Compressed Files Parent topic

Compression and archiving are among the most common methods of file storage, especially for file transfers - such as email attachments, FTP, and HTTP. Before any virus/malware detection can occur on a compressed file, however, you must first decompress it. For other compression file types, IM Security performs scan actions on the whole compressed file, rather than individual files within the compressed file.
IM Security currently supports the following compression types:
  • Extraction: used when multiple files have been compressed or archived into a single file: PKZIP, LHA, LZH, ARJ, MIME, MSCF, TAR, GZIP, BZIP2, RAR, and ACE.
  • Expansion: used when only a single file has been compressed or archived into a single file: PKLITE, PKLITE32, LZEXE, DIET, ASPACK, UPX, MSCOMP, LZW, MACBIN, and Petite.
  • Decoding: used when a file has been converted from binary to ASCII, a method that is widely employed by email systems: UUENCODE and BINHEX.
When IM Security does not support the compression type, then it cannot detect viruses/malware in compression layers beyond the first compression layer.
When IM Security encounters a compressed file it does the following:
  1. IM Security extracts the compressed files and scans them.
    IM Security begins by extracting the first compression layer. After extracting the first layer, IM Security proceeds to the second layer and so on until it has scanned all of the compression layers that the user configured it to scan, up to a maximum of 20.
  2. IM Security performs a user-configured action on infected files.
    IM Security performs the same action against infected files detected in compressed formats as for other infected files. For example, if you select Quarantine as the action for infected files, then IM Security quarantines entire files in which it detects the threat.