Scanning password protected .zip files
I found this on the NTBUGTRAQ mailing list from a Michael Maloney. I don't know the validity of this, but it seemed interesting enough to post. I would be interested in hearing whether or not this works.
“With the release of Beagle.H and Beagle.I, virus writers started enclosing the infected files within password protected ZIP files. This negated the ability of A/V software to view the enclosed file within.
I've found that the A/V software does see the file within the ZIP archive, but cannot process it because it does not recognize the extension. When the archive is password protected, the file enclosed receives a "+" character at the end of the extension (i.e. test.exe becomes test.exe+). Since the A/V software doesn't recognize that kind of extension, it lets it pass through.
I found that by adding the "+" character to file extensions that are blocked (.exe+, .cmd+, .vbs+ etc etc), the A/V software can now recognize that file extension and perform the necessary actions on it.
I've only tested this out on Norton Anti-Virus for Exchange V2.1, but it should work on the other A/V software programs.”
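The mechanism behind the tip is worth seeing in code. ZIP "password protection" encrypts only each entry's data; the central directory, and with it every file name, stays in the clear, which is why a scanner can read the name without the password. The following Python example is added here and is not from the post or from any of the products mentioned. It constructs a minimal password-flagged archive in memory (the payload is filler, not real ciphertext, and is never extracted), lists the entry names without a password, and applies a block decision on the inner extension, matching names displayed with a trailing "+" as the post describes. The block list and the "quarantine" rule for encrypted archives whose names are not on the list are assumptions for the example, not something the post prescribes.

```python
import io
import struct
import zipfile

# Hypothetical gateway block list (an assumption for this example).
BLOCKED_EXTENSIONS = {".exe", ".cmd", ".vbs", ".scr", ".pif", ".bat"}


def build_zip(name: str, payload: bytes, encrypted: bool = True) -> bytes:
    """Construct a minimal single-entry ZIP archive in memory.

    With encrypted=True the entry's general-purpose flag bit 0 is set, which
    is how a password-protected entry is marked. The payload is filler
    (constructed for this example, not a real ciphertext) and the CRC is a
    dummy: nothing here ever extracts the entry. The point is that the
    central directory, and therefore the file name, is never encrypted.
    """
    name_b = name.encode("cp437")
    flags = 0x0001 if encrypted else 0x0000
    method = 0                      # stored, no compression
    crc = 0                         # dummy, only checked on extraction
    size = len(payload)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method,
                        0, 0, crc, size, size, len(name_b), 0) + name_b + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                          method, 0, 0, crc, size, size, len(name_b),
                          0, 0, 0, 0, 0, 0) + name_b
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def inner_entries(zip_bytes: bytes) -> list:
    """List (name, is_encrypted) for every entry without any password."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(zi.filename, bool(zi.flag_bits & 0x0001)) for zi in zf.infolist()]


def blocked_extension(name: str) -> str:
    """Extension of the entry's base name, lowercased, with a trailing '+'
    removed so that a name displayed as 'test.exe+' still matches '.exe'."""
    base = name.rsplit("/", 1)[-1].rstrip("+")
    if "." not in base:
        return ""
    return "." + base.rsplit(".", 1)[-1].lower()


def scan_archive(zip_bytes: bytes, blocked=BLOCKED_EXTENSIONS) -> dict:
    """Decide what a mail gateway should do with an archive.

    'strip': an inner name carries a blocked extension (encrypted or not).
    'quarantine': entries are encrypted, so their content cannot be scanned
                  and the names cannot be trusted; hold for review (an added
                  policy choice, not something the post prescribes).
    'pass': everything is readable and nothing is on the block list.
    """
    encrypted_entries, blocked_entries = [], []
    for name, encrypted in inner_entries(zip_bytes):
        if encrypted:
            encrypted_entries.append(name)
        if blocked_extension(name) in blocked:
            blocked_entries.append(name)
    if blocked_entries:
        action = "strip"
    elif encrypted_entries:
        action = "quarantine"
    else:
        action = "pass"
    return {"action": action, "encrypted": encrypted_entries, "blocked": blocked_entries}


if __name__ == "__main__":
    sample = build_zip("test.exe", b"\x00" * 32)   # constructed sample archive
    print(inner_entries(sample))   # the name is visible although the entry is encrypted
    print(scan_archive(sample))
```

The caveat a gateway operator should keep in mind is that the inner file name is the only signal available for an encrypted entry, and the sender controls it: a worm packed as "invoice.txt" inside a password-protected archive would pass a pure extension filter. That is why the example holds back any encrypted archive it cannot clear, rather than passing it just because no name matched.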
Comments
- Anonymous
March 03, 2004
The comment has been removed - Anonymous
March 03, 2004
Like I said, I haven't tested this yet, since I don't have access to the AV software to do this with. I have forwarded your question to the poster of the original comment to see what he says. - Anonymous
March 03, 2004
Ok, here is what happens. The scanner can open any zip file even if it doesn't have the password to view the extensions. Since you may be blocking .vbs, it might make sense to block .vbs+ as well. That was the whole point from the post.
Comments from Mike Maloney:
"The AV software can view the file within the password protected ZIP, it just cannot extract it for scanning. Once it looks at the file and sees that there is a file with the extension it is supposed to block, it strips the zip file from the email.
Try it on your desktop.. Create a password protected ZIP file, then try to open it. You can see the contents of the ZIP without entering the password, but cannot extract it from the archive." - Anonymous
March 04, 2004
The comment has been removed - Anonymous
March 04, 2004
OK, this isn't working for me. I am using Network Associates GroupShield and I added to my blocked extensions all the extensions I have blocked now with the + after them, and it still isn't pulling the .zip file. - Anonymous
March 04, 2004
If you want security use PGP or similar encryption and pack it into a self extractor (most encryption tools have that option - they compress too). - Anonymous