Compression and archiving are among the most common methods of file storage, especially for file transfers - such as email attachments, FTP, and HTTP. Before any virus/malware detection can occur on a compressed file, however, you must first decompress it. For other compression file types, IM Security performs scan actions on the whole compressed file, rather than individual files within the compressed file.

IM Security currently supports the following compression types:
- Extraction: used when multiple files have been compressed or archived into a single file: PKZIP, LHA, LZH, ARJ, MIME, MSCF, TAR, GZIP, BZIP2, RAR, and ACE.
- Expansion: used when only a single file has been compressed or archived into a single file: PKLITE, PKLITE32, LZEXE, DIET, ASPACK, UPX, MSCOMP, LZW, MACBIN, and Petite.
- Decoding: used when a file has been converted from binary to ASCII, a method that is widely employed by email systems: UUENCODE and BINHEX.

Note: When IM Security does not support the compression type, then it cannot detect viruses/malware in compression layers beyond the first compression layer.

When IM Security encounters a compressed file it does the following:

- IM Security extracts the compressed files and scans them.
  IM Security begins by extracting the first compression layer. After extracting the first layer, IM Security proceeds to the second layer and so on until it has scanned all of the compression layers that the user configured it to scan, up to a maximum of 20.
- IM Security performs a user-configured action on infected files.
  IM Security performs the same action against infected files detected in compressed formats as for other infected files. For example, if you select Quarantine entire message as the action for infected files, then IM Security quarantines entire messages in which it detects infected files.
  IM Security can clean files from two types of compression routines: PKZIP and LHA. However, IM Security can only clean the first layer of files compressed using these compression routines.
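
The layer-by-layer extraction described above can be sketched as follows. This is an added example, not IM Security's own code: it handles only ZIP and GZIP, and `MARKER`, `scan`, `nest` and the member paths are hypothetical names and constructed sample data. It assumes a container found past the configured layer limit is reported as unscanned rather than opened.

```python
import gzip, io, zipfile, zlib

MARKER = b"CONSTRUCTED-TEST-SIGNATURE"  # constructed stand-in for a real signature
MAX_LAYERS = 20                         # upper bound stated on the page

def kind(data):
    """Identify the two container types this sketch handles by magic bytes."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    return None

def unpack(data, fmt):
    """Return [(member_name, bytes)] for one compression layer."""
    if fmt == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return [(n, z.read(n)) for n in z.namelist()]
    return [("<gzip>", gzip.decompress(data))]

def scan(data, layers, path="msg", depth=0):
    """Return (detections, unscanned_containers) as lists of member paths."""
    layers = min(layers, MAX_LAYERS)
    fmt = kind(data)
    if fmt is None:                      # not a known container: scan the bytes as-is
        return ([path] if MARKER in data else []), []
    if depth >= layers:                  # configured layer limit reached: stop here
        return [], [path]
    try:
        members = unpack(data, fmt)
    except (zipfile.BadZipFile, OSError, EOFError, zlib.error, RuntimeError):
        return [], [path]                # damaged or encrypted layer: not scanned
    hits, skipped = [], []
    for name, blob in members:
        h, s = scan(blob, layers, f"{path}/{name}", depth + 1)
        hits += h
        skipped += s
    return hits, skipped

def nest(payload, n):
    """Constructed sample input: wrap payload in n alternating ZIP/GZIP layers."""
    for i in range(n):
        if i % 2 == 0:
            buf = io.BytesIO()
            with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
                z.writestr(f"layer{i}.bin", payload)
            payload = buf.getvalue()
        else:
            payload = gzip.compress(payload)
    return payload
```

With the marker wrapped in three layers, a limit of 3 reaches it, while a limit of 2 returns no detection and lists the innermost container as unscanned, which is the result an administrator should expect when the configured layer count is lower than the nesting depth of an attachment.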