No mime-type detection inside zipped files #724

klipa01 opened this issue Mar 30, 2022 · 3 comments

klipa01 commented Mar 30, 2022

Hello,
As far as I can see there is no detection for banned mime-types or file extensions within compressed files (as commercial products do). The filter can easily be bypassed by just adding the bad files to a zip file. This only works if .zip extensions or the corresponding mime-types are allowed in the config, of course. But I don't think blocking compressed files globally would be a good solution.

Would it be possible to get a detection for mime-types inside compressed files?

Regards,
Josef

@philipianpearce philipianpearce changed the title No mime-type detection inside compressed files No mime-type detection inside zipped files Mar 30, 2022
@philipianpearce philipianpearce self-assigned this Mar 30, 2022
@philipianpearce (Contributor)

E2g does support detection of banned mime-types and file extensions within an HTTP compressed transport such as zip.

But not within zipped files.

Virus scan plug-ins may support scanning of zip files, but as far as any HTTP filter is concerned a zip file is just a file. .zip and .tz files often have huge payloads, so running any extraction on these files would be impractical due to the delay involved. Also, files in a .zip file are not labeled with a mime type (the mime labeling is part of HTTP and mail protocols), so only file extensions would be available. File extensions are unreliable, and so, if you can control the web server end, blocking could still be avoided by using a different extension.

So to protect users, block zip etc. files and only allow these from trusted sites that you know are ok. Or allow zip files only to users who are trained not to click on files within zip archives.

I'm not aware of any network-based web filtering solution (os or commercial) that examines file types within zip files. If you know of one that does do this please let me know which one it is!

Philip


klipa01 commented Mar 31, 2022

Hello Philip,

thank you for your quick answer.

A web filtering solution which detects mime-types within zip files is Trend Micro InterScan Web Security. I have been using this content screen for many years now. But this product is almost end of life.

Not a web content screen but the open source mail filter amavis analyzes files within compressed containers. For this purpose it handles the files temporarily with the appropriate (un-)packer. In addition to the virus-scan the analysis includes checks for extensions and mime-types.

The command line tool file is also capable of determining mime-types within compressed files. If multiple files are included, they are classified as application/octet-stream.

You are right, the extraction of zip files leads to delay, but I think it's essential for a reliable analysis. The big payloads are a problem, of course. Maybe this can be controlled by parameters. Virus scanners have appropriate switches for handling huge zip files (e.g. limits for size or recursion level), too. I think the biggest risks are the small zip files, with or without password protection, because they are used to obfuscate malware payloads.

Regards,
Josef
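The inspection approach discussed in the thread (unpack the container, classify each entry by content rather than by its extension, and cap size and recursion as virus scanners do) written out as an added Python example; this is not code from the thread or from the filter project, and the magic-byte table, the banned-type set and the limit values are illustrative assumptions.

```python
import io
import zipfile

MAGIC = [  # constructed magic-byte table; a real filter would use a full sniffer
    (b"MZ", "application/vnd.microsoft.portable-executable"), (b"\x7fELF", "application/x-executable"),
    (b"%PDF", "application/pdf"), (b"PK\x03\x04", "application/zip"),
]
BANNED = {"application/vnd.microsoft.portable-executable", "application/x-executable"}  # assumed policy


def sniff(head: bytes) -> str:
    """Classify an entry by its leading bytes, ignoring the (unreliable) file extension."""
    return next((mime for magic, mime in MAGIC if head.startswith(magic)), "application/octet-stream")


def inspect_zip(data, max_entries=200, max_total=50_000_000, max_depth=2, depth=0):
    """Return (path, mime, reason) findings; the limit values are illustrative assumptions."""
    if depth > max_depth:
        return [("<archive>", "application/zip", "nesting depth exceeded")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "application/octet-stream", "not a valid zip")]
    infos = [i for i in zf.infolist() if not i.is_dir()]
    # Cap work up front: the central directory gives entry count and declared sizes without extraction.
    if len(infos) > max_entries or sum(i.file_size for i in infos) > max_total:
        return [("<archive>", "application/zip", "entry count or size limit exceeded")]
    findings = []
    for info in infos:
        if info.flag_bits & 0x1:  # general-purpose flag bit 0: entry is encrypted (password protected)
            findings.append((info.filename, "unknown", "encrypted entry, cannot inspect"))
            continue
        with zf.open(info) as fh:
            head = fh.read(8)
            mime = sniff(head)
            if mime in BANNED:
                findings.append((info.filename, mime, "banned content type"))
            elif mime == "application/zip":  # nested archive: recurse, bounded by max_depth
                nested = inspect_zip(head + fh.read(), max_entries, max_total, max_depth, depth + 1)
                findings.extend((f"{info.filename}/{p}", m, why) for p, m, why in nested)
    return findings


def build_sample() -> bytes:
    """Constructed archive: a PE header named .txt plus a nested zip holding an ELF header."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("readme.pdf", b"%PDF-1.4 constructed sample")
        z.writestr("tool.bin", b"\x7fELF" + bytes(12))
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("notes.txt", b"MZ" + bytes(14))
        z.writestr("nested.zip", inner.getvalue())
    return outer.getvalue()
```

Running `inspect_zip(build_sample())` flags both the disguised PE and the ELF inside the nested archive, while lowering `max_depth` or `max_entries` turns the whole container into a single finding instead of extracting it.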

@tsense1337

Hello,

Is it planned to implement the feature?

Greetings
tsense1337
