
Alert and/or Block files inside more than X zipped (zip inside a zip inside a zip..)

Updated: 04 Jan 2010 | 4 comments
Naor Penso | 3 Agree, 1 Disagree | +2, 4 Votes
Status: Reviewed

Today, you can define how deep the anti-virus goes inside a zip file (up to X times), but if the zip is inside a larger number of zips, then the anti-virus passes it as if it is OK, and it could be malicious (refer to en.wikipedia.org/wiki/Zip_bomb for example).
I want to be alerted when a file is zipped more than X times (could be 10, could be 100), and I want to be able to block zip files that are zipped more than X times.
It's a serious threat that isn't dealt with by any security company.
It could also refer to Vontu DLP with its file scanning engine (it could be a way to extract confidential data outside the organization).
It could also refer to Brightmail when it receives malicious mails.
Hope to see it soon.
Thanks.

Comments

Jeremy Dundon | 16 Nov 2009 | 0 Votes

Something you may not have thought of.

Files have to be extracted from an archive before they can be executed.

No matter how many layers deep they are they will be extracted before they can be run and Autoprotect will catch them. 

TSE-JDavis | 18 Dec 2009 | 0 Votes

What you have described would be an unscannable file.

You can modify the action to take on those types of files in the Administration tab under Groups and Default. Check the Virus tab and choose the rule you want to use for 'Unscannable inbound email message policy:'

TSE-JDavis | 18 Dec 2009 | 0 Votes

Sorry, these steps are for the Brightmail Gateway Appliance. It differs depending on which product you are using but all of our mail security products have this feature. It is called Scan Error on Mail Security for Domino.

groberts | 18 Dec 2009 | 1 Vote (+1)

Symantec Mail Security for Microsoft Exchange does in fact have a mechanism for dealing with excessive nested zip files. I would assume other products do as well, but I can't say that 100% as SMSMSE is the product I am most familiar with. A file with more nested files than defined by the administrator would be treated as "unscannable" and could simply be logged, or if you like, quarantined/deleted.
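The behaviour discussed in this thread, a nesting limit beyond which an archive is treated as "unscannable" rather than passed as clean, shown as an added Python example. It is not part of any post above and is not Symantec product code; the names `classify` and `nest`, the limits, and the policy value are assumptions, and the sample archives are constructed and harmless.

```python
import io
import zipfile

MAX_DEPTH = 3              # assumed administrator-defined nesting limit
MAX_BYTES = 10_000_000     # assumed cap on total declared uncompressed size
ON_UNSCANNABLE = "quarantine"  # assumed policy; "log" or "delete" also fit

def classify(data, max_depth=MAX_DEPTH, budget=MAX_BYTES):
    """Return ("scannable", leaf_paths) or ("unscannable", reason)."""
    leaves, left = [], [budget]

    def walk(blob, depth, path):
        if depth > max_depth:
            raise ValueError(f"nesting depth exceeds {max_depth} at {path}")
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # Charge the declared size before inflating anything.
                left[0] -= info.file_size
                if left[0] < 0:
                    raise ValueError(f"size budget exceeded at {path}")
                inner = zf.read(info)
                name = f"{path}/{info.filename}"
                if zipfile.is_zipfile(io.BytesIO(inner)):
                    walk(inner, depth + 1, name)
                else:
                    leaves.append(name)  # hand this file to the scanner

    try:
        walk(data, 1, "<root>")
    except (ValueError, RuntimeError, NotImplementedError,
            zipfile.BadZipFile) as exc:
        # Encrypted, corrupt, too deep or too large: never pass as clean.
        return "unscannable", str(exc)
    return "scannable", leaves

def nest(levels, payload=b"constructed sample payload"):
    """Build a harmless test archive wrapped `levels` times."""
    blob, name = payload, "payload.txt"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, blob)
        blob, name = buf.getvalue(), f"layer{i}.zip"
    return blob

if __name__ == "__main__":
    for n in (2, 3, 4):
        verdict, detail = classify(nest(n))
        action = "scan" if verdict == "scannable" else ON_UNSCANNABLE
        print(n, verdict, action, detail)
```

The size budget is charged from each entry's declared size before it is read, so an archive that expands enormously at a shallow depth is rejected the same way as one that is nested too deeply.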