Password-Protected Archives

Discussion in 'other anti-virus software' started by Gargoyle, Jun 5, 2007.

Thread Status:
Not open for further replies.
  1. Gargoyle

    Gargoyle Registered Member

    Joined:
    Jun 2, 2007
    Posts:
    67
    The only anti-virus program that I found that can scan password-protected archives (such as .rar files) is Kaspersky. Nod32 and Avira do not. The problem with Kaspersky is that the scan sometimes freezes and never completes. Are there any good anti-virus programs out there that scan password-protected archives?
     
  2. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Why does it matter? You will need to open and extract the archive anyway for the malware to infect your PC....
     
  3. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    If you want to wait a few years for your AV to break the AES encryption of your RAR archives.... RAR uses strong encryption, so unless you use really stupid passwords, no AV will be able to scan the contents.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If this was true and KAV was actually using brute force to guess the password, then it might take years to decompress such files :eek:
     
  5. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    There's an option in KAV for the user to choose whether they want to scan password-protected archives, and for everyone's info: the real way KAV does it is to ask the user to input the password when it comes across such archives.
     
  6. plantextract

    plantextract Registered Member

    Joined:
    Feb 13, 2007
    Posts:
    392
    true, but it has some "password protected exe" detection for single exe files in password protected zips. (of course not every zip is flagged)
     
  7. Technic

    Technic Registered Member

    Joined:
    Aug 31, 2005
    Posts:
    428
    I think he meant KAV will warn about password protected file while DOWNLOADING. Sounds like a good feature. ;)
     
  8. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    On a decent CPU (1,5GHz should be enough) you should be able to quickly brute force most of the email worms that were usually using just 4-digit numerical passwords.
     
  9. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    If you're running the antivirus on a (mail) server, it may get into trouble in the case of a widespread infection... a lot of brute-forcing to do ;)
    (I believe some Beagle variants also used 5, or maybe even 6, digits.)
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Once a malware author discovers that a particular antivirus does that he will use a more complex password for future variants. For instance, some Zlob droppers use passwords consisting of about 15 characters as I recall.
     
  11. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,728
    Location:
    localhost
    Hi!
    Probably a stupid question: since the zipped malware needs to be opened to infect systems, and since the password is usually included in the e-mail, wouldn't it, in principle, be very easy to locate it and use it in the AV scanner?

    Fax
     
  12. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    Not if the password is attached in a (slightly distorted) image...
     
  13. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,728
    Location:
    localhost
    Yep good point... like spam.

    Is this the way they are currently doing it? I assume it should be easy for the reader to recognise the password, otherwise it may just be too suspicious and the e-mail simply dumped.

    By the way, with images they will likely be filtered out by spam engines....

    Fax
     
  14. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Problem with that is, are all the victims willing to type that long password?
    Although ppl tend to confirm all the stupidity there is...
     
  15. Gargoyle

    Gargoyle Registered Member

    Joined:
    Jun 2, 2007
    Posts:
    67
    People are taking things out of context so let me clarify.

    I download password protected archives off of websites like Rapidshare and Megaupload. I will be given a password to unlock these archives and as these files are uploaded by total strangers, I need to know if they are free from malware. Now, Kaspersky is not the only piece of security software on my computer but it is always best to add an extra layer of protection.

    As for the non-Kaspersky users, there is an option to scan these archives as long as you enter a password before doing so. No cracking and whatnot that some of you keep on mentioning.

    And, since no one has answered my only question, I will have to assume there isn't any anti-virus that scans password-protected archives.
     
  16. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    We did answer you. Antiviruses do use certain methods to unpack password-protected archives. I know that Kaspersky and BitDefender brute forced and/or read the password from the email body to unpack such archives. That was back in the era of Beagle and MyDoom, if you still remember those days. Trying to unpack ALL archives with such a method is simply impossible. Firstly, you don't always have a password to be read (limited to certain emails only) and second, brute-forcing all archives is a time and processing power wasting thing.
    Doing it on slow processors is impossible and will take ages even on the most powerful quad core Core 2 Duo CPU. You can quickly brute force simple passwords (for example only numerical passwords up to let's say 10 characters long) but trying to brute force complex passwords that are alpha-numerical or full ASCII space can take awfully long with just 6-8 characters; brute forcing full ASCII longer than 10 chars is just not economical for a personal computer as it would take like 1-2 years to break it on a 2,5-3GHz x86 CPU, which should be the most common today. And even then the success rate isn't 100% if you placed certain restrictions to speed it up. So to make a long story short, they're brute forcing it only on special occasions, and even that with a very good reason and special rules to speed up the process. Otherwise it's just not worth it.
     
  17. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    That's the behaviour I've observed with some Zlob samples at VirusTotal; NOD32 reports them as "the file is probably password protected".
     
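A check of the kind posts 6 and 17 describe, as an added example that is not code from Kaspersky, NOD32 or any other product in this thread: it reads only the ZIP central directory, so it needs neither the password nor an extraction, and it reports (a) which members are encrypted, meaning their content cannot be scanned, and (b) the "single encrypted executable" shape that gets an archive flagged as probably password protected. The sample archives, file names and the helpers `assess_archive` and `mark_encrypted` are constructed for this example; password protection is simulated by setting general-purpose bit 0, the flag that real encrypted entries carry, so no cipher is involved.

```python
"""Flag password-protected ZIP archives from the central directory alone.

Added example, not code from any antivirus product. Encryption in the samples
is simulated by setting general-purpose bit 0 (the flag real encrypted ZIP
entries carry); the archives themselves are built in memory with the stdlib.
"""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"           # end-of-central-directory record
CEN_SIG = b"PK\x01\x02"            # central directory file header
ENCRYPTED_BITS = 0x0001 | 0x0040   # bit 0: entry is encrypted, bit 6: "strong encryption"
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def _central_entries(data: bytes):
    """Yield (central_header_offset, name, flags, local_header_offset) per member."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP archive: no end-of-central-directory record")
    # EOCD: sig, disk, cd_disk, entries_on_disk, entries_total, cd_size, cd_offset, comment_len
    _sig, _d, _cdd, _nd, entries, _cd_size, cd_offset, _clen = struct.unpack(
        "<4sHHHHIIH", data[eocd:eocd + 22])
    pos = cd_offset
    for _ in range(entries):
        if data[pos:pos + 4] != CEN_SIG:
            raise ValueError("corrupt central directory at offset %d" % pos)
        # fields from offset 8: flags, method, time, date, crc, csize, usize, name/extra/comment lengths
        (flags, _method, _time, _date, _crc, _csize, _usize,
         name_len, extra_len, comment_len) = struct.unpack("<HHHHIIIHHH", data[pos + 8:pos + 34])
        local_off = struct.unpack("<I", data[pos + 42:pos + 46])[0]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield pos, name, flags, local_off
        pos += 46 + name_len + extra_len + comment_len


def assess_archive(data: bytes) -> dict:
    """Classify an archive without extracting it or knowing its password."""
    members = [{"name": n, "encrypted": bool(f & ENCRYPTED_BITS)}
               for _, n, f, _ in _central_entries(data)]
    encrypted = sum(m["encrypted"] for m in members)
    if encrypted == 0:
        verdict = "unencrypted"            # contents can be scanned normally
    elif len(members) == 1 and members[0]["name"].lower().endswith(EXECUTABLE_EXTS):
        verdict = "suspicious"             # one encrypted executable: classic mail-worm packaging
    else:
        verdict = "password-protected"     # unscannable; ask for the password or quarantine
    return {"members": members, "encrypted_count": encrypted, "verdict": verdict}


def build_zip(files: dict) -> bytes:
    """Constructed sample: an ordinary (unencrypted) archive built with the stdlib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(data: bytes) -> bytes:
    """Simulate password protection by setting bit 0 in every local and central header."""
    buf = bytearray(data)
    for cen_pos, _name, flags, local_off in list(_central_entries(data)):
        struct.pack_into("<H", buf, cen_pos + 8, flags | 0x0001)
        local_flags = struct.unpack_from("<H", buf, local_off + 6)[0]   # local header: sig(4) ver(2) flags(2)
        struct.pack_into("<H", buf, local_off + 6, local_flags | 0x0001)
    return bytes(buf)


if __name__ == "__main__":
    samples = {  # constructed inputs
        "docs.zip": build_zip({"report.txt": b"quarterly numbers", "notes.txt": b"todo"}),
        "docs-locked.zip": mark_encrypted(build_zip({"report.txt": b"...", "notes.txt": b"..."})),
        "photo-locked.zip": mark_encrypted(build_zip({"photo.exe": b"MZ" + b"\0" * 64})),
    }
    for fname, blob in samples.items():
        r = assess_archive(blob)
        print(f"{fname}: {r['verdict']} ({r['encrypted_count']}/{len(r['members'])} members encrypted)")
```

The point for a gateway or mail scanner is that the member names and the encryption flag are readable in cleartext even when the data is not, so the "one encrypted .exe" case can be flagged or held without any brute force. RAR uses a different header format (and, as noted above, can also encrypt file names), so it would need its own parser; the decision logic is the same.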
  18. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,728
    Location:
    localhost
    You simply can't be infected by just decompressing the file....
    After you have your file(s) extracted then you can scan with whatever scanner...

    Or I am missing something?

    Fax
     
  19. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    totally agree, never understood the need for this.
     
  20. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Ever heard of gateways, email servers, transitional data transfers (you get the data but you don't extract it, but pass it directly to let's say your friend)? You need archive scanning for this.
     
  21. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Yes, but I didn't think the OP was talking from a gateway perspective here. :)
     
  22. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Transitional data transfers are quite common in home user environments.
     
  23. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Kaspersky can't scan .rar archives that are protected with a password.
    No AV can unless using brute force, which would take ages.

    Old zip archives are another thing as they use the most crappy password protection known to man.
     
  24. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    Heh, certainly not ;)
    I mean, the old ZIP encryption is certainly not very strong, but compared to ARJ, for example, it's bulletproof :D
    And many authors implemented even much worse...
     