Microsoft is scanning the inside of password-protected zip files for malware

Discussion in 'privacy general' started by Malcontent, May 15, 2023.

  1. Malcontent
    Microsoft is scanning the inside of password-protected zip files for malware
     
  2. Raza0007
    Thanks for sharing. It is disturbing to read that Microsoft is stealing user passwords sent over its email system, or simply trying to hack or brute force users password protected data.

    It is hilarious reading the comments on the linked article. Most comments are blaming the researcher for putting a malware infected password protected zipped archive in the cloud, as if malware can escape a zipped archive and infect something, and they are congratulating Microsoft for detecting and removing the malware! They seemed to have missed the point that Microsoft just stole a password and hacked into someone's password protected data!

    I myself never put anything sensitive in the cloud, and advise others to do the same. Once you put something in the cloud, it is no longer private, no matter what protection is applied to it.
     
  3. Mr.X
  4. chrisretusn
    Another who agrees with @Raza0007

    It is disturbing. Yes, the comments were amusing. It seems the malware analysts are being made out as the bad guys.
     
  5. reasonablePrivacy
    I don't agree. Some encryption methods are really secure, especially symmetric encryption. And not all data needs super strong protection.
    I recently sent a 7zip file with a concert ticket via GDrive by e-mailing the link, then sent the password by another channel (Facebook message). I am by no means implying that Facebook is a secure second channel (for that use at least Signal, or better, meet in person). I just acknowledged that this protection is good enough for this case.
    While the cloud is a privacy problem, I want to reassure that good, local encryption methods (especially symmetric) combined with secure exchange of passwords are something that people can rely on.
     
  6. aztony
    I'll have to go with M$ on this.
     
  7. xxJackxx
    I don't think anyone should be looking at my passworded files, no matter what is in them. I find it disturbing that they are trying to do so. And more disturbing if they are able to do so reliably. I guess if I want to keep something private it will have to stay on external storage. If I didn't work in IT I'd probably be using Linux by now.
     
  8. itman
    So what's the big deal?

    Select AVs have been scanning password protected archives for some time. Fortinet had a web site, "Test Your Metal" (the site is no longer available), that performed 15 scanning tests against various archive types in regards to your installed AV solution. One of those types was a password protected archive. Fortinet claimed they can scan password protected archives, plus, I believe, Kaspersky, but I can't remember all the AVs listed that could.
     
  9. EASTER
    Yeah, nothing new or groundbreaking. It is quite notable, and I suppose MS stands front & center, that ransomware attacks seem to be fracturing into a decline. Oh, there are plenty, quite formidable I imagine, in active targeted use by bad actors, but defensive measures seem to be staving off onslaughts which were all too common and numerous.

    MS scanning pw protected archives is just another addition for them that Windows users had better get used to if that's their personal AV preference.
     
  10. reasonablePrivacy
    Not everybody uses an AV. Those who do can probably opt out of data sharing, especially with paid AVs. How do I opt out of that cloud scanning?
     
  11. Raza0007
    You have got to be kidding!

    Which AV's can scan inside a password protected archive? This would defeat the purpose of password protecting an archive in the first place! Scanning inside an archive that is protected with a custom user set password is impossible, unless a password is supplied during scanning.

    Could you perhaps be confusing this with SSL or TLS encryption? Those are negotiated between a browser and a server, and yes, AV's can scan SSL and TLS encrypted packets as they have access to the decryption key.

    Here are four links to some leading AV vendors that I was able to pull in a hurry, and they clearly state they cannot scan inside a password protected archive. All other AV's should say the same.

    Bitdefender
    https://www.bitdefender.com/consumer/support/answer/1976/

    Trend Micro
    https://success.trendmicro.com/dcx/s/solution/1101602-detecting-attached-password-protected-files-in-interscan-messaging-security?language=en_US&sfdcIFrameOrigin=null

    Eset
    https://forum.eset.com/topic/27738-scan-password-protected-files/

    Kaspersky
    https://support.kaspersky.com/KTS/21.2/en-US/199493.htm


    What Microsoft is doing is they are stealing user's passwords without their consent, and hacking into private archives. Which is very disturbing!
     
  12. itman
    Don't use anything that is Microsoft cloud based.
     
  13. itman
  14. Raza0007
    So they are doing just what MS did. They intercept the password sent separately through email and only then they can decrypt the archive. Or their client tries to guess the password. If they do not have the password, they cannot decrypt or see inside a password protected archive.
     
  15. itman
  16. zapjb
    At least Fortinet is asking for permission.
     
  17. Raza0007
    So here again Checkpoint is trying to randomly guess/break the password using a dictionary attack. It is also limited to English characters in the password file. So it should only work on passwords like Jane or John or Jerry, etc. They say clearly that if the password cannot be guessed, the archive cannot be read, and it is then marked as malware and quarantined.

    No software can, or should be able to, read a properly password-protected archive.
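The mechanics behind posts 11 and 17 (what a scanner can see without the password, and what a dictionary attack against an archive password actually does) can be shown with a small Python example. This is an added illustration, not code from the thread, from Microsoft, Fortinet or Check Point; it uses only the standard library. It assumes the legacy PKWARE "ZipCrypto" scheme, because that is the only ZIP encryption the standard `zipfile` module can open; since `zipfile` cannot write encrypted members, the archive is laid out by hand. The payload, wordlist and passwords are constructed for the demo.

```python
import io
import struct
import zipfile
import zlib

def _crc_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table

# ZipCrypto's key schedule uses a raw CRC-32 step (no inversion), unlike zlib.crc32().
_CRC_TABLE = _crc_table()

class ZipCryptoEncrypter:
    """PKWARE 'traditional' (ZipCrypto) stream cipher, the scheme zipfile can read."""

    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for c in password:
            self._update(c)

    def _update(self, c):
        k = self.k
        k[0] = _CRC_TABLE[(k[0] ^ c) & 0xFF] ^ (k[0] >> 8)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _CRC_TABLE[(k[2] ^ (k[1] >> 24)) & 0xFF] ^ (k[2] >> 8)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            t = (self.k[2] | 2) & 0xFFFF
            out.append(c ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(c)  # key state advances on the plaintext byte
        return bytes(out)

def build_encrypted_zip(name: str, plaintext: bytes, password: bytes) -> bytes:
    """Hand-build a one-member STORED ZipCrypto archive (zipfile reads but cannot write these)."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    # 12-byte encryption header: 11 filler bytes (random in real tools, fixed here)
    # plus the high byte of the plaintext CRC. Readers verify that byte first, a
    # 1-in-256 filter crackers use to reject most wrong passwords cheaply.
    header = b"\x00" * 11 + bytes([crc >> 24])
    body = ZipCryptoEncrypter(password).encrypt(header + plaintext)
    fname = name.encode("ascii")
    dos_date = ((2023 - 1980) << 9) | (5 << 5) | 15  # 2023-05-15, arbitrary
    flags = 0x0001  # general-purpose bit 0: member is encrypted
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, dos_date,
                        crc, len(body), len(plaintext), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0,
                          dos_date, crc, len(body), len(plaintext), len(fname),
                          0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd

def visible_without_password(archive: bytes):
    """What a scanner sees with no password: member name, uncompressed size and the
    CRC-32 of the plaintext (stored by ZipCrypto and WinZip AE-1; AE-2 zeroes it)."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [(zi.filename, zi.file_size, zi.CRC, bool(zi.flag_bits & 1))
                for zi in zf.infolist()]

def read_member(archive: bytes, member: str, password: bytes) -> bytes:
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(member, pwd=password)

def dictionary_attack(archive: bytes, member: str, wordlist):
    """Return the first candidate that decrypts the member, else None. A wrong password
    normally fails the check byte (RuntimeError); ~1 in 256 then fails the CRC (BadZipFile)."""
    for cand in wordlist:
        try:
            read_member(archive, member, cand.encode())
            return cand
        except (RuntimeError, zipfile.BadZipFile):
            continue
    return None

# Constructed wordlist and payload for the demo; the payload is not malware.
WORDLIST = ["123456", "password", "jane", "john", "jerry", "infected", "malware"]
PAYLOAD = b"constructed sample content, not real malware\n"

if __name__ == "__main__":
    weak = build_encrypted_zip("sample.exe", PAYLOAD, b"infected")
    strong = build_encrypted_zip("sample.exe", PAYLOAD, b"correct horse battery staple 7x")
    print(visible_without_password(weak))                     # name, size, CRC in the clear
    print(dictionary_attack(weak, "sample.exe", WORDLIST))    # infected
    print(dictionary_attack(strong, "sample.exe", WORDLIST))  # None
```

Two things the example makes visible. First, the member name, size and plaintext CRC-32 sit unencrypted in the central directory, so a scanner can match an archive against a known sample (the common "infected" convention included) without ever decrypting it. Second, guessing is cheap: the 12-byte header lets a cracker discard 255 of every 256 wrong passwords before looking at the data, which is what makes wordlists of names like "Jane" or "John" practical. Tools such as hashcat's PKZIP modes and John the Ripper do exactly this at scale, and bkcrack recovers ZipCrypto's internal keys from about 12 bytes of known plaintext with no password at all, so ZipCrypto should be treated as broken regardless of password strength. AES-256 in 7-Zip or WinZip removes that cipher weakness, but a .zip still exposes names and sizes; only the .7z format with header encryption (`-mhe=on`) hides the file listing too.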
     
  18. Raza0007
    Yes, I think that article is meant for admins to configure their email clients to be able to deal with password protected archives.
     
  19. pegas
    Unfortunately, it is not uncommon lately that bad things are justified to people by saying that they are actually done for their own good. And the even greater tragedy is that many people believe it and thank them for it.
     
  20. reasonablePrivacy
    I may not use it. That doesn't change the fact that recipients or senders can...
    AVs have various options to opt out, and if you don't opt out some scans are only done locally.
    As much as I don't like AVs, cloud takes privacy invasion to a whole new level.
    No data is truly private on cloud without using strong encryption and exchanging credentials in a thoughtful way. In other words, one needs to resist service providers on a daily basis...
     
  21. itman
    Good article here: hxxps://sansorg.egnyte.com/dl/Lw51vSbooP on using password cracking tools to read password protected files.
     
  22. xxJackxx
    Agreed! There are no circumstances where I want a vendor examining the contents of files I have encrypted. I may have private financial data in there. If they are even capable of doing this then it was pointless to password it in the first place. We've already seen that we can't trust them to not upload our data.
     
  23. Raza0007
    Interesting article. Password cracking tools only work on weak passwords, or passwords randomized using old/obsolete hashing algorithms like SHA-1. Brute force attacks also only work on obsolete or weak encryption standards. If someone is protecting their data using any of these methods, they deserve to be hacked and should not complain.

    But the point of the original article was that a researcher stored their password protected archive (I am assuming an encrypted archive) on a Microsoft SharePoint server and emailed their colleagues the password. Microsoft intercepted the email, obtained the password without consent, decrypted the archive, discovered malware inside, and deleted the archive, all done supposedly in service of the greater good. Microsoft did not crack the password or brute force the encryption; they committed theft by stealing someone's password without consent.

    This is what is disturbing.
     
    Last edited: May 17, 2023
  24. Raza0007
    Exactly, it is like a bank going through the contents of your safety deposit box, without your consent, to look for contraband. A noble aim sure, but illegal without a warrant from law enforcement.
     
  25. Mr.X
    Can't find flaws in your logic.
    Thanks for wrapping this up in a few sentences.
     