But the author doesn't test to see what happens when the user tries to do anything with the RAR. Presumably people have to extract content to be able to use it - wouldn't that be the point when the antivirus spots the threat?
I thought it was well understood that users should scan content near the point of use rather than the point of download (later, rather than sooner) to allow time for definitions to be distributed and incorporated into AV products.
A virus isn't useful until it's extracted anyway.
Just because your antivirus scan doesn't tell you that it's a virus doesn't mean the file isn't infected. Always try uploading the file to a cloud-based solution like http://virustotal.com which will return scan results from several anti-virus engines. Even if the detection ratio is as low as 2-3, you should be extremely cautious.
Attackers on the internet generally store viruses inside a container like RAR or Zip and password-protect them. And they supply the password separately. This can be seen in forums, etc. where there is a lot of traffic. The logic behind this is that when you run a scan against a virus package hiding behind a password-protected container like RAR or Zip, the anti-virus engine will fail to determine that the file is infected and some engines will even tell you it's clean! Always extract these files, scan them, or upload to a cloud scanning solution and then run it in a sandbox environment to be safe.
I have been a victim of several such attacks in the past (several years back) wherein these files were sent to me as email attachments and the password was mentioned in the email body as something like "Hurry, open this, run this... etc." And even many popular email vendors like Gmail fail to detect such files (even to date). Just don't fall for it! Maybe that free smiley software isn't worth it, after all?
For my fellow Windows users, there is an excellent free anti-virus that comes with a Virtual Kiosk and Sandbox mode (meaning, if you run anything inside a sandbox, even a virus won't be able to affect your computer) provided by the popular security guys Comodo:
The only thing worse than running untrusted code on your box is giving other people on the internet a false sense of security that it's somehow OK to do so if you install magical snake oil.
Advising people not to install an A/V package because of <insert youtube video here> is even more dangerous than selling snake oil, dude.
That is a pretty bold, and demonstrably false, statement. You should retract it.
One of the things about scanning within archive files is that it's quite I/O intensive and by default isn't enabled for most AV installs. I very much doubt the reason why it's stressful from an I/O perspective is lost on HN readers, but one thing that is overlooked in the comments and the article itself is that by default most operating systems do not support RAR compression, and really what is mainstream is ZIP on Windows, and tarballs and StuffIt files on Mac.
The default settings in most AV software are good enough for situations such as the author wrote about, even if they're on the list that didn't successfully scan within the archive. If your scanner is scanning on write, extracting the archive will in fact cause it to trip regardless of the file's hidden attribute or lack thereof.
RAR is a notable exception as it does have the ability to execute code as it is processed through a virtual machine, but at the same time a number of AV engines are geared towards situations like this using things like suspicious behaviour detection and whatnot. Those however are not necessarily enabled by default.
I think that the author's beliefs are a bit overblown here. What really matters is what happens after the RAR file is extracted, not while it's more or less safely packed inside.
60% of antivirus programs missed viruses hidden in an alternate data stream of a file inside a rar archive, not the simple case of a virus in a rar file.
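The two evasion tricks the thread keeps coming back to (password-protected archives that scanners report as clean, and hidden or alternate-data-stream entries that most engines missed) can be triaged from archive metadata before anything is extracted. The following is an added example, not code from the article or from any commenter; it uses only Python's standard `zipfile` module (RAR needs a third-party parser, so the sample archive is constructed as a ZIP) and flags entries that an in-place scan cannot or typically does not inspect: encrypted entries, names that target an NTFS alternate data stream, entries carrying the DOS hidden attribute, executables, and nested archives.

```python
from __future__ import annotations
import io
import zipfile

EXECUTABLE_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1")
ARCHIVE_EXT = (".zip", ".rar", ".7z")
DOS_HIDDEN = 0x02      # DOS attribute bit in the low byte of external_attr
FLAG_ENCRYPTED = 0x1   # general-purpose bit 0: entry is encrypted


def assess_entry(info: zipfile.ZipInfo) -> list[str]:
    """Return the reasons a single archive entry deserves a closer look."""
    reasons = []
    basename = info.filename.rsplit("/", 1)[-1]
    lower = info.filename.lower()
    if info.flag_bits & FLAG_ENCRYPTED:
        reasons.append("encrypted entry: content cannot be scanned in place")
    if ":" in basename:
        reasons.append("NTFS alternate-data-stream style name")
    if info.external_attr & DOS_HIDDEN:
        reasons.append("DOS hidden attribute set")
    if lower.endswith(EXECUTABLE_EXT):
        reasons.append("executable content")
    if lower.endswith(ARCHIVE_EXT):
        reasons.append("nested archive: needs recursive extraction to scan")
    return reasons


def triage_archive(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious entry name to its reasons; clean entries are omitted."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = assess_entry(info)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive with harmless stub bytes, not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "plain text, nothing to flag")
        zf.writestr("photo.jpg:payload.exe", b"MZ constructed stub")  # ADS name
        hidden = zipfile.ZipInfo("setup.exe")
        hidden.external_attr = DOS_HIDDEN  # emulate a hidden source file
        zf.writestr(hidden, b"MZ constructed stub")
        zf.writestr("inner.rar", b"Rar! constructed stub")
    return buf.getvalue()
```

Python's `zipfile` cannot write encrypted entries, so the encrypted case is exercised by constructing a `ZipInfo` with the flag set; on Windows, `zipfile` also rewrites `:` in names during extraction, which is why the check runs on the stored name rather than on what lands on disk.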
In fact the archive search is the single reason why I never do full disk scans voluntarily. They take ages and need tons of resources... Most of the time such a full disk scan is stuck on decompressing some archive.