Gerod Serafin's WebLog

Helping to keep large organizations' e-mail running


Scanning password protected .zip files


I found this on the NTBUGTRAQ mailing list from a Michael Maloney.  I don't know the validity of this, but it seemed interesting enough to post.  I would be interested in hearing whether or not this works.

“With the release of Beagle.H and Beagle.I, virus writers started enclosing the infected files within password protected ZIP files. This negated the ability of A/V software to view the enclosed file within.

I've found that the A/V software does see the file within the ZIP archive, but cannot process it because it does not recognize the extension. When the archive is password protected, the file enclosed receives a "+" character at the end of the extension (i.e. test.exe becomes test.exe+). Since the A/V software doesn't recognize that kind of extension, it lets it pass through.

I found that by adding the "+" character to file extensions that are blocked (.exe+, .cmd+, .vbs+ etc.), the A/V software can now recognize that file extension and perform the necessary actions on it.

I've only tested this out on Norton Anti-Virus for Exchange V2.1, but it should work on the other A/V software programs.”
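As an added example (not from the post, nor from any A/V product), the following Python builds a small ZIP whose central directory lists an encrypted member, shows that the member's name is readable without the password while its contents are not, and applies the rule the post describes: an encrypted member is matched against the block list as its extension plus "+". The archive builder, the stand-in ciphertext and the `gateway_name` convention are constructed here for illustration.

```python
import io
import struct
import zipfile
import zlib

ENCRYPTED_FLAG = 0x0001  # general-purpose flag bit 0: traditional PKZIP encryption

def build_zip(entries):
    """STORED ZIP from (name, data, encrypted) tuples. Encrypted members get a
    stand-in 12-byte header and XOR'd bytes (constructed, not real ZipCrypto)."""
    body, central = b"", b""
    for name, data, encrypted in entries:
        flags = ENCRYPTED_FLAG if encrypted else 0
        payload = (b"\x00" * 12 + bytes(b ^ 0xA5 for b in data)) if encrypted else data
        name_b, crc, offset = name.encode("ascii"), zlib.crc32(data), len(body)
        body += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21, crc,
                            len(payload), len(data), len(name_b), 0) + name_b + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0,
                               0x21, crc, len(payload), len(data), len(name_b),
                               0, 0, 0, 0, 0, offset) + name_b
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return body + central + eocd

def gateway_name(info):
    """The post's convention, assumed here: encrypted members are matched as
    name + "+" (test.exe becomes test.exe+)."""
    return info.filename + ("+" if info.flag_bits & ENCRYPTED_FLAG else "")

def scan(archive_bytes, blocked_exts):
    """{member: "blocked"|"allowed"}, decided from the central directory alone,
    which ZIP leaves in the clear even when member data is encrypted."""
    blocked, verdicts = {e.lower() for e in blocked_exts}, {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            visible = gateway_name(info)
            ext = ("." + visible.rsplit(".", 1)[1].lower()) if "." in visible else ""
            verdicts[info.filename] = "blocked" if ext in blocked else "allowed"
    return verdicts

def can_read_contents(archive_bytes, name):
    """True if the member's bytes can be extracted without a password."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        try:
            zf.read(name)
            return True
        except RuntimeError:  # zipfile: "File ... is encrypted, password required"
            return False
SAMPLE = build_zip([("readme.txt", b"hello", False),  # constructed sample archive
                    ("invoice.exe", b"MZ\x90\x00 stand-in bytes, not a program", True)])
```

Whether a given product appends "+" is product-specific (a later comment reports no success with GroupShield); what the ZIP format itself guarantees is only that member names sit in the clear in the central directory under both traditional PKZIP encryption and WinZip AES.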

Comments
  • How does the anti-virus software unzip the file to check for viruses when it still doesn't know the password? Is it just looking for file names that it knows are dangerous?

  • Like I said, I haven't tested this yet, since I don't have access to the AV software to do this with. I have forwarded your question to the poster of the original comment to see what he says.

  • Ok, here is what happens. The scanner can open any zip file even if it doesn't have the password to view the extensions. Since you may be blocking .vbs, it might make sense to block .vbs+ as well. That was the whole point from the post.

    Comments from Mike Maloney:

    "The AV software can view the file within the password protected ZIP, it just cannot extract it for scanning. Once it looks at the file and sees that there is a file with the extension it is supposed to block, it strips the zip file from the email.

    Try it on your desktop. Create a password protected ZIP file, then try to open it. You can see the contents of the ZIP without entering the password, but cannot extract it from the archive."

  • You guys rock! I have been racking my brain on this for two days trying to figure out why my updated dat files weren't picking this virus up. I have added the + to all the extensions that I block. Thanks everyone.

  • Ok, this isn't working for me. I am using Network Associates GroupShield, and I added the + after all the extensions I currently have in my blocked extensions list, and it still isn't pulling the .zip file.

  • If you want security use PGP or similar encryption and pack it into a self extractor (most encryption tools have that option - they compress too).
