Overview

There are many possible ways to create a corrupted archive file that remains readable to some unpacking tools while being unreadable to others, including endpoint protection products in general. These endpoint protection products can only detect malware hidden inside such a corrupted archive once a third-party tool unpacks its contents and the unpacked files are picked up by on-access scanning.

We would like to thank Thierry Zoller for reporting such a case in the Sophos AV engine with a specially crafted ZIP file.

There is no security impact on systems running a Sophos Endpoint Protection Product, as the malware will be detected at a later point in the attack chain (i.e. when it is written to disk or attempts to execute). However, there is a potential impact on gateway products (firewall, etc.), where the basic assumption is that only safe files should be allowed through.

An internal review by Sophos determined that the default configuration of the SG UTM, up to version 9.7, was not set to block or quarantine corrupted or otherwise unscannable archives. The default configuration has been changed in SG UTM 9.7 MR1. All other Sophos gateway products would block or quarantine corrupted or unscannable archives appropriately, and are therefore not impacted.

Impact

Malware hidden in corrupted archives, which would otherwise be detectable, may traverse a gateway that is not configured to block or quarantine such archives. Systems behind the gateway that do not run any endpoint protection software are potentially at risk of executing the malware.

Remediation

  • SG UTM 9.7 MR1

What To Do

Sophos recommends that all firewall administrators, especially those using SG UTM, review their configuration settings for blocking or quarantining corrupt or unscannable content, and change the setting to "block" unless explicitly required otherwise.

Sophos also recommends that all endpoints and servers run appropriate protection software as another layer of defense, in case a corrupt or unscannable archive arrives by a route that does not traverse a gateway product.
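To make the "block vs. allow unscannable" setting concrete, here is an added example of a fail-closed archive gate; it is not Sophos code and does not model the SG UTM implementation. The scanner callback, the marker string and the in-memory sample archives are all constructed for illustration.

```python
import io
import zipfile
from enum import Enum
from typing import Dict

class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    UNSCANNABLE = "unscannable"  # archive could not be fully parsed

# Hypothetical scanner: a constructed marker stands in for a real signature.
MALICIOUS_MARKER = b"CONSTRUCTED-MALWARE-MARKER"

def content_is_malicious(data: bytes) -> bool:
    return MALICIOUS_MARKER in data

def scan_zip(data: bytes) -> Verdict:
    """Unpack and scan every member; any parse failure is reported as
    UNSCANNABLE rather than silently treated as clean."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # read() cross-checks the local header against the central
                # directory entry and verifies the member's CRC-32.
                if content_is_malicious(zf.read(info)):
                    return Verdict.BLOCK
        return Verdict.ALLOW
    except Exception:  # BadZipFile, EOFError, truncated or garbled data
        return Verdict.UNSCANNABLE

def gateway_decision(data: bytes, block_unscannable: bool) -> Verdict:
    """Apply the gateway policy. With block_unscannable=False (the
    permissive setting), an unscannable archive is allowed through."""
    verdict = scan_zip(data)
    if verdict is Verdict.UNSCANNABLE:
        return Verdict.BLOCK if block_unscannable else Verdict.ALLOW
    return verdict

def build_zip(members: Dict[str, bytes]) -> bytes:
    """Constructed sample input: a small in-memory ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

def truncate_tail(data: bytes, n: int) -> bytes:
    """Constructed corruption: drop the tail holding the end-of-central-
    directory record, so the archive can no longer be parsed."""
    return data[:-n]
```

Running the gate over a truncated archive shows the difference between the two settings: the same file passes with the permissive policy and is blocked with the fail-closed one.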

See Also

https://nvd.nist.gov/vuln/detail/CVE-2020-9363