Compression and archiving are among
the most common methods of file storage, especially for file transfers - such as email
attachments, FTP, and HTTP. Before any virus/malware detection can occur on a compressed
file,
however, you must first decompress it. For other compression file types,
ScanMail performs scan actions on the
whole compressed file, rather than individual files within the compressed file.
ScanMail currently supports the following
compression types:
-
Extraction: used when multiple files have been compressed or
archived into a single file: PKZIP, LHA, LZH, ARJ, MIME, MSCF, TAR, GZIP, BZIP2, RAR,
and
ACE.
-
Expansion: used when only a single file has been compressed or
archived into a single file: PKLITE, PKLITE32, LZEXE, DIET, ASPACK, UPX, MSCOMP, LZW,
MACBIN,
and Petite.
-
Decoding: used when a file has been converted from binary to ASCII, a
method that is widely employed by email systems: UUENCODE and BINHEX.
 |
Note
When ScanMail does not support the compression type, then it cannot detect
viruses/malware in compression layers beyond the first compression layer.
|
When
ScanMail encounters a compressed file it does the following:
-
ScanMail extracts the compressed files and scans them.
ScanMail begins by extracting the first compression layer. After extracting
the first layer, ScanMail proceeds
to the second layer and so on until it has scanned all of the compression layers that
the user
configured it to scan, up to a maximum of 20.
-
ScanMail
performs a user-configured action on infected files.
ScanMail performs the
same action against infected files detected in compressed formats
as for other infected files. For example, if you select Quarantine
entire message as the action for infected files, then ScanMail quarantines
entire messages in which it detects infected files.
ScanMail can clean
files from two types of compression routines: PKZIP and LHA. However, ScanMail can only clean
the first layer of files compressed using these compression routines.
