This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Antivirus: Scan malicious code in double zip archives ?

We received today a double Zip compressed archive file with malicious code by email.
The file was not recognized by the UTM as malicious code.
Scans the UTM ever double packed archive files ? We have activated the 'Dual Scan' option, but there are no option for the 'scan depth' of an archive file.

This thread was automatically locked due to age.

0 BAlfson over 10 years ago

Andi, the person that opened that zip needs to learn a bit more caution. I can't imagine anyone being foolish enough to open a suspiciously double-zipped file. You do have the option to 'Quarantine unscannable and encrypted content', but that requires more effort by the administrator - hopefully, your manager understands that.

Then again, if this is at home and one of your kids got this, my heart goes out to the child. I'd be glad to take a look at the email headers and report the criminal in that case.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 teched_01 over 10 years ago

This information is for the web-proxy scanner. Similar testing could be done for email.

I dusted off some previous informal nested zip testing and it looks like:
9.113, Avira engine: detected EICAR at 100 layers, download passed at 101.
9.113, Sophos engine: detected EICAR at 10 layers, download passed at 11.
Cancel
Vote Up 0 Vote Down

Cancel
0 AndiS over 10 years ago

It seems that the engine can examine nested zip attachments.

I have sent in the last week received message to my external email address and then a virus in the file has been detected. This was not recognized as they are received.
Malware (Troj/Agent-AIVM)
Cancel
Vote Up 0 Vote Down

Cancel