Compressed File Handling
Compressed files raise a number of special security concerns. They can be password-protected or encrypted, can harbor so-called "zip-of-death" security risks, and can contain numerous layers of compression.
To balance security and performance, Trend Micro recommends that you read the following before choosing compressed file settings:
Attachment Blocking
Block all compressed files: Choose this option to have ScanMail prevent the client from receiving compressed files. Users can be notified through their mail client that ScanMail blocked the attached file (Attachment Blocking | Notification).
Click Attachment Blocking | Target.
Click Specific attachments, then click Attachment types and expand the category.
Click Compressed files. If needed, expand the category and specify types.
Click Action and select an action. Click Notification and select a notification method.
Security Risk Scan | Advanced Options | Scan Restriction Criteria
Compressed files scanning restrictions:
Click Decompressed file count exceeds: and type a number to restrict the number of decompressed files that ScanMail will scan. When the number of decompressed files within the compressed file exceeds this number, ScanMail only scans files up to the limit set by this option.
Click The size of decompressed files exceeds: and type a number that represents the size limit in MB. ScanMail only scans compressed files that are smaller than or equal to this size after decompression.
Click The number of layers of compression exceed: and type a number from 1-20. ScanMail only scans compressed files that have no more than the specified number of layers of compression. For example, if you set the limit to 5 layers of compression, ScanMail scans the first 5 layers of compressed files, but does not scan files compressed to 6 or more layers.
Click Size of decompressed file is "x" times the size of compressed file: and type a number. ScanMail only scans compressed files when the ratio of the size of the decompressed file compared to the size of the compressed file is less than or equal to this number.
This function prevents ScanMail from scanning a compressed file that might cause a Denial-of-Service (DoS) attack. A Denial-of-Service (DoS) attack happens when a mail server’s resources are overwhelmed by unnecessary tasks. Preventing ScanMail from scanning files that decompress into very large files helps prevent this problem from happening.
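The four restriction criteria above can be illustrated with a short pre-scan check on ZIP archives. This is an added example, not ScanMail code; the function names, limit names and limit values are assumptions, the ratio is evaluated per archive member, and the sample archives are constructed in memory.

```python
import io
import zipfile

# Hypothetical limits for the four criteria; names and values are assumptions.
LIMITS = {"max_files": 1000, "max_total_mb": 50, "max_layers": 5, "max_ratio": 100}

def check_archive(data, limits=LIMITS, layer=1, totals=None):
    """Return None if the ZIP stays within every limit, else the criterion exceeded."""
    totals = {"files": 0, "bytes": 0} if totals is None else totals
    if layer > limits["max_layers"]:
        return "layers"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Decide from the declared sizes before decompressing anything.
            totals["files"] += 1
            totals["bytes"] += info.file_size
            if totals["files"] > limits["max_files"]:
                return "file_count"
            if totals["bytes"] > limits["max_total_mb"] * 1024 * 1024:
                return "size"
            if info.file_size > limits["max_ratio"] * max(info.compress_size, 1):
                return "ratio"
            # zipfile stops reading at the declared file_size, which was capped above.
            body = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(body)):
                verdict = check_archive(body, limits, layer + 1, totals)
                if verdict:
                    return verdict
    return None

def make_zip(members):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

def nest(data, extra_layers):
    """Wrap an archive in extra_layers further ZIP layers."""
    for _ in range(extra_layers):
        data = make_zip({"inner.zip": data})
    return data

if __name__ == "__main__":
    benign = make_zip({"a.txt": b"hello"})
    zeros = make_zip({"z.bin": b"\0" * 1_000_000})
    print([check_archive(x) for x in (benign, zeros, nest(benign, 5))])
```

The file count and decompressed size are accumulated across all layers, so a nested archive cannot reset the totals by hiding files one level down.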