Microsoft Is Scanning the Inside of Password-Protected Zip Files For Malware (arstechnica.com) 130

An anonymous reader quotes a report from Ars Technica: Microsoft cloud services are scanning for malware by peeking inside users' zip files, even when they're protected by a password, several users reported on Mastodon on Monday. Compressing file contents into archived zip files has long been a tactic threat actors use to conceal malware spreading through email or downloads. Eventually, some threat actors adapted by protecting their malicious zip files with a password the end user must type when converting the file back to its original form. Microsoft is one-upping this move by attempting to bypass password protection in zip files and, when successful, scanning them for malicious code.

While analysis of password-protected files in Microsoft cloud environments is well-known to some people, it came as a surprise to Andrew Brandt. The security researcher has long archived malware inside password-protected zip files before exchanging them with other researchers through SharePoint. On Monday, he took to Mastodon to report that the Microsoft collaboration tool had recently flagged a zip file, which had been protected with the password "infected." "While I totally understand doing this for anyone other than a malware analyst, this kind of nosy, get-inside-your-business way of handling this is going to become a big problem for people like me who need to send their colleagues malware samples," Brandt wrote. "The available space to do this just keeps shrinking and it will impact the ability of malware researchers to do their jobs."

Fellow researcher Kevin Beaumont joined the discussion to say that Microsoft has multiple methods for scanning the contents of password-protected zip files and uses them not just on files stored in SharePoint but all its 365 cloud services. One way is to extract any possible passwords from the bodies of email or the name of the file itself. Another is by testing the file to see if it's protected with one of the passwords contained in a list. "If you mail yourself something and type something like 'ZIP password is Soph0s', ZIP up EICAR and ZIP password it with Soph0s, it'll find (the) password, extract and find (and feed MS detection)," he wrote.
"A Google representative said the company doesn't scan password-protected zip files, though Gmail does flag them when users receive such a file," notes Ars.

"One other thing readers should remember: password-protected zip files provide minimal assurance that content inside the archives can't be read. As Beaumont noted, ZipCrypto, the default means for encrypting zip files in Windows, is trivial to override. A more dependable way is to use an AES-256 encryptor built into many archive programs when creating 7z files."
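The scanning approach the summary attributes to Microsoft (harvest candidate passwords from the message body and the attachment name, add a list of common passwords, try each one, and scan whatever decrypts) can be modelled end to end in the Python standard library. The block below is an added example, not code from Ars Technica, Microsoft or any of the researchers quoted; it assumes a constructed detection marker in place of the real EICAR string, a constructed four-entry common-password list, and a constructed message and attachment name. Because `zipfile` can read ZipCrypto entries but not write them, the block carries its own minimal ZipCrypto writer so that the whole thing runs offline.

```python
import io
import re
import struct
import zipfile
import zlib

# CRC-32 table (reflected polynomial 0xEDB88320); ZipCrypto's key schedule reuses it.
_CRCTAB = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRCTAB.append(_c)


class ZipCryptoEncryptor:
    """PKWARE 'traditional' (ZipCrypto) stream cipher, encrypt direction only."""

    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for c in password:
            self._update(c)

    def _update(self, c: int) -> None:
        k = self.k
        k[0] = _CRCTAB[(k[0] ^ c) & 0xFF] ^ (k[0] >> 8)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _CRCTAB[(k[2] ^ (k[1] >> 24)) & 0xFF] ^ (k[2] >> 8)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = (self.k[2] | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # the keys advance on the plaintext byte
        return bytes(out)


def build_zipcrypto_zip(name: str, data: bytes, password: bytes) -> bytes:
    """One stored (uncompressed) entry, ZipCrypto-encrypted, readable by the stdlib zipfile."""
    crc = zlib.crc32(data)
    # 12-byte encryption header; byte 11 must equal the high byte of the entry's CRC-32.
    # Archivers fill bytes 0..10 randomly; zeros keep this example deterministic.
    header = bytes(11) + bytes([crc >> 24])
    payload = ZipCryptoEncryptor(password).encrypt(header + data)
    fname = name.encode("ascii")
    flags, method, dos_time, dos_date = 0x0001, 0, 0, 0x21  # bit 0 = encrypted; 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dos_time, dos_date,
                        crc, len(payload), len(data), len(fname), 0) + fname + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, dos_time,
                          dos_date, crc, len(payload), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


# Constructed stand-in for a detection signature; the real EICAR string is deliberately not used.
TEST_SIGNATURE = b"CONSTRUCTED-TEST-MARKER-NOT-MALWARE"
# Constructed stand-in for the "list of common passwords" the summary mentions.
COMMON_PASSWORDS = ["infected", "malware", "password", "123456"]


def candidate_passwords(email_body: str, filename: str) -> list:
    """Every token in the mail body and attachment name, then the common list, deduplicated."""
    seen, out = set(), []
    for tok in re.findall(r"[A-Za-z0-9!@#$%^&*_\-]+", email_body + " " + filename) + COMMON_PASSWORDS:
        if tok not in seen:
            seen.add(tok)
            out.append(tok)
    return out


def try_passwords(zip_blob: bytes, candidates: list):
    """Return (password, {name: plaintext}) for the first candidate that opens every entry, else None."""
    with zipfile.ZipFile(io.BytesIO(zip_blob)) as zf:
        names = zf.namelist()  # ZipCrypto leaves names and sizes in the clear: no password needed here
        for pwd in candidates:
            try:
                contents = {n: zf.read(n, pwd=pwd.encode()) for n in names}
            except (RuntimeError, zipfile.BadZipFile):
                continue  # wrong password: check-byte mismatch, or (1 in 256) a CRC mismatch
            return pwd, contents
    return None


def scan_attachment(email_body: str, filename: str, zip_blob: bytes) -> dict:
    """Defender-side pipeline: harvest candidates, unlock if possible, scan the plaintext."""
    with zipfile.ZipFile(io.BytesIO(zip_blob)) as zf:
        result = {"names": zf.namelist(), "password": None, "detected": False}
    opened = try_passwords(zip_blob, candidate_passwords(email_body, filename))
    if opened:
        result["password"], contents = opened
        result["detected"] = any(TEST_SIGNATURE in c for c in contents.values())
    return result


# Constructed sample: the attachment name carries the password, as in Beaumont's description.
SAMPLE_FILENAME = "ZIP Password is Soph0s sample.zip"
SAMPLE_BODY = "Hi, please review the attached file."
SAMPLE_ZIP = build_zipcrypto_zip("sample.txt", b"hello " + TEST_SIGNATURE, b"Soph0s")

if __name__ == "__main__":
    print(scan_attachment(SAMPLE_BODY, SAMPLE_FILENAME, SAMPLE_ZIP))
    # A password that appears in neither the message nor the list is not recovered: nothing to scan.
    print(scan_attachment("no hints here", "sample.zip",
                          build_zipcrypto_zip("sample.txt", TEST_SIGNATURE, b"correct horse battery")))
```

Two things the output makes visible that the summary only states: the entry names come back whether or not any password works, because ZipCrypto encrypts file contents but not the central directory; and a password that never appears in the message or the list leaves the scanner with nothing to inspect. The stdlib `zipfile` module raises NotImplementedError on AES-encrypted entries (WinZip AE, compression method 99), so a scanner built this way is blind to them, which is the practical reason behind the summary's advice to prefer AES-256 in 7z archives.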
  • Quit complaining (Score:4, Insightful)

    by The-Ixian ( 168184 ) on Tuesday May 16, 2023 @09:06AM (#63525481)

    And choose a good password for your dumb zip file.... problem solved.

    • by jwhyche ( 6192 ) on Tuesday May 16, 2023 @09:10AM (#63525487) Homepage

      You shouldn't have to in this case. I think it's illegal to break encryption or open encrypted files that are not meant for you. I'm not 100% sure in this case but some DVD decrypter software was taken off the market because of this.

      • by Osgeld ( 1900440 )

        It's not even encryption, it's just a flag for the software. Zip (and many other compressed files) are just containers; if you want encryption you have to do it to the files.

        • Re:Quit complaining (Score:4, Informative)

          by AmiMoJo ( 196126 ) on Tuesday May 16, 2023 @09:48AM (#63525579) Homepage Journal

          The Zip format does support encryption. There are two versions, with the old one being quite easy to crack, and the new one that uses AES and is basically as good as the password.

          One massive flaw is that file names and other metadata are not encrypted. Only the content of files is encrypted.

          If you want encryption then use 7Zip. It encrypts everything and is robust.

          • Re:Quit complaining (Score:5, Informative)

            by Joce640k ( 829181 ) on Tuesday May 16, 2023 @11:23AM (#63525893) Homepage

            Didn't you read the summary?

            Scammers have to send you the password in the email, that's what Microsoft is looking for.

            It doesn't matter what encryption scheme you use if the password is in plain sight.

            (and it MUST be in plain sight or your clever email won't work on the sort of idiots who'd unzip a random email and run the .exe file inside it)

            • by AmiMoJo ( 196126 )

              Yes, that's what I'm saying. People are upset that their encrypted archives are being scanned, not because they care about privacy but because they were using the encryption to get around the security policies enforced for email.

              It seems that Microsoft made the decision to stop fighting them and instead virus scan the archives, extracting the password from the email, or trying some common ones. Even if the restrictions are removed from Microsoft email servers, people using e.g. Gmail which blocks attachments

              • Yes, that's what I'm saying. People are upset that their encrypted archives are being scanned, not because they care about privacy but because they were using the encryption to get around the security policies enforced for email.

                It seems that Microsoft made the decision to stop fighting them and instead virus scan the archives, extracting the password from the email, or trying some common ones. Even if the restrictions are removed from Microsoft email servers, people using e.g. Gmail which blocks attachments with .exe files will still be sending encrypted ZIP archives.

                Yep, that's the story.

                I'm pretty sure legitimate "security researchers" can find a way around it though, eg by sending the password separately or by playing word games in the email:

                Password: Capital city of France plus the square root of 144.

                .

                • Or maybe:

                  Password: "I'm trying to infect your computer with a virus!!!"

                  Password: "This zip file will take over your computer and steal all your money!!!"

                • Password: Capital city of France plus the square root of 144.

                  Sure, but which square root?
                  (yes, I'm aware that France has had dozens of capital cities over its history)

                • by bjwest ( 14070 )

                  Password: Capital city of France plus the square root of 144.

                  ChatGPT solves this quite easily:

                  The capital city of France is Paris. The square root of 144 is 12. Therefore, the answer to your question is Paris plus 12, which can be written as "Paris + 12" or "Paris + 144."

                  I doubt MS, who owns the code ChatGPT uses, will have much difficulty figuring out any password scheme included in the email with the file.

                  • by pacinpm ( 631330 )

                    Password: Capital city of France plus the square root of 144.

                    ChatGPT solves this quite easily:

                    The capital city of France is Paris. The square root of 144 is 12. Therefore, the answer to your question is Paris plus 12, which can be written as "Paris + 12" or "Paris + 144."

                    I doubt MS, who owns the code ChatGPT uses, will have much difficulty figuring out any password scheme included in the email with the file.

                    I (as a human) would solve it as "Paris12" not "Paris + 12".

            • So if they guess the password it's legal, but if you decode DVD encryption using very well known and simple methods you can get sued due to the DMCA?

      • by EvilSS ( 557649 )
        Only if you do it to get around DRM. And no, you can't try to internet-lawyer this into that. Don't try (you're totally going to try).
        • But password protecting a ZIP is DRM. The only people that are allowed to open that ZIP file are the people I authorized the password to.
          Everyone else would therefore be illegally bypassing encryption.
          • by EvilSS ( 557649 )
            Not according to the DMCA it's not.
            • by Sloppy ( 14984 )

              1201(a)(1)(3):

              As used in this subsection-

              (A) to “circumvent a technological measure” means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner; and

              (B) a technological measure “effectively controls access to a work” if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with

              • ...Aaand what does the agreement you sign with Microsoft look like?

                • by Sloppy ( 14984 )

                  Whose agreement? The user who uploaded it to Microsoft's cloud services, or the copyright owner who might not have any agreement at all?

                  I guess it would be pretty amazing if the uploading user unwittingly agreed to indemnify Microsoft for any liabilities they incur against third parties. Maybe Microsoft thought of that, so this just becomes a way to cause expensive damage to Microsoft customers, rather than to Microsoft themselves.

              • They did warn you not to try.

                DMCA specifically allows for breaking encryption for the purpose of protecting targets from bad payloads.
                Can't remember the specific subsection (but I'm sure you can google it)
                Our lawyers went through that Act with a fine-toothed comb to figure out what we could and could not do at my organization (that deals with similar threats)
          • Yes, but I'm fairly sure the license involved here is Microsoft's, not yours. Unless you got Microsoft to sign some other alternative contract agreement overriding whatever funky permissions you agreed to in the EULA?

          • by Joce640k ( 829181 ) on Tuesday May 16, 2023 @11:26AM (#63525903) Homepage

            But password protecting a ZIP is DRM. The only people that are allowed to open that ZIP file are the people I authorized the password to.

            Everyone else would therefore be illegally bypassing encryption.

            If you're including the password in the email then it's not an encryption it's only an encoding.

        • by jwhyche ( 6192 )

          No, it's not just to get around DRM. It is 100% illegal for me to decrypt bank to bank transactions. The same with satellite and encrypted radio communication. By law I can receive any radio signal from any source. What I can't do is decrypt that radio signal if it's encrypted, for any reason.

          There is no specification on the level of encryption either. It's illegal to decrypt a simple XOR message if the message is not meant for you.

          • by EvilSS ( 557649 )
            I guess if MS is intercepting these zips from radio signals, then yes. As for bank transactions, show me a law that says that, specifically, it's the decryption that is the crime.
            • by jwhyche ( 6192 )
              https://csrc.nist.gov/publicat... [nist.gov] p. There you go. Start there and work your way out. And if you don't think it's illegal to decrypt any kind of financial information without permission, please go ahead and prove me wrong.
              • by EvilSS ( 557649 )
                That's FIPS, a federal standard that is NOT required for financial institutions except for transactions with the Fed, and nothing in that states it's illegal to decrypt. And you want me to prove there isn't a law for something? Yea, I'll take that as you talking out of your ass. Interception would be illegal, but that would be the case even if it was in plain text.
      • Did you read the EULA before you put your encrypted zip in Microsoft's cloud? Maybe Microsoft has rights over its own environment and you give it access to keep you and themselves secure.

        • by Sloppy ( 14984 )

          That'll work if the user who uploaded the DRMed Zip file is the same as the user who owns the copyright. But if it's not, then the click-through EULA is going to need the user to unwittingly accept liability for whatever Microsoft does to third parties.

          Of course, maybe the EULA really does that. So after Microsoft gets sued by the copyright owner, they add up whatever they paid (both to the DMCA "victim" and to their own defense lawyers) and sue the user for at least that much.

        • Re:Quit complaining (Score:5, Informative)

          by Joce640k ( 829181 ) on Tuesday May 16, 2023 @11:32AM (#63525927) Homepage

          What it actually says is: "To the extent necessary to provide the Services to you and others, to protect you and the Services, and to improve Microsoft products and services, you grant to Microsoft a worldwide and royalty-free intellectual property license to use Your Content, for example, to make copies of, retain, transmit, reformat, display, and distribute via communication tools Your Content on the Services. If you publish Your Content in areas of the Service where it is available broadly online without restrictions, Your Content may appear in demonstrations or materials that promote the Service."

          https://www.microsoft.com/en/s... [microsoft.com]

          • So... hand over your first born?

            I suspect strongly that this portion is not strictly enforceable under the law. Except so far as Microsoft is a large company that provides a lot of jobs and therefore governments in America may be reluctant to prosecute. Maybe we again rely upon the EU to keep American companies honest. Remember, laws override license agreements and contracts.

            • You are storing your data on Microsoft's computer. You lost control when you uploaded your file(s) to someone else's computer. Microsoft can do whatever it wants with its computers, whether your data is there or not.

              • Not true. There are laws protecting your data. It does not become Microsoft's data just because it's on their computer. I.e., HIPAA data; Microsoft cannot share any of that without permission, no matter what their license reads. Licenses and contracts do not override laws. Also DMCA prohibits attempts to decrypt data except with some exceptions.

                Now even without the laws, if it became known that Microsoft regularly and often just read all data on their "cloud" and then decided to make use of it, they'd lo

                • If you are using the services then you agreed to the EULA - read it. You signed away, via click-through, your rights.

          • you grant to Microsoft a worldwide and royalty-free intellectual property license to use Your Content

            It is interesting that the laws are so lax in this area that Microsoft can claim EVERYTHING and give nothing in return for the taking. All with a non-agreed upon end user license agreement which was created out of thin air. No legal basis.

      • Honestly with how broadly and poorly those laws are written I'm pretty sure you broke 8 of them in your post. Maybe 9. They were written up by industry lobbyists in a hurry and passed without anyone reading them except a few of the anti-corporate house/senate members who were ignored.
      • You shouldn't have to in this case. I think it's illegal to break encryption or open encrypted files that are not meant for you. I'm not 100% sure in this case but some DVD decrypter software was taken off the market because of this.

        That only applies if the file in question is copyrighted by a large enough company that they can shove a cadre of lawyers up your ass if you break the encryption. MPAA, RIAA, etc. Commoners? Fuck off. All your data belongs to Microsoft, Apple, Google, and anybody else that can get their greedy hands on it, and you need to know that nothing you do online is safe from the tech-giants' eyes. For your own good. Because they're benevolent and protective parents, looking after their poor little toddler users with

      • by tlhIngan ( 30335 )

        I think it's illegal to break encryption or open encrypted files that are not meant for you. I'm not 100% sure in this case but some DVD decrypter software was taken off the market because of this.

        No, it's illegal to break encryption used as a content protection measure - the DMCA.

        What Microsoft is doing here is scanning your message for potential passwords, as well as testing it against a list of possible passwords.

        So using a secure password and not sending it in the same email is required to bypass the secur

      • by bjwest ( 14070 )

        You shouldn't have to in this case. I think it's illegal to break encryption or open encrypted files that are not meant for you. I'm not 100% sure in this case but some DVD decrypter software was taken off the market because of this.

        That only applies to us lowly individuals and their corporate data, corporations can do whatever they want with our data, including reverse engineering it to steal our IP.

      • I was thinking the same thing. It seems to be a DMCA violation at the very least, but then that just opens you up to copyright protection, which likely doesn't apply since you should have an expectation of your data being copied when sent over email. Would be interesting to see this litigated.

    • by gweihir ( 88907 )

      Well, actually getting the fact out there that MS is trying to break passwords on encrypted zip is valuable. The complaint is just a ridiculous self-accusation of total incompetence though.

    • It is trivially easy to write a program that sends files over the Internet, using a direct peer-to-peer link.

      If these malware researchers need to share data, they really don't have to look very far.

    • by jmccue ( 834797 )
      Or better yet, encrypt using gpg(1) or even openssl(1). I would not rely on anything else if I need to password protect something.
    • Quit complaining, stop using MS products.

  • by Anonymous Coward on Tuesday May 16, 2023 @09:12AM (#63525491)

    If they can do that then any adversary can bypass that same "protection" too. So the protection is about as safe as a "TSA-approved" luggage lock: The master keys have leaked, so their protection is nil. All it does is allow an adversary to peek in on your stuff without you noticing that the lock broke.

    And again, their cloud is anything but private. I don't care what good reasons they think of this week, malware, child porn, politics, what-have-you, if they go sniff through my stuff then my stuff isn't private.

    So, take note: The cloud is not private in any way or form and zip "protection" doesn't help against that lack. Worse, it no longer matters what any other cloud provider claims what they do or not. You don't always know who exactly is hosting your cloud storage these days, so you have to assume any and all cloud storage will be peeked in on. Your stuff will be rifled through for badness-of-the-week.

  • Gotta check that intellectual property for threats!

    Something about cloudy sheep or something.

  • by bill_mcgonigle ( 4333 ) * on Tuesday May 16, 2023 @09:30AM (#63525523) Homepage Journal

    Well, darn, I thought maybe they leveraged their homomorphic encryption science to make scanning generic. Next year?

    I fully support them scanning in the trivial case of the password being included in the email text.

    They also ought to note the mass proliferation of zip files with the same checksum and do trivial guessing.

    Any malware zip will use a simple password.

    Proper safeguards would miss spearphishing so leave non-trivial cases for opt-in.

  • Good! (Score:4, Insightful)

    by EvilSS ( 557649 ) on Tuesday May 16, 2023 @09:37AM (#63525543)
    Sucks for the tiny percent of the users who are malware researchers (maybe use something more 'sophisticated' like 7zip and its AES encryption option) but it is a common tactic in phishing campaigns to send the user a password-protected zip file with the malware payload in it. And yes, users are dumb so we need the malware protection tools to be smart for them.
    • by gweihir ( 88907 )

      And you think this will do anything besides making the phishers use better passwords? Current zip encryption with good passwords cannot be broken.

      • by gweihir ( 88907 )

        I should add that I do not know whether standard Zip tools can do current encryption (i.e. AES) as I always use 7zip, which can do AES. The original zip encryption algorithm is insecure and can be broken with reasonable effort.

      • by EvilSS ( 557649 )
        And the user is just going to guess that good password?
        • Dunno how it is where you live, but here when you get a credit/debit card sent to you in the mail, the PIN number usually follows in a separate delivery.

          Send the file and the password separately. There are plenty of OTP generator sites that let you send a URL that displays an OTP. Email the URL or WhatsApp it or whatever.

          This is not a difficult problem to solve, and I'm glad MS are virus scanning password protected zip files. The amount of malware on their cloud must be staggering.

      • And you think this will do anything besides making the phishers use better passwords? Current zip encryption with good passwords cannot be broken.

        The strength of the password here doesn't help. MS aren't dictionary attacking or brute forcing here. They are analysing conversation history. A phisher who doesn't transmit a method of opening a file is effectively stopped in their tracks. It doesn't matter if the password is "password" or "asiodf345(*^$*&^tsdf j2h!""'''"'!" if the password is sent to the user then it can be intercepted and used to analyse the file.

        Or ... the password cannot be broken, and the user unable to infect themselves is safe as

      • And you think this will do anything besides making the phishers use better passwords? Current zip encryption with good passwords cannot be broken.

        Um, they're sending these emails to the sort of idiots who'll open a zip file and execute the .exe file within.

        Question: How difficult do you think they can make it for those people to find the password?

        • by gweihir ( 88907 )

          Well, that remains to be seen. But I am sure the malware criminals will find a balance that works and the morons falling for that are already willing to jump at least through one obviously stupid hoop. Password in picture, description of password, send them to a website where they get the password, etc.

          This really is the wrong approach. Fix email security instead and also MS Office security (often it is not an .exe but a compromised Office document). But apparently MS cannot do that because they have s

    • Or simply use other services for storage and sharing rather than a SaaS offering where they are kinda obliged to do their best to block that stuff. Even Azure storage will do the job as you can disable the malware scanning.
      • by EvilSS ( 557649 )
        Yea, relying on OneDrive to archive your malware collection is just asking for trouble. I'd expect security researchers to be a little more savvy.
  • by gweihir ( 88907 ) on Tuesday May 16, 2023 @09:41AM (#63525555)

    Has this person never heard of secure passwords? How incompetent do you have to be as a "researcher" in the IT security space to not _immediately_ see that solution? Well, I guess he actually knows but decided that the press exposure was probably worth more than the admission of incompetence (which sadly only few people will notice) costs him.

    • by AmiMoJo ( 196126 )

      People have been using bad passwords to share files via email and on SharePoint when the filetype is banned. If policy does not allow sending .exe files, stick it in an encrypted archive or change the extension, and send that.

      As such anti-virus software needs to be smart enough to spot when that is happening, otherwise one day someone will get a ZIP archive with an email telling them the password, open it and get hit with ransomware.

      • by gweihir ( 88907 )

        But really, will it help? Direct people to websites where they get a password that works for their malware sample only, send the password in another email, put the password into an image or describe the password. I am sure people stupid enough to do this with a simple, plain password in the email itself will also jump through one or several more hoops to get themselves infected.

    • I guess he'll have to resort to mailing DVDs of their malware samples back and forth.

    • "How incompetent do you have to be as a "researcher" in the IT security space to not _immediately_ see that solution?"

      It's something that didn't actually need to be secure, just contained. As mentioned elsewhere, a zip file with a well known password is how you interchange malware samples with Microsoft Security Intelligence. Yes, Microsoft has now been victimized by Microsoft.

      It's not that the solution isn't obvious, it's that the problem was manufactured.

    • by jythie ( 914043 )
      Secure or insecure, Microsoft is still analyzing messages in order to crack zip files they do not have permission to open. That is still a huge problem since it sets a precedent for electronic intrusion without consequences.
  • 1. Once you upload something, it's no longer yours exclusively.

    2. Use better passwords, especially on a file containing malware of all things. "This-is-a-sample-of-the-CIH-virus" is way more secure than "infected".
    • 1. Once you upload something, it's no longer yours exclusively.

      No one ever made a claim that it was, which is precisely why the files were password protected in the first place.

    • Actually, the lesson learned is to use encryption, not zip passwords.
      • Actually, the lesson learned is to use encryption, not zip passwords.

        The zip protocol he was using does use AES encryption for the contents of the files in the zip using a hash of the password as a key; however, Microsoft is attempting to decrypt them using the tokens identified in the email contents, file name, etc as well as a list of commonly used passwords. His simple password 'infected' was among those tokens, so the zip files were decrypted, unzipped, and scanned, then deleted when the malware was identified.

        • Actually, the lesson learned is to use encryption, not zip passwords.

          The zip protocol he was using does use AES encryption for the contents of the files in the zip using a hash of the password as a key; however, Microsoft is attempting to decrypt them using the tokens identified in the email contents, file name, etc as well as a list of commonly used passwords. His simple password 'infected' was among those tokens, so the zip files were decrypted, unzipped, and scanned, then deleted when the malware was identified.

          OK, so I retract this, it's not clear the researcher was using a zip archiver that has this capability, even though they are easily available, or that Microsoft's scanning technique can decrypt AES-encrypted files, though if it did, the technique they are using could still allow them to scan the files.

  • Last week Windows 10 alerted me that it found malware in an old zip file I had in my download directory

    The zip contained bitmaps and png files inside, specifically, a few sprite sheets. Also in the zip was a "readme.nfo" file under 1KB .. we've all seen those..

    Microsoft flagged that nfo file inside that zip file, over a year after it was downloaded.
    • Microsoft flagged that nfo file inside that zip file, over a year after it was downloaded.

      I see this as an absolute win, not the very likely false positive, but that they are using updated information for scanning data you may already have meaning that if something is missed the first time it may flag in the future.

      I'd be concerned if that file were flagged at download now, but not while it's sitting in your download directory.

    • An NFO file is supposed to be a plain text file. However, it could be an EXE in disguise, "readme.nfo.exe", or an EXE file with the extension renamed NFO. What would trouble me is if Windows started opening text files to search for phrases like "serial number" and determine that it contained a cracked serial number for accompanying software. Well hell, this is Nadella's Microsoft now so it would not surprise me in the least.

  • Microsoft do what they want when researchers are using Microsoft cloud service, as it is their computer.

    If researchers don't want a 3rd-party picking inside their zip files, then host a NextCloud or similar service on own fully controlled host.

    • If researchers don't want a 3rd-party picking inside their zip files, then host a NextCloud or similar service on own fully controlled host.

      Or ... just not use the most stupid and trivial password to zip a file. No need to go crazy man. Microsoft isn't some evil mastermind with back doors to the world encryption systems. The only reason this is news is because someone did the bare minimum, a minimum that was only ever effective against people who tried nothing.

  • Microsoft is SPYWARE. Stop using Sharepoint for this and go back to Usenet and private SFTP sites.

  • On Windows, I use 7zip, and any password protected zip file I ever opened with 7zip opened without even asking for a password. Only when actually trying to unzip it (or something in it), it asked for a password.

    • by jetkust ( 596906 )
      It asked for a password because the data is encrypted and password protected. It just didn't encrypt the filenames and folder structure in your case. But the content of the files was encrypted.
    • This is normal behavior. Password protected ZIP files can still have their directory and file structure viewed. It's when you actually try to extract the files that the password comes into play.

  • You're complaining that MSFT blocked you from sending malware, in a compressed, password-protected zip file across their services?

  • This is actually great for 99% of users, both home users and organizations.
    Probably your (very smart in their fields) accountants/finance, lawyers, MDs, Public Relations, Designers, Publicists, PR and marketing people, history, literature or art professors (in universities) do not know (or care) about social engineering attacks, and even an engineer on a bad day can fall prey too (do not ask me how I know)...

    So, just make it Opt-Out, not too hard, not too easy, with a Shibboleet type process to make it happen

  • The practice of checking inside encrypted .zip files for malware has been around for several years.

    Most antivirus software and other security solutions are designed to scan both compressed and uncompressed files for malware and other security threats. This includes .zip files that are encrypted or password-protected. The ability to scan inside encrypted .zip files is important because attackers often use such files to hide malicious payloads, such as malware, Trojans, or viruses.

    As encryption techniques hav

  • and use a secure password and BOOM! Problem solved.

    I thought security researchers knew better, but this proves they are human too.

    Remember kids:

    Send the password to decrypt a file in a different channel from the channel you used to send the file AND use good passwords.

    Peace

  • in your zip file put a .bat that runs openssl.

    openssl enc -d -aes-256-cbc -md md5 -pbkdf2 -a -in virus.aes

    even if you pick some obvious password, it's unlikely the scanning software will figure out your custom solution any time soon. other researchers should be smart enough to figure out how to set up openssl tools on their machine. I chose options that will work on 1.x as well, in case someone is using a Raspberry Pi.

  • Data point (Score:5, Informative)

    by ElizabethGreene ( 1185405 ) on Tuesday May 16, 2023 @10:59AM (#63525807)

    A zip with the password 'infected' specifically is used on the Microsoft Security Intelligence [microsoft.com] site for submitting samples that would otherwise be blocked.

    This is the site you go to if you want to submit malware for analysis, or if you have a false positive detection and need them to fix it.

    So I did a thing...
    First I confirmed that defender would detect the EICAR string in a text file. It does. Then I zipped it up four times with different encryption options.

    Uploading a ZipCrypto .zip with password infected containing the EICAR test string to Virustotal and NOT providing the password for the zip.
    https://www.virustotal.com/gui... [virustotal.com]
    It was detected by Cyren and Fortinet.

    Uploading an AES-256 .zip with password infected containing the EICAR test string to Virustotal and NOT providing the password for the zip.
    https://www.virustotal.com/gui... [virustotal.com]
    No detections.

    Uploading a ZipCrypto .zip with password Soph0s named "ZipCrypto Password is Soph0s EICAR.zip" containing the EICAR test string to Virustotal and NOT providing the password for the zip.
    https://www.virustotal.com/gui... [virustotal.com]
    It was detected by Fortinet.

    Uploading an AES-256 .zip with password Soph0s named "AES-256 Password is Soph0s EICAR.zip" containing the EICAR test string to Virustotal and NOT providing the password for the zip.
    https://www.virustotal.com/gui... [virustotal.com]
    No detections.

    Scanning all four zips locally with Defender yielded no detections, and I was able to upload and download all four from my personal OneDrive (not my work account) without issue.

    • by ksw_92 ( 5249207 )

      I believe that on-device Windows Defender has a few "strengths", depending on your licensing. Also, personal OneDrive accounts don't get the same level of protection from cloud-based Defender that higher-level subscriptions, like M365 E5, get.

      Just something to take into consideration when testing...
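
    The two behaviours discussed in this thread (an encrypted zip still listing its filenames without a password, and a scanner recovering a password from the archive's own name or from a short conventional list before looking for EICAR) can be reproduced offline. The following is an added example, not code from the thread, Microsoft, or VirusTotal: it writes a minimal ZipCrypto-protected zip by hand (the stdlib `zipfile` can read ZipCrypto but not write it), then runs a small scanner over three constructed archives. The password list, the `password is ...` filename pattern, the archive names and the "strong" password are assumptions made for the demo; Microsoft's actual heuristics are not public.

```python
import io
import re
import struct
import zipfile
import zlib

# The standard, benign EICAR test string; the scanner looks for its marker text.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_MARK = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
# Constructed list: passwords conventionally used when researchers share samples.
COMMON_SAMPLE_PASSWORDS = ("infected", "malware")

def _crc_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table

_TABLE = _crc_table()

class ZipCryptoStream:
    """PKWARE 'traditional' (ZipCrypto) key schedule; the same one zipfile's decrypter uses."""

    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b):
        k = self.k
        k[0] = (k[0] >> 8) ^ _TABLE[(k[0] ^ b) & 0xFF]
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = (k[2] >> 8) ^ _TABLE[(k[2] ^ (k[1] >> 24)) & 0xFF]

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = (self.k[2] | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # the key stream is driven by the plaintext
        return bytes(out)

def make_zipcrypto_zip(entry_name: str, plaintext: bytes, password: str) -> bytes:
    """Constructed single-entry, stored (uncompressed) zip protected with ZipCrypto."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    # 12-byte encryption header; byte 11 is the CRC high byte readers use as a password check.
    # Real writers fill the first 11 bytes randomly; zeros keep this demo deterministic.
    body = ZipCryptoStream(password.encode()).encrypt(bytes(11) + bytes([crc >> 24]) + plaintext)
    name = entry_name.encode()
    flags, method, mtime, mdate = 0x0001, 0, 0, (2023 - 1980) << 9 | 5 << 5 | 16  # bit 0: encrypted
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, mtime, mdate,
                        crc, len(body), len(plaintext), len(name), 0) + name + body
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, mtime, mdate,
                          crc, len(body), len(plaintext), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd

def candidate_passwords(archive_name: str) -> list:
    """Passwords hinted in the archive's own name ('... Password is Soph0s ...') plus the conventional ones."""
    hinted = re.findall(r"password\s*(?:is|:|=)\s*(\S+)", archive_name, re.IGNORECASE)
    return list(dict.fromkeys(hinted + list(COMMON_SAMPLE_PASSWORDS)))

def scan(archive_name: str, zip_bytes: bytes) -> dict:
    """Scanner logic: list entries (needs no password), try candidate passwords, look for EICAR."""
    result = {"entries": [], "password": None, "status": "clean"}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            result["entries"].append(info.filename)  # ZipCrypto never encrypts names or sizes
            if info.compress_type == 99:  # WinZip AES entry: opaque to the stdlib, so no verdict
                result["status"] = "aes-opaque"
                continue
            encrypted = bool(info.flag_bits & 0x1)
            for pwd in (candidate_passwords(archive_name) if encrypted else [None]):
                try:
                    content = zf.read(info, pwd=pwd.encode() if pwd else None)
                except (RuntimeError, zipfile.BadZipFile):
                    continue  # wrong password: check byte or CRC mismatch
                result["password"] = pwd
                if EICAR_MARK in content:
                    result["status"] = "eicar-found"
                break
            else:
                if result["status"] == "clean":
                    result["status"] = "encrypted-unknown-password"
    return result

def demo() -> dict:
    """Three constructed archives mirroring the thread's cases; returns the scanner's verdict for each."""
    strong = "Sn0wdrift-Kelp-Harbor-71x"  # constructed strong password with no hint anywhere
    cases = {
        "sample.zip": make_zipcrypto_zip("eicar.txt", EICAR, "infected"),
        "ZipCrypto Password is Soph0s EICAR.zip": make_zipcrypto_zip("eicar.txt", EICAR, "Soph0s"),
        "strong.zip": make_zipcrypto_zip("eicar.txt", EICAR, strong),
    }
    return {name: scan(name, data) for name, data in cases.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

    Running it shows the filename `eicar.txt` for all three archives before any password is tried, the first two archives decrypting with `infected` and `Soph0s` respectively and being flagged, and the third staying opaque because nothing on the archive hints at its password. This is the case for the out-of-band, non-guessable password that several commenters below make; note also that the strong password only hides the payload, not the entry names.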

  • When did people, especially people like security researchers, just absolutely forget that things like SFTP even exist? Why in the hell would you want to stick something like that up in the cloud in Sharepoint or whatever where it is effectively out of your hands for someone else to retrieve? If you want to give a file to someone securely and reliably set up your own SFTP server or use theirs, then you won't have any gripes about this nonsense.

    • That's nice for people who are tech-savvy enough to set up an SFTP server. For the rest of the world, not really an option.

  • I'd expect a security professional to have already developed a good means to make zip files not look like zip files because they are so often blocked by corporate mail systems. You know, like by encrypting the entire zip file with a home-brew 20-bit RSA and changing the suffix to something like ".enc", making the zip file indistinguishable from line noise.

    So it takes a little extra time to encrypt and decrypt. Big deal.

  • by NotInKansas ( 5367383 ) on Tuesday May 16, 2023 @11:54AM (#63525993)
    Having a sufficiently secure symmetric encryption password is fairly easy.

    The real problem is communicating that password in a pervasively monitored environment. Using MS facilities to send sensitive information in an unprotected format provides the capability for it to be siphoned and cross correlated by MS for MS use. The interesting story here is that MS is performing this correlation.

    Google says they don't do this, but the point is they are capable of doing the same thing.

    People get complacent in their use of the convenient tools to hand.

    There are a couple of key items to remember:

    All the free or big email providers scan your email.

    Email is not encrypted on the servers.

    The important mechanism is protecting key delivery, that's what's being compromised. There are already a number of ways to do this:

    Out of band key communication. Call or text or other and tell your contact the good password.

    Public Key Encryption is a more technical solution. The decryption key is never transmitted so there's nothing to intercept.
  • by peterww ( 6558522 ) on Tuesday May 16, 2023 @12:16PM (#63526055)

    The encryption in 7zip is strong, just use that and move on with life.

  • Sharepoint? Really? Surely people working at that particular task have the wherewithal to do better than that.
