Compressed files raise a number of special security concerns. In short, compressed files can be password-protected or encrypted, may harbor so-called "zip-of-death" threats, and may contain numerous layers of compression. See also Compression types.
To balance security and performance, Trend Micro recommends that you read the following before choosing compressed file settings:
Action: Select an action you want IWSVA to take when it detects a compressed file violation.
Applies to: Specify compressed file conditions.
All compressed files: Choose this option to apply the selected action to compressed files that clients receive. Users can be notified via their FTP client or Web browser that IWSVA blocked the requested file (Notifications > FTP | HTTP) if Action is Block or Quarantine.
Compressed files if...
Decompressed file count exceeds: Set the number of files within a compressed archive at which IWSVA should stop extracting.
For example, have IWSVA abandon the extraction after 1000 files.
Whenever the limit is reached, IWSVA applies the selected action (block, pass, or quarantine) on the original archive, as well as any decompressed files. In addition to benefiting overall scan efficiency, setting an upper limit for decompression can prevent "zip of death" attacks designed to crash vulnerable virus scanning programs.
Size of a decompressed file exceeds: Set the maximum size that files being extracted from a compressed archive are allowed to reach.
Once the limit is reached, IWSVA applies the selected action (block, pass, or quarantine) on the original archive, as well as any decompressed files. As with "Number of files", setting an upper size limit for decompression can help prevent the "zip of death" attack.
Number of layers of compression exceeds: Set the maximum number of layers (compressed file within a compressed file) you want IWSVA to scan down through. The system maximum is 20.
Scanning multiple layers of compression can slow down overall system performance, which is why the default for this parameter is 10. After detecting 10 layers of compression, IWSVA abandons the scan task and applies the selected action (block, pass, or quarantine) on the files.
Although IWSVA can detect viruses even at the 20th layer of compression, it will only clean an infected file if it is detected in the first compression layer.
Compression ratio exceeds 99%. (Files with less than 99% compression ratio are automatically allowed by IWSVA.)
IWSVA provides this feature as a guard against so-called "zip of death" threats, where one or more files of a particular nature have been "super compressed." For example, a 500KB archive might expand to 1GB or more -- a compression ratio of 99.995%.
In a compressed archive comprised of multiple files, if the compression ratio of one or more files exceeds the percent specified here, IWSVA will apply the selected action (block, pass, or quarantine) on the compressed file.
The compression ratio is the percent by which a given file in the archive was deflated.
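The four conditions above can be checked against a ZIP archive before anything is fully extracted. The following is an added example, not IWSVA code: the function names, the 50 MB size limit, counting files across nested layers, and the in-memory sample archives are assumptions made for illustration.

```python
import io
import zipfile

# The 1000-file, 10-layer and 99% values come from the text above; the size
# limit and all names here are assumptions made for this example.
LIMITS = {"files": 1000, "size": 50 * 1024 * 1024, "layers": 10, "ratio": 99.0}

def deflate_ratio(info):
    """Percent by which one archive member was deflated."""
    if info.file_size == 0:
        return 0.0
    return 100.0 * (1 - info.compress_size / info.file_size)

def violations(data, limits=LIMITS, layer=1, seen=None):
    """Return the set of limits a ZIP (as bytes) exceeds; empty set = none."""
    if layer > limits["layers"]:
        return {"layers"}                      # too deep: do not open it
    seen = seen if seen is not None else [0]   # files counted across layers
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            seen[0] += 1
            if seen[0] > limits["files"]:
                return found | {"files"}       # stop extracting here
            if deflate_ratio(info) > limits["ratio"]:
                found.add("ratio")
                continue                       # never inflate this member
            if info.file_size > limits["size"]:
                found.add("size")
                continue
            # Bounded read, so a misleading header cannot force a huge inflate.
            with zf.open(info) as member:
                body = member.read(limits["size"] + 1)
            if len(body) > limits["size"]:
                found.add("size")
            elif zipfile.is_zipfile(io.BytesIO(body)):
                found |= violations(body, limits, layer + 1, seen)
    return found

def make_zip(members):
    """Build a ZIP in memory from {name: bytes}; constructed sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

The ratio and size checks read only the archive's directory entries, so a member that exceeds either limit is flagged without being inflated.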