Cudni
La Merma - Vigilado
MVM
join:2003-12-20
Someshire

Cudni to JohnInSJ

Re: Researchers warn of malware hidden in .zip files

said by JohnInSJ:

This is why such AVs (ClamAV, and several that run under Exchange being a few I have direct experience with) will simply quarantine and/or block any emails
block anything password protected

Cudni

Blue2
Premium Member
join:2004-04-14
France

said by Cudni:

block anything password protected

And that's the solution that I'm questioning. If you say "don't open the door to anyone who rings the doorbell", then why have doorbells?

I'm just assuming that password protecting zip archives isn't always for nefarious purposes, and if so, why isn't there a way to scan them before opening them, if you know the password? Is the only way to remove password protection from archives through the process of actually opening the file? And if so, why?

Cudni
La Merma - Vigilado
MVM
join:2003-12-20
Someshire

I was talking about the business surroundings, where it is more expedient to block anything that can't be checked until it can be checked (in whatever manner). Just a policy at some companies.

Cudni

JohnInSJ
Premium Member
join:2003-09-22
Aptos, CA

JohnInSJ to Blue2

said by Blue2:

said by Cudni:

block anything password protected
And that's the solution that I'm questioning. If you say "don't open the door to anyone who rings the doorbell", then why have doorbells?
Because email is a festering cesspool of malware. That's a sad fact. If we train people to distrust the common infection vectors, then perhaps they have a prayer of going more than 5 minutes out of the box before getting infected.

Orthogonal to that, zip files are great. So is using them to exchange many files, and even protecting that exchange with a password. So, as others suggested, post it up somewhere in the cloud and email a URL. Then the receiver can pull it down and decide how to proceed (assuming web access isn't filtered via content filters and blockers as well.)

Emailed password-protected zip files are usually nuked at the door, or always so in corporate settings. These days even renaming the file to something less dangerous sounding (like .jpg) will fail, since the AV scanners can usually determine the actual file type, even if they cannot open the archive.
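
The two scanner behaviours JohnInSJ describes (recognising a zip by its bytes rather than by a renamed .jpg extension, and seeing that a member is password protected without being able to open it) as an added Python example. This is not code from the thread or from any AV product; build_zip, inspect_zip and gateway_verdict are names assumed here, and the sample archive is constructed inside the code.

```python
import struct
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
FLAG_ENCRYPTED = 0x0001  # general purpose bit 0: entry data is encrypted


def build_zip(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Constructed one-entry STORED archive. When encrypted=True the flag is set
    and a 12-byte header precedes the data, as the ZIP spec lays it out; the
    bytes themselves are a placeholder, not real ZipCrypto output."""
    flag = FLAG_ENCRYPTED if encrypted else 0
    data = (b"\x00" * 12 + payload) if encrypted else payload
    crc, n = zlib.crc32(payload), len(payload)
    local = struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, flag, 0, 0, 0,
                        crc, len(data), n, len(name), 0) + name + data
    central = struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, flag, 0,
                          0, 0, crc, len(data), n, len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def inspect_zip(data: bytes) -> dict:
    """Read the central directory, which is never encrypted: file type, member
    names and the per-entry encryption flag are visible without any password."""
    if data[:4] != b"PK\x03\x04":          # magic bytes, not the extension
        return {"is_zip": False, "entries": []}
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("truncated archive: no end-of-central-directory record")
    _, _, _, _, count, _, pos, _ = struct.unpack_from("<IHHHHIIH", data, eocd)
    entries = []
    for _ in range(count):
        f = struct.unpack_from("<IHHHHHHIIIHHHHHII", data, pos)
        if f[0] != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        flags, name_len, extra_len, comment_len = f[3], f[10], f[11], f[12]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append({"name": name, "encrypted": bool(flags & FLAG_ENCRYPTED)})
        pos += 46 + name_len + extra_len + comment_len
    return {"is_zip": True, "entries": entries}


def gateway_verdict(data: bytes) -> str:
    """Policy from the thread: hold what cannot be scanned, scan everything else."""
    report = inspect_zip(data)
    if not report["is_zip"]:
        return "scan-as-is"
    if any(e["encrypted"] for e in report["entries"]):
        return "quarantine"
    return "unpack-and-scan"
```

The verdict depends only on the bytes, so an encrypted archive renamed to photo.jpg is still held, while a plain archive goes on to be unpacked and scanned.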

Hytech Act
@cox.net
Anon

Password protected encrypted (PGP and otherwise) zip files are common in the health care and health insurance sectors. FTP is good for regular exchanges, but email is how ad hoc exchanges take place, for better or worse. Moreover, blocking and other strategies that make technology useless are simple-minded scorched earth solutions to what in reality is a minor and manageable risk. It misses the point of having the technology in the first place.

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy

Premium Member

said by Hytech Act:

Password protected encrypted (PGP and otherwise) zip files are common in the health care and health insurance sectors.
This is really much different than a password protected zip archive.
It's actually encryption at its best.
The handling rules should reflect the differences between them.
The PGP zip is going to guarantee who the sender is via the key exchange & that the contents haven't been altered.
It's the way all archives would change hands in a perfect world.

Blue2
Premium Member
join:2004-04-14
France

1 edit

Blue2 to JohnInSJ

said by JohnInSJ:

If we train people to distrust the common infection vectors, then perhaps they have a prayer of going more than 5 minutes out of the box before getting infected.
That "common infection vector" is called attachments, not password-protected attachments. And so I return to my original question: Why do zip and rar permit password protection if this means that you implicitly can't trust what the contents are, since you can't scan it before executing it? I can imagine plenty of scenarios where this would happen. Here's a simple one: I password protect a zip so my kids/wife/co-worker/etc. can't get at it. Now, when I find it in my files, how do I know that it is safe to open?

I believe, like msec and Mele pointed out, your resident scanner will catch it when you enter the password and try to open the zip. In that case, being password protected does NOT make it ANY MORE dangerous, since your resident scanner has the same likelihood of stopping it as it would were it NOT password protected.

And surely having to resort to cloud solutions isn't that practical unless you have faith in the cloud.

JohnInSJ
Premium Member
join:2003-09-22
Aptos, CA

said by Blue2:

said by JohnInSJ:

If we train people to distrust the common infection vectors, then perhaps they have a prayer of going more than 5 minutes out of the box before getting infected.
That "common infection vector" is called attachments, not password-protected attachments. And so I return to my original question: Why do zip and rar permit password protection if this means that you implicitly can't trust what the contents are, since you can't scan it before executing it?
I return to my original answer - people now assume that the common infection vector of email attachments is no longer a vector as long as their AV scans all attachments, and it seems like the article is saying AVs can't scan password protected archives (zip, etc) - so that attachment you got via email could have hidden malware in it.

Your question is a philosophical one - why support hyperlink navigation if some links lead to malware? Why have active web content if some of that content is malicious?
said by Blue2:

And surely having to resort to cloud solutions isn't that practical unless you have faith in the cloud.
All security comes down to faith at some point. Or trust, if you prefer that word over faith.

Blue2
Premium Member
join:2004-04-14
France

1 recommendation

said by JohnInSJ:

Your question is a philosophical one - why support hyperlink navigation if some links lead to malware? Why have active web content if some of that content is malicious?
No, it isn't. I don't get this article and I don't think I'm alone in that regard. Having malware hidden in a password protected archive does not seem to make it much different than any other file.

The question I raised, which perhaps eluded you, was simply: how is malware in a password-protected zip archive DIFFERENT than malware in a NON password-protected zip archive? If the AV scanner would have caught it in the NON password-protected archive, why would the AV scanner have any less chance of catching it when you insert the password and try to unpack the archive? (That's hardly philosophical.)

Your hyperlink analogy is rather ridiculous. Cudni stated "block anything password protected" and I suggested that then there would be NO point to having password-protection as a feature in archives. It's akin to saying "Don't open the door to anyone who rings the doorbell". In that case, why have doorbells? Your equivalent analogy should therefore be "why have hyperlink navigation if ALL links lead to malware?" (And I'd agree, why indeed.)

The article Cudni cited seems somewhat misleading: "Antivirus software can't see the hidden payload. Once the file is opened the payload (or malware) is on the system." That implies that once the ARCHIVE is opened, the payload is on the system. But I believe that they mean that the AV can't scan the password-protected archive, but it WILL scan it once it is opened. So what's the difference?

Mele20
Premium Member
join:2001-06-05
Hilo, HI

said by Blue2:

The article Cudni cited seems somewhat misleading: "Antivirus software can't see the hidden payload. Once the file is opened the payload (or malware) is on the system." That implies that once the ARCHIVE is opened, the payload is on the system. But I believe that they mean that the AV can't scan the password-protected archive, but it WILL scan it once it is opened. So what's the difference?
I think that article is trying to say that there are certain loopholes in ZIP format that malware writers are taking advantage of to hide malware that AV cannot see because the format is now nonstandard.

The article is badly written and a good example of why I never visit Cnet except from a link in a thread here. I don't like Cnet.