Compressed files raise a number of special security concerns. For example, compressed files can be password-protected or encrypted, they can harbor so-called "zip-of-death" threats, and they can contain numerous layers of compression. See also Compression types.
To balance security and performance, Trend Micro recommends that you read the following before choosing compressed file settings:
Action: Select an action you want IWSVA to take when it detects a compressed file violation.
Applies to: Specify compressed file conditions.
All compressed files: Choose this option to apply the selected action on compressed files that clients receive. Users can be notified via their FTP client or Web browser that IWSVA blocked the requested file (Notifications > FTP | HTTP) if Action is Block or Quarantine.
Compressed files if...
Decompressed file count exceeds: Set the number of files within a compressed archive at which IWSVA should stop extracting. For example, have IWSVA abandon the extraction after 1000 files. Whenever the limit is reached, IWSVA applies the selected action (block, pass, or quarantine) on the original archive, as well as any decompressed files. In addition to benefiting overall scan efficiency, setting an upper limit for decompression can prevent "zip of death" attacks designed to crash vulnerable virus scanning programs.
Size of a decompressed file exceeds: Set the maximum size that files being extracted from a compressed archive are allowed to reach. After the limit is reached, IWSVA applies the selected action (block, pass, or quarantine) on the original archive, as well as any decompressed files. As with "Number of files," setting an upper size limit for decompression can help prevent the "zip of death" attack. The maximum size can be set up to 2GB.
Number of layers of compression exceeds: Set the maximum number of layers (compressed file within a compressed file) you want IWSVA to scan down through. The system maximum is 20. Scanning multiple layers of compression can slow down overall system performance, which is why the default for this parameter is 10. After detecting 10 layers of compression, IWSVA abandons the scan task and applies the selected action (block, pass, or quarantine) on the files.
Although IWSVA can detect viruses even at the 20th layer of compression, it will only clean an infected file if it is detected in the first compression layer.
This feature is disabled when "0" is specified.
Compression ratio exceeds 99%. (Files with less than 99% compression ratio are automatically allowed by IWSVA.) IWSVA provides this feature as a guard against so-called "zip of death" threats, where one or more files of a particular nature have been "super compressed." For example, a 500KB archive might expand to 1GB or more -- a compression ratio of 99.995%.
In a compressed archive comprised of multiple files, if the compression ratio of one or more files exceeds the percent specified here, IWSVA will apply the selected action (block, pass, or quarantine) on the compressed file.
The compression ratio is the percent by which a given file in the archive was deflated.
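The four conditions above can be illustrated with a short Python sketch for ZIP archives. This is an added example, not IWSVA's own code: the `LIMITS` names, the function names and the sample archive are assumptions made for illustration.

```python
import io
import zipfile

# Assumed limits mirroring the four settings above (hypothetical names, not IWSVA code).
LIMITS = {"max_files": 1000, "max_size": 2 * 1024**3, "max_layers": 10, "max_ratio": 99.0}

def deflate_ratio(info):
    """Percent by which one archive member was deflated, from its declared sizes."""
    if info.file_size == 0:
        return 0.0
    return (1 - info.compress_size / info.file_size) * 100

def violations(data, limits=LIMITS, layer=1, seen=None):
    """Return the set of limits that the ZIP archive in `data` (bytes) exceeds."""
    seen = seen if seen is not None else [0]       # file count shared across layers
    if layer > limits["max_layers"]:
        return {"layers"}                          # stop descending past the layer limit
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            seen[0] += 1
            if seen[0] > limits["max_files"]:
                return found | {"file count"}      # stop extracting at the limit
            if info.file_size > limits["max_size"]:
                found.add("file size")             # checked before any decompression
                continue
            if deflate_ratio(info) > limits["max_ratio"]:
                found.add("ratio")
                continue
            body = zf.read(info)                   # bounded: size was checked above
            if zipfile.is_zipfile(io.BytesIO(body)):
                found |= violations(body, limits, layer + 1, seen)
    return found

def make_zip(members):
    """Build a constructed sample archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    bomb = make_zip({"zeros.bin": b"\0" * 5_000_000})  # constructed, highly compressible
    print(violations(bomb))
```

The size and ratio checks use the sizes declared in the archive's headers, so they run before any member is decompressed.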