0

Suspicious items : 0

Resolved items : 0

Unresolved items : 1

Password-protected items : 0

Overcompressed items : 1

Individual viruses found : 0

Scanned directories : 23372

Scanned boot sectors : 0

Scanned archives : 4763

Input-output errors : 0

Scan time : 01:21:56

Files per second : 67

Scanned processes summaryScanned : 62

Infected : 0

Scanned registry keys summaryScanned : 1225

Infected : 0

Scanned cookies summaryScanned : 0

Infected : 0

Objects that were not scanned:Object Name Reason Final Status

\hp\apps\APP02109\src\MSWORKS\PSS\J4S89XNT.EXE=](NO_NAME) Over compressed Not scanned

I suspect that the virus may be

1) I've come to know that the message ("overcompressed") is received when the size of the extracted files from an archive is larger than 30*(the_size_of_the_archive), so that's why I asked the 2nd question. Is this information true?

Yes, it's true.

2) 3) Is there any relation between "Overcompressed Items" and the option in the Bitdefender Real-Time Protection Setting "Don't Scan archive deeper than -----"?

No. Those options affect only the Realtime scanner.

3) And as you said above "this doesn't represent any kind of problem/issue/alert/whatever!...........Those items do NOT represent any kind of threat to your system." , so is it possible that these items added to some trusted zone like skipped items even though temporarily, to increase the scanning speed and thus reduce scan time.?

Yes, if you know and trust those files (and you are sure they are clean), you can add these items to exclusions (BitDefender Security Center (Expert Mode) -> Antivirus -> Exclusions). After that, they won't be scanned again.

Adding them to exclusions should be a fairly safe operation. Since BitDefender failed to extract the files, I kinda doubt that there is a malware that will try that hard to decompress those files, infect them and re-compress them. So if they were clean at the beginning, they should remain clean.

Cris.

Hello Zadok13,

Those files are clean. They are packed backups of the CBS.LOG file (which is stored in the same folder). Periodically, a new CBS.LOG file is created, and at that moment the old one is moved into a ”persistent” log (it's compressed using Microsoft's CAB and won't be modified anymore).

This log is used by internal system tools, such as System File Protection (SFC) or TrustedInstaller (during Windows Update installations).

Judging after the filenames you posted, they were created on 3, 5 and 7 of August, so only a few days ago (the first 8 digits represent the persistent log creation date). This might explain why these files didn't appear in any previous scans.

Why they appear in the scan? The logs are text files. Depending on their size and compression rate and method, the resulting archive can become very hard to extract. The result is that BitDefender omits to fully extract them, as it was already explained in the previous posts. There are no settings in BitDefender that can be changed so these files are scanned.

Cris.

Hello,

The official answer was provided here:

http://forum.bitdefender.com/index.php?sho...ost&p=57028

Thank you!