Password-Protected Archives

The only anti-virus program that I found that can scan password protected archives (such as .rar files) is Kaspersky. Nod32 and Avira do not. Problem with Kaspersky is that the scan sometimes freezes and never completes. Are there any good anti-virus program out there that scans password protected archives?

 

Why does it matter? You will need to open and extract the archive anyway for the malware to infect your PC....

 

If you want to wait a few years for your AV to break the AES encryption of your RAR archives.... RAR uses strong encryption, so unless you use really stupid passwords, no AV will be able to scan the contents.

 

If this was true and KAV was actually using bruteforce to guess the password then it might take years to decompress such files

 

There's an option in KAV for the user to choose whether they want to scan password-protected archives, and for everyone's info: the real way KAV does it is to ask the user to input the password when it comes across such archives.

 

true, but it has some "password protected exe" detection for single exe files in password protected zips. (of course not every zip is flagged)

 

I think he meant KAV will warn about password protected file while DOWNLOADING. Sounds like a good feature.

 

On a decent CPU (1,5GHz should be enough) should be enough to quickly brute force most of email worms that were usually using just 4 digit numerical passwords.

 

If you're running the antivirus on a (mail) server, it may get into troubles in case of a widespread infection... lot of bruteforcing to do
(I believe some Beagle variants also used 5, or maybe even 6 digits.)

 

Once a malware author discovers that a particular antivirus does that he will use a more complex password for future variants. For instance, some Zlob droppers use passwords consisting of about 15 characters as I recall.

 

Hi!
Probably a stupid question: since the zipped malware need to be opened to infect systems and since the password is usually included in the e-mail, wouldn't it, in principle, very easy to locate it and used by the AV scanner?

Fax

 

Not if the password is attached in a (slightly distorted) image...

 

Yep good point... like spam.

Is this the way they currently doing it? I assume it should be easy for the reader to recognise the password, otherwise it may just be too suspicious and the e-mail simply dumped.

By the way, with images they will likely be filtered out by spam engines....

Fax

 

Problem with that is, are all the victims willing to type that long password?
Although ppl tend to confirm all the stupidity there is...

 

People are taking things out of context so let me clarify.

I download password protected archives off of websites like Rapidshare and Megaupload. I will be given a password to unlock these archives and as these files are uploaded by total strangers, I need to know if they are free from malware. Now, Kaspersky is not the only piece of security software on my computer but it is always best to add an extra layer of protection.

As for the non-Kaspersky users, there is an option to scan these archives as long as you entered in a password before doing so. No cracking and whatnot that some of you keep on mentioning.

And, since no one has answered my only question, I will have to assume there isn't any anti-virus that scan password-protected archives.

 

We did answered you. Antiviruses do use certain methods to unpack password protected archives. I know that Kaspersky and BitDefender brute forced and/or read the password from email body to unpack such archives. That was back in era of Beagle and My Doom if you still remember those days. Trying to unpack ALL archives with such method is simply impossible. Firstly you don't always have password to be read (limited to certain emails only) and second, brute-forcing all archives is a time and processing power wasting thing.
Doing it on slow processors is impossible and will take ages even on most powerful quad core Core 2 Duo CPU. You can quickly brute force simple passwords (for example only numerical passwords up to lets say 10 characters long) but trying to brute force complex passwords that are alpha-numerical or full ASCII space can take awful long with just 6-8 characters, brute forcing full ASCII longer than 10 chars is just not economical for personal computer as it would take like 1-2 years to break it on a 2,5-3GHz x86 CPU which should be the most common today. And even then success rate isn't 100% if you placed certain restrictions to speed up that. So to make long story short, they're brute forcing it only on special ocasions and even that with a very good reason and special rules to speed up the process. Otherwise it's just not worth it.

 

That's the behaviour I've observed with some Zlobs samples at Virustotal, NOD32 reports them as "the file is probably password protected"

 

You simply can't be infected by just decompressing the file....
After you have your file(s) extracted then you can scan with whatever scanner...

Or I am missing something?

Fax

 

totally agree, never understood the need for this.

 

Ever heard of gateways, email servers, transitional data transfers (you get the data but you don't extract it, but pass directly to lets say your friend)? You need archive scanning for this.

 

Yes, but I didn't think the OP was talking from a gateway perspective here.

 

Transitional data transfers are quiet common in home users environment.

 

Kaspersky can't scan .rar archives that's protected with a password.
No AV can unless using brute which would take ages.

Old zip archives is another thing as they use the most crappy password protection known to man.

 

Heh, certainly not
I mean, the old ZIP encryption is certainly not very strong, but compared to ARJ, for example, it's bulletproof
And many authors implemented even much worse...