How to Scan Zip Files for Malware Threats

Antivirus solutions and antivirus scanning is the status quo for preventing malware in files. Hackers realize this and have developed techniques for concealing viruses and other malware in complex compound files, such as zip files and archives. While zip files are not inherently dangerous, they have become a favorite format for cybercriminals running phishing campaigns, injecting ransomware, and deploying other malicious actions to unleash malware on unsuspecting individuals. This article discusses why zip files make excellent vectors for hiding malicious code, reviews how to scan a zip file for viruses and malware threats, why existing detection-based solutions are falling behind, and provides an overview of how content disarm and reconstruction prevents evasive malware in zip files.

Why hackers love zip files

Zip files have been “zipped” or compressed to reduce their size. Once you create a .zip file, you must “unzip” or extract the files within before accessing them.

These zipped, or archived files present a challenge for reliable threat detection. That’s because scanning a zip file might not show that infected or suspicious files exist within it because of the threats hidden within layers of the archive. Detecting viruses and other malware hidden in a zip file requires first unpacking the archived file. Antivirus solutions often don’t unzip files, and therefore malicious zip files pass by undetected.

Why isn’t antivirus software effective against zip files?

Antivirus software continuously checks a repository of known malware signatures to identify suspicious or malicious files to quarantine or destroy them before they can cause damage. 

Zip files are usually an enigma to AV

Some antivirus software can scan zip files, not all antivirus products are created equal: 

  • Some antivirus software can temporarily decompress the zip files and scan the contents. 
  • Most AV vendors can only scan the file contents once the files have been fully extracted – zipped files are essentially “unscannable” and unprotected by AV.

Only protecting against known signatures

In addition, even the antivirus softwares that are able to unzip a file can only protect against known threats. Security teams must regularly update software versions, and the software vendor must maintain a current library of malware signatures. It is almost impossible for antivirus software to keep up with the ever-changing risk surface that includes unknown threats and zero-day exploits that can weaponize zip files. Read here an example of how hackers hid malicious code in a password-protected and encrypted zip file that traditional malware scanners deemed “unscannable.” 

AI/ML = high volumes of false positives

Lastly, as antivirus software becomes more sophisticated and attempts to identify unknown and never-before-seen malware using AI or machine learning, it commonly returns a high volume of false positives, disrupting business productivity and wasting users’ time. 

Reduced business productivity

When organizations use a blocklist for zip files, it is disruptive to IT admins who regularly must go in and recover files that were expected but auto-blocked, adding additional overhead to their job. In addition, blocklisting creates disruptions for end users who are expecting files from third parties, like partners and customers and need to address them quickly, rather than waiting for it to be unblocked by IT. 

Scanning Zip Files Today

There are two approaches to dealing with hidden threats in zip files. One way requires making manual configuration changes to harden endpoints against these threats, while the other uses automated analysis and content disarm and reconstruction to eliminate threats. 

Legacy tips to scan zip files for viruses to protect yourself

One approach to managing hidden threats in zip files is to improve each endpoint to be more secure and scan files and emails automatically. The following are some steps you can take to help protect yourself from viruses and malware that may hide in zip files:

  1. Update WinZip – Ensure you are running the latest version of WinZip, as it includes critical security-related fixes and enhancements.
  2. Update your antivirus program – Having the latest definitions is crucial for keeping updated with the latest signatures. Researchers discover new malware daily, and the latest signatures will have the most current discoveries but may still miss Zero Day threats. 
  3. Configure your antivirus – Adjust the program to scan ALL files and emails, quarantining any suspected infected messages.
  4. Disable “hidden file name extensions” This stops Windows from concealing file name extensions such as .EXE, .DOC, and .ZIP or other file types it recognizes. For example, a malicious may appear as invoice.jpg, concealing that it is a zip file that could be harmful when opened. 
  5. Add a Password – Protecting zip files by applying a password makes them more challenging for cybercriminals to alter. In Windows, Right-click the zip file, select Send to, then Zip folder (compressed). Follow the prompts to save the folder.
  6. Establish Best Practices – Never open a zip file attached to an email from an unknown source, or download a zip file from untrusted websites. Of course, that might not be possible with your line of work, or may slow things down quite a bit! 

While this process is effective for protecting yourself against viruses, it is also a time-consuming and manual approach. It does not scale well to protect multiple users. Modern organizations require a more automated approach that is fast and efficient with the ability to scale for multiple users.

A Fast, Easy, and Modern Approach: Sanitizing Files With Content Disarm & Reconstruction Technology

Just because your organization currently lacks sufficient protection against all hidden threats in zip files does not mean you must remain unprotected. Votiro offers a way for organizations to try out content disarm and reconstruction technology (CDR) without any commitment to buy. Visit our Try Now page and upload your zipped file into the provided interface. Once a file is uploaded, the API sanitizes it using the exact same technology that could be in your instance of Votiro ZT Cloud. Within moments, the uploaded file is free of malicious content and safe to use.

In addition, Votiro takes care of pesky number 4 in the list above: Disable “hidden file name extensions”. The first step to sanitize files with Votiro is to TrueType the file. Hidden extensions and purposely obfuscated files will be analyzed and corrected to their actual extension. 

The full version of Votiro ZT Cloud is an API that integrates seamlessly with your existing environment. Rather than having users take steps they could forget when sanitizing a file, as files pass through organizational boundaries, they are sanitized and cleansed of malware automatically, ensuring that content is always safe to use, share, edit, download, and access. Request your 30-day free trial today.

How Votiro Combats the Threat to Zip Files

The only tried-and-true way to stop weaponized zip files from penetrating your network is by taking a zero-trust approach to files – including zip files. With Votiro, every file element passes through a file sanitization process. Files are deconstructed and rebuilt from only trusted parts known to be safe, eliminating any malicious content in the process. The new file is rebuilt with all of the safe functionality of the original but without hidden threats. 

The process is fast and doesn’t rely on keeping something completely up-to-date or depending solely on checking signature databases for known threats, removing the opportunity for zero-day attacks. Votiro’s Zero Trust approach ensures that zip files get automatically sanitized every time, allowing end-users to keep working without worrying about security. 

To learn more about implementing Votiro’s proprietary technology to secure your network against malicious zip files and other threats, please schedule a demo today.

*** This is a Security Bloggers Network syndicated blog from Votiro authored by Votiro. Read the original post at: