  • Microsoft apparently now scanning password-protected ZIP files for malware and virus

    Karlston


    It looks like Microsoft SharePoint can now scan password-protected ZIP files, according to Andrew Brandt, a Principal Security Researcher at Sophos. Brandt discovered the change recently when their password-encrypted files containing malware samples were scanned by the Microsoft 365 virus detection engine.

     

    On their Mastodon profile, Brandt wrote:

     

    Well, apparently #microsoft #Sharepoint now has the ability to scan inside of password-protected zip archives.

     

    How do I know? Because I have a lot of Zips (encrypted with a password) that contain malware, and my typical method of sharing those is to upload those passworded Zips into a Sharepoint directory.

     

    This morning, I discovered that a couple of password-protected Zips are flagged as "Malware detected" which limits what I can do with those files - they are basically dead space now.

     


     

    While Brandt acknowledges that the move is not a bad thing in itself, since it targets threat actors who use password-protected archives to bypass scanning, they appear a bit annoyed by the change, as it makes sharing malware samples with other threat researchers somewhat harder.

     

    While I totally understand doing this for anyone other than a malware analyst, this kind of nosy, get-inside-your-business way of handling this is going to become a big problem for people like me who need to send their colleagues malware samples. The available space to do this just keeps shrinking and it will impact the ability of malware researchers to do their jobs.

     

    The official Microsoft documentation for Built-in virus protection in SharePoint Online explains:

     

    The Microsoft 365 virus detection engine scans files asynchronously (at some time after upload). If a file has not yet been scanned by the asynchronous virus detection process, and a user tries to download the file from the browser or from Teams, a scan on download is triggered by SharePoint before the download is allowed. All file types are not automatically scanned. Heuristics determine the files to scan.

     

    Meanwhile, Microsoft also offers the option to enable Safe Attachments for SharePoint. The support article says:

     

    When Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is enabled and identifies a file as malicious, the file is locked using direct integration with the file stores.

     

    Although the blocked file is still listed in the document library and in web, mobile, or desktop applications, people can't open, copy, move, or share the file. But, they can delete the blocked file.

     

    However, neither article mentions scanning encrypted or password-protected files, so this may be something Microsoft quietly rolled out recently.
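    As an added illustration (not part of the original article, and not a description of how Microsoft's engine works), the Python below builds a ZIP protected with traditional PKWARE "ZipCrypto" and shows what an archive scanner can read without the password: the central directory keeps each entry's file name, uncompressed size and plaintext CRC-32 in the clear, while the content itself stays locked until the password is supplied. The file name, password and payload are constructed sample values; AES-encrypted ZIPs are a different scheme not covered here.

```python
import io, struct, zipfile, zlib

def _crc_step(key: int, byte: int) -> int:
    # One CRC-32 table step (the ZipCrypto key schedule), computed through zlib.
    return zlib.crc32(bytes([byte]), key ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

class ZipCrypto:
    # Traditional PKWARE "ZipCrypto" stream cipher, encryption direction only.
    def __init__(self, password: bytes):
        self.keys = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)
    def _update(self, c: int) -> None:
        k = self.keys
        k[0] = _crc_step(k[0], c)
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc_step(k[2], k[1] >> 24)
    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            t = (self.keys[2] | 2) & 0xFFFF
            out.append(c ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(c)  # key stream is driven by the plaintext
        return bytes(out)

def build_encrypted_zip(name: str, data: bytes, password: bytes) -> bytes:
    # One STORED entry, ZipCrypto-encrypted; the stdlib zipfile cannot write these.
    crc, fname = zlib.crc32(data), name.encode()
    header = bytes(11) + bytes([crc >> 24])  # 12-byte header; last byte = password check
    payload = ZipCrypto(password).encrypt(header + data)
    flags, dos_time, dos_date = 0x0001, 0, 0x21  # bit 0 = encrypted; 1980-01-01
    local = struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, flags, 0, dos_time, dos_date,
                        crc, len(payload), len(data), len(fname), 0) + fname + payload
    central = struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20, flags, 0, dos_time,
                          dos_date, crc, len(payload), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd

def inspect_without_password(blob: bytes) -> dict:
    # Everything here comes from the central directory, which ZipCrypto leaves in the clear.
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        i = zf.infolist()[0]
        return {"name": i.filename, "encrypted": bool(i.flag_bits & 1), "size": i.file_size, "crc32": i.CRC}

def read_with_password(blob: bytes, password: bytes) -> bytes:
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(zf.namelist()[0], pwd=password)
```

    A scanner that receives this kind of archive therefore has the member's name, size and plaintext CRC-32 to match against known samples before any password is involved; whether Microsoft's engine relies on that or on something else is not stated in the article.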
