1. Field
Embodiments of the present invention generally relate to the field of computer virus or malware detection and prevention and systems and methods for detection of malicious or undesired computer files within an archive file. In particular, various embodiments relate to detecting malicious or undesired computer files within an archive that may be encrypted or password protected without breaking the encryption or examining the decrypted contents of the files.
2. Description of the Related Art
Several recent computer malware programs have been distributed inside encrypted archive files, as a means of evading detection by anti-virus programs or gateways. An archive generally refers to a computer file containing one or more files, each of which may be compressed or encrypted. Malware generally refers to malicious software, and is used here to include all undesired computer files.
Typically, the archive is distributed as an attachment to an email that contains the decryption password. The email is crafted to manipulate the reader into using the password to extract the malicious file and then open it.
When malware is distributed inside an encrypted archive, the problem of detection is made much more difficult. The detection methods currently in use have serious shortcomings. For example, one existing method detects the malware when it is extracted from the archive. This method is not useful on gateway products, only on client machines, and is unusable when scanning archive files on disk drives without opening them. Another existing method uses a password recovery algorithm to find the password, decrypt the archive and scan the files. This method is very slow. Another problem with both of these prior methods is that legitimate archives are opened and privileged information contained within them could be exposed.
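The approach described in the Field section relies on the fact that an archive's member names, sizes and per-entry encryption flag are stored in cleartext metadata even when the entry data itself is encrypted. The following is an added example (not code from the patent or any product it describes) that reads a ZIP central directory and applies a simple gateway policy without reading, let alone decrypting, any entry data. The sample archive is constructed in-memory, and the policy heuristics (executable-type or nested-archive names inside an encrypted member) are illustrative assumptions, not rules taken from the page.

```python
"""Inspect a ZIP archive's central directory without decrypting any entry.

Added example, not from the patent text. The member list, sizes, compression
method and the general-purpose 'encrypted' bit live in cleartext headers, so
a scanner can reason about a password-protected archive without the password.
"""
import struct
import zlib

LOCAL_SIG = 0x04034B50
CENTRAL_SIG = 0x02014B50
EOCD_SIG = 0x06054B50
FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0: entry data is encrypted

# Assumed policy list: names a gateway would not expect inside a
# password-protected attachment (executables and nested archives).
RISKY_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                  ".js", ".vbs", ".zip", ".rar")


def build_sample_archive(members, encrypted):
    """Construct a minimal 'stored' ZIP for testing (constructed sample data).

    members: list of (name, payload bytes). When encrypted is True only the
    header flag is set; the payload bytes are left unchanged because the
    scanner below never reads entry data, so real ciphertext would make no
    difference to it.
    """
    flags = FLAG_ENCRYPTED if encrypted else 0
    body = b""
    central = b""
    for name, payload in members:
        name_b = name.encode("utf-8")
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        offset = len(body)
        # Local file header (30 bytes) + name + data, compression method 0.
        body += struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, flags, 0, 0, 0,
                            crc, len(payload), len(payload), len(name_b), 0)
        body += name_b + payload
        # Central directory header (46 bytes) + name.
        central += struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20,
                               flags, 0, 0, 0, crc, len(payload),
                               len(payload), len(name_b), 0, 0, 0, 0, 0,
                               offset)
        central += name_b
    # End-of-central-directory record (22 bytes, no comment).
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(members),
                       len(members), len(central), len(body), 0)
    return body + central + eocd


def parse_central_directory(data):
    """Return one dict per member, taken only from cleartext ZIP metadata."""
    # The EOCD record sits at the end, possibly followed by a comment of up
    # to 65535 bytes, so search backwards within that window.
    tail = data[-(22 + 0xFFFF):]
    rel = tail.rfind(struct.pack("<I", EOCD_SIG))
    if rel < 0:
        raise ValueError("no end-of-central-directory record")
    eocd_pos = len(data) - len(tail) + rel
    _, _, _, _, total, _cd_size, cd_offset, _ = struct.unpack_from(
        "<IHHHHIIH", data, eocd_pos)
    members = []
    pos = cd_offset
    for _ in range(total):
        fields = struct.unpack_from("<IHHHHHHIIIHHHHHII", data, pos)
        if fields[0] != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        flags, method = fields[3], fields[4]
        csize, usize = fields[8], fields[9]
        nlen, xlen, clen = fields[10], fields[11], fields[12]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        members.append({
            "name": name,
            "encrypted": bool(flags & FLAG_ENCRYPTED),
            "method": method,
            "compressed_size": csize,
            "uncompressed_size": usize,
        })
        pos += 46 + nlen + xlen + clen
    return members


def assess_archive(data):
    """Flag members a gateway policy would hold for review (assumed policy).

    Only header fields are consulted; no entry data is read or decrypted.
    """
    findings = []
    for m in parse_central_directory(data):
        if m["encrypted"] and m["name"].lower().endswith(RISKY_SUFFIXES):
            findings.append((m["name"], "encrypted executable-type member"))
    return findings


if __name__ == "__main__":
    # Constructed sample: an 'encrypted' archive carrying a double-extension
    # executable next to a harmless text file.
    sample = build_sample_archive(
        [("invoice.pdf.exe", b"MZ" + b"\0" * 30), ("readme.txt", b"hello")],
        encrypted=True)
    for name, reason in assess_archive(sample):
        print(f"{name}: {reason}")
```

Because the decision is made from the central directory alone, the same check works on a gateway, on files at rest, and on archives whose password is never recovered; it also never exposes the contents of legitimate encrypted archives, which addresses the privacy concern raised above. The trade-off is that it sees only what the metadata says, so a policy built on it should treat name-based hits as a reason to hold or quarantine rather than as proof of malice.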