Many antivirus programs display the warning “This file is a decompression bomb” while scanning your computer. The message means that the antivirus has come across a file which, if decompressed, would never finish decompressing and would most likely cause your system to freeze.
What is File Compression?
Before we discuss what a decompression bomb is and how it works, let’s look at the basics of file compression. File compression refers to the action of a compression algorithm that reduces the size of a file. For example, a 700MB movie might be converted into a 500MB RAR file. In order to reduce the file, the compression algorithm must first read the entire file and analyze it.
As you may have heard, everything on a computer is made up of a series of 0s and 1s. This is called binary code. The principle on which compression algorithms run is that they search for repeated patterns in the binary code of the file.
We often rely on patterns in our daily lives ourselves. For instance, if you had to convey the number ‘111000’ to a friend, you would say three 1s and three 0s. As the number grows longer, the spoken form stays almost the same length.
A binary fragment such as 111111000000 contains two runs of repeating digits. To make this fragment smaller, the algorithm rewrites it as 6×1 6×0. Thus a fragment that originally took up 12 digits is now reduced to 6.
What are the mechanics of a Decompression Bomb?
Decompression bombs contain a series of codes that generate extremely long patterns. For example, it is like telling your friend to write down a 1 followed by a trillion zeros. Your friend might start writing zeros from scratch, while the number you actually meant consisted of 7 digits.
Similarly, a decompression bomb might be only 5KB in size yet generate an extremely large file (for example 10TB). There are a thousand GBs in 1TB. Even this is a low estimate; in reality, the size can go up to petabytes. The process is similar to the halting problem we encounter in the field of computing: you never know when to stop processing.
What are the effects of opening a Decompression Bomb?
If your antivirus software starts scanning .zip files for decompression bombs without a good algorithm, it could hang and change its state to ‘not responding’. Similarly, since operating systems nowadays can open zipped files themselves, your operating system can also damage itself when trying to open a decompression bomb and cause serious damage to your system.
If you open a file labeled as a decompression bomb, and it indeed is one, your system will hang instantly, eventually crash, and cause data loss. Many viruses and malware exploit the principle of decompression bombs and infect your computer this way.
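The way a scanner avoids the hang described above (for the mechanics of a tiny archive inflating to a huge one, see the previous section) is to check declared sizes before inflating and then to inflate with a hard byte cap. This is an added example, not code from the original article; the thresholds MAX_RATIO and MAX_TOTAL, the helper names, and the zero-filled sample archive are all constructed assumptions.

```python
import io
import zipfile

# Thresholds are assumptions for this example; tune them for your environment.
MAX_RATIO = 100           # uncompressed/compressed ratio above which we refuse
MAX_TOTAL = 50 * 1024**2  # hard cap on bytes we are willing to inflate (50 MiB)


def make_zip(payload: bytes, name: str = "member.bin") -> bytes:
    """Build a constructed in-memory zip archive with one deflated member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def inspect_zip(data: bytes) -> dict:
    """Cheap screening step: read only the central directory, never inflate.
    Declared sizes are attacker-controlled and can be forged, so this alone
    is not the final guard."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        comp = sum(i.compress_size for i in zf.infolist())
        uncomp = sum(i.file_size for i in zf.infolist())
    ratio = uncomp / max(comp, 1)
    return {"compressed": comp, "uncompressed": uncomp, "ratio": ratio,
            "suspicious": ratio > MAX_RATIO or uncomp > MAX_TOTAL}


def bounded_extract(data: bytes, limit: int = MAX_TOTAL) -> tuple[bool, int]:
    """Inflate every member in 64 KiB chunks and stop once `limit` is exceeded.
    Returns (completed, bytes_inflated). Counting real output bytes is what
    defeats forged headers; the loop never holds more than one chunk."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                while chunk := member.read(64 * 1024):
                    total += len(chunk)
                    if total > limit:
                        return False, total  # abort instead of freezing
    return True, total


if __name__ == "__main__":
    # Constructed sample: 10 MiB of zeros deflates to roughly 10 KB.
    bomb = make_zip(b"\x00" * (10 * 1024**2), "zeros.bin")
    benign = make_zip(bytes(range(256)) * 4, "table.bin")
    print("bomb:", inspect_zip(bomb), bounded_extract(bomb, limit=1024**2))
    print("benign:", inspect_zip(benign), bounded_extract(benign))
```

The same two checks apply to each member of a nested archive; a scanner that only trusts the header sizes is the one that ends up ‘not responding’.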
What if the file labeled as a Decompression Bomb is not one (False alarm)?
There are also many instances where a file labeled as a decompression bomb by the antivirus is not, in reality, a bomb. It may simply contain a random sequence of numbers written in such a way that the antivirus software thinks it is a decompression bomb.
If you want to make sure that a file is not a decompression bomb, scan your computer several times using different antivirus software (Malwarebytes, AVG, Panda, Norton, etc.). If it indeed is a bomb, these antivirus products will inform you accordingly.
There are many cases in which antivirus software gives a false alarm. A false alarm, in antivirus terminology, means that the file labeled as a threat to your system is not actually a threat. You can Google the file name and look for other people reporting the same problem. If you are absolutely sure that the file isn’t a bomb, you can exclude it from the antivirus scan and use it as you wish.
You can also run Microsoft Safety Scanner on your computer. Microsoft Safety Scanner is a scan tool designed to find and remove malware from your computer. Do note that this software is not a substitute for your regular antivirus, but it does provide you with the latest virus definitions and may help in this case.