How Well Does Your AV Solution Detect Archived Malware?

Discussion in 'other anti-virus software' started by itman, May 25, 2018.

  1. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    Ran the test and seeing the same as you. Windows 10x64 1803 (Enterprise) and all 18 are blocked by doing the test manually. :)
     
  2. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Doing the tests manually, my system scored 17/18. It failed the Passworded ZIP test file.
    Any suggestions on what to do about that?
    7 x 64
     
  3. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Perfect, Trooper. :thumb:
    Hi Page42,
    When you unpack the archive (the password is "infected"), then you should see the content detected and removed. :)
     
  4. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    This has to be the oddest test I've ever seen.

    1). Regarding a given Security Solution and archived malware, that Security solution can protect by either:

    A). detecting malware from within the archive,
    B). detecting the malware on extraction
    C). detecting the extracted malware file on run.

    If either B or C is True, it is trivial if A is True as the security product will bag the malware before it will infect. And as I personally have Never Ever (never ever) seen or heard of a security product that can detect malware from within an archive ONLY (and not on expansion or on run), in terms of actual protection does it really matter?

    Essentially what Fortinet is telling us is that they have some sort of proprietary code that mimics stuff like tarsum, WinCryptHashers, etc. to detect Hash values from within a host of compression routines. And by this method it acts like any other traditional anti-malware product - it will detect what it can detect (what it has a definition for).

    (another possibility does exist- that somehow the archive is shunted off to FortiSandbox where the files would be expanded and run within the Sandbox where the determination of malicious intent would be done. But I don't think this is the case- see #3 below).

    2). In Post #8 above, it was stated "However, unextracted scanning can also be useful in situations where the files contain no individual threats, but the archive itself is malicious. This is especially true for self-extracting archives".

    Yes indeed, a self-extracting archive (sfx) can be malicious by either posing as a sfx file, or having a legitimate sfx file with a malware dropper coded in. But in either case these must be viewed as unique malware and as such have nothing to do with this test.

    3). Password protected archives- Here I feel Fortinet treats us like we are ignorant. It goes without saying that Fortinet cannot "guess" the password, and thus must be implementing the same determination of checksum that is used for files contained within regular archives. Also note that for a password protected archive to do anything the password must be input, thus reverting to a regular archive.
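As an added illustration of points 1A and 3 (this is example code, not anything from the thread or from Fortinet), the sketch below inspects ZIP members in place without extracting them to disk, recurses into nested archives, and shows what a scanner is left with when a member is password protected: the content is unreadable, but a ZipCrypto entry still carries the plaintext CRC-32 in its header, so a known checksum can be matched without the password. The sample bytes, the toy "definitions" and the flag-bit patching in `build_zip` are all constructed for the demonstration.

```python
import hashlib
import io
import struct
import zipfile
import zlib

# Constructed stand-in for the EICAR string (not the real test pattern).
SAMPLE = b"CONSTRUCTED-ARCHIVE-SCAN-TEST-PATTERN"
# Toy "definitions": a content hash, plus the plaintext CRC-32 that ZipCrypto
# entries keep in the header even when password protected (WinZip AES "AE-2"
# entries store a zero CRC, so this fallback does not help there).
KNOWN_SHA256 = {hashlib.sha256(SAMPLE).hexdigest(): "Test-Pattern"}
KNOWN_CRC32 = {zlib.crc32(SAMPLE): "Test-Pattern"}


def scan_zip(data: bytes) -> list[tuple[str, str, str]]:
    """Return (member, verdict, method) for each file in an in-memory ZIP,
    scanning members in place (option A above) and recursing into nested
    .zip members; encrypted members are judged on header metadata only."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                hit = KNOWN_CRC32.get(info.CRC)  # content unreadable without the password
                results.append((info.filename, hit or "unknown (encrypted)", "crc32-header"))
            elif info.filename.lower().endswith(".zip"):
                inner = scan_zip(zf.read(info))
                results.extend((f"{info.filename}/{m}", v, how) for m, v, how in inner)
            else:
                hit = KNOWN_SHA256.get(hashlib.sha256(zf.read(info)).hexdigest())
                results.append((info.filename, hit or "clean", "sha256-content"))
    return results


def build_zip(member: str, content: bytes, mark_encrypted: bool = False) -> bytes:
    """Build a one-member ZIP in memory (constructed test input). mark_encrypted
    sets the 'encrypted' flag bit in the local header (offset 6) and the central
    directory entry (offset 8); the bytes are NOT really encrypted, which is
    enough to exercise the metadata-only path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, content)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        cd = data.rfind(b"PK\x01\x02")  # central directory follows the file data
        for off in (6, cd + 8):
            struct.pack_into("<H", data, off, struct.unpack_from("<H", data, off)[0] | 1)
    return bytes(data)
```

Run `scan_zip(build_zip("eicar.txt", SAMPLE, mark_encrypted=True))` to see the header-only verdict for a "passworded" member next to the content-hash verdict for a plain one.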
     
  5. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
    I've seen self extracting archives mentioned a couple of times. Remember, self extracting archives are almost always going to have a ".exe" extension and for almost all purposes these are executable files more than they are archives. Almost every installer ever made is compressed, so it is an executable file more than it is an archive. For anyone reading that is not greatly experienced on the subject, zip files do not magically extract themselves. Also, if there is concern that an archive with malicious code can be extracted by a malicious program for malicious purposes, once you have reached the point that the program doing the extracting is on your PC you are already past the point where it matters what is in the archive.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Web filtering, my girl.

    Intercept the download in the network buffer, sandbox it, unencrypt if from HTTPS web site or POPS/IMAPS e-mail, and extract/run the archive.
     
  7. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Itman- But web filtering would only apply if the archive was downloaded. The checksum method has broader applications. Also, as the various products (including Forti) have other protection modalities in place, the extraction and running of an archive in a sandbox first could be considered overkill as that further protection would come into play on actual file run. And as I stated above, the sandbox extraction method would make it different from the detection routine used for password protected archives.

    Jack- Yeah, a sfx archive does not really pertain to this discussion. I brought it up only as it was referenced in an earlier post. And a fun fact- even though the following addition would also change an sfx file to a "sfx file plus", one can tack on a script to run a file immediately after that file is extracted.
     
  8. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
    Yeah, I wasn't picking on you but mentioned it because it had appeared in more than 1 post. You can do amazing things with a SFX file, I have written entire software patches and unattended installers with them that can run batch files or vbscript (or whatever). But as we agree, these are executable files that are beyond the scope of this. Just making points to lurkers that may be learning.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I ran the test again selecting the "Run All Tests" option. Using TCPView, I observed the files being received in my network buffer; most are 1 MB+. So as far as I am concerned, the files are indeed being downloaded.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  11. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Itman- I now understand what you meant. I took a broader view- when I read about the purpose of this test it was stated first that it:

    "Analyzes how well your current security detects an EICAR[1] test sample virus pattern, stand-alone and compressed in different formats"

    For me, this indicates that the protection afforded by the Forti appliance is without regard to the source (web, email, USB, etc.) and is done locally. For Forti's sake I hope this is the case as a great many Enterprise Customers may take umbrage at archives containing sensitive materials being extracted in somebody's Cloud.
     