Compressed files provide a number of special security concerns. In short, compressed files can be password-protected or encrypted, they can harbor so-called "zip-of-death" threats, and they can contain within them numerous layers of compression.
To balance security and performance, Trend Micro recommends that you read the following before choosing compressed file settings:
Block all compressed files: Choose this option to have [product] prevent the client from receiving compressed files. Users can notified via their FTP client or Web browser that IWSS blocked the requested file (Notifications > FTP | HTTP )
Block compressed files if...
Decompressed file count exceeds: Set the number of files within a compressed archive at which [product] should stop extracting. MORE>>
For example have [product] abandon the extraction after 1000 files.
Whenever the limit is reached, the original archive, as well as any decompressed files, is deleted. In addition to benefiting overall scan efficiency, setting an upper limit for decompression can prevent "zip of death" attacks designed to crash vulnerable virus scanning programs.
Size of a decompressed file exceeds: Set the maximum size that files being extracted from a compressed archive are allowed to reach. MORE>>
Once the limit is reached, the original archive, as well as any decompressed files, is deleted. As with "Number of files", setting an upper size limit for decompression can help prevent the "zip of death" attack.
Number of layers of compression exceeds: Set the maximum number of layers (compressed file within a compressed file) you want [product] to scan down through. The system maximum is 20. MORE>>
Scanning multiple layers of compression can slow down overall system performance, which is why the default for this parameter is 10. After detecting 10 layers of compression, [product] abandons the scan task and blocks the file.
Although [product] can detect viruses in even the 20th layer of compression, it will only clean an infected file if it is detected in the first compression layer.
Compression ratio of any file in the archive exceeds: x% : Recommended setting is 100 (no limit; disabled). MORE>>
[product] provides this feature as a guard against so called "zip of death" threats, where one or more files of a particular nature have been "super compressed." For example, a 500KB archive might expand to 1GB or more -- a compression ratio of 99.995%.
In a compressed archive comprised of multiple files, if the compression ratio of one or more files exceeds the percent specified here, [product] will block the compressed file.
The compression ratio is the percent by which a given file in the archive was deflated.
Compression types