Compression and archiving are among the most common methods of file storage, especially for file transfers, such as email attachments, FTP, and HTTP. Before any virus/malware detection can occur on a compressed file, however, you must first decompress it. For other compression file types, ScanMail performs scan actions on the whole compressed file, rather than individual files within the compressed file.

ScanMail currently supports the following compression types:

- Extraction: used when multiple files have been compressed or archived into a single file: PKZIP, LHA, LZH, ARJ, MIME, MSCF, TAR, GZIP, BZIP2, RAR, and ACE.
- Expansion: used when only a single file has been compressed or archived into a single file: PKLITE, PKLITE32, LZEXE, DIET, ASPACK, UPX, MSCOMP, LZW, MACBIN, and Petite.
- Decoding: used when a file has been converted from binary to ASCII, a method that is widely employed by email systems: UUENCODE and BINHEX.

Note: When ScanMail does not support the compression type, then it cannot detect viruses/malware in compression layers beyond the first compression layer.

When ScanMail encounters a compressed file it does the following:

- ScanMail extracts the compressed files and scans them.
  ScanMail begins by extracting the first compression layer. After extracting the first layer, ScanMail proceeds to the second layer and so on until it has scanned all of the compression layers that the user configured it to scan, up to a maximum of 20.
- ScanMail performs a user-configured action on infected files.
  ScanMail performs the same action against infected files detected in compressed formats as for other infected files. For example, if you select Quarantine entire message as the action for infected files, then ScanMail quarantines entire messages in which it detects infected files.

ScanMail can clean files from two types of compression routines: PKZIP and LHA. However, ScanMail can only clean the first layer of files compressed using these compression routines.
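
The layer-by-layer extraction described above, sketched as an added example (this is not ScanMail's code): it handles only ZIP, uses a constructed marker string in place of a real pattern match, and the names `scan_layers` and `nest` are hypothetical. Archives that remain unopened once the configured layer count is reached are reported so that a policy can act on them.

```python
import io
import zipfile

MAX_LAYERS_CAP = 20                   # upper bound on layers stated on the page
MARKER = b"CONSTRUCTED-TEST-MARKER"   # constructed stand-in for a signature match


def scan_layers(data, name, max_layers, layer=0, report=None):
    """Walk nested ZIP layers and return {'hits': [...], 'unscanned': [...]}."""
    if report is None:
        report = {"hits": [], "unscanned": []}
    max_layers = min(max_layers, MAX_LAYERS_CAP)
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Not an archive this sketch supports: scan the bytes as a whole.
        if MARKER in data:
            report["hits"].append(name)
        return report
    if layer >= max_layers:
        # Configured layer count exhausted: the contents are not inspected.
        report["unscanned"].append(name)
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                scan_layers(zf.read(info), f"{name}/{info.filename}",
                            max_layers, layer + 1, report)
    return report


def nest(payload, inner_name, depth):
    """Build a constructed sample: payload wrapped in `depth` ZIP layers."""
    data, fname = payload, inner_name
    for i in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(fname, data)
        data, fname = buf.getvalue(), f"layer{depth - i}.zip"
    return data


if __name__ == "__main__":
    sample = nest(MARKER, "doc.txt", 3)
    print(scan_layers(sample, "attachment.zip", max_layers=3))
    print(scan_layers(sample, "attachment.zip", max_layers=2))
```

A non-empty `unscanned` list means the verdict for that attachment covers only the outer layers.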