How does VirusTotal Handle Zipped Files?


Carey Hoffman

Dec 3, 2013, 12:47:34 PM12/3/13
to virus...@googlegroups.com
I'm unpacking a large installer and repackaging it into smaller bites, then zipping them to get them < 34MB.  Does anyone know if that's an appropriate method to send files to be scanned?  Can the virus scanning tools utilized by VT scan the contents of a zipped file?

Not really fair to ask that question here since VT didn't write the scanners, I realize that.  But I am hoping that someone knows much more about HOW scanning occurs than I do :)

Emiliano Martinez

Dec 4, 2013, 3:05:31 AM12/4/13
to virus...@googlegroups.com
Hello Carey,

If the question is: will this approach enable VirusTotal to detect maliciousness? It actually depends. How are you unpacking the large installer? Are you simply chopping the file into smaller pieces without paying any kind of attention to its structure and inner files? Or are you rather truly depackaging the installer, extracting the inner files that get dropped to a system when installed and repackaging those inner files into compressed bundles?

The antivirus solutions in VirusTotal rely heavily on signatures, as such, they might either have a signature that applies only to the full installer or to a file that might be found inside the installer. If they have a signature for the entire installer, the first approach might randomly cut the file at the middle of a signature match and so the antivirus detection will fail. Similarly, the second approach would not work at all as the installer no longer exists but rather its unpacked inner contents placed into a zip file.

If a file within the installer is malicious and you have used method 2 to submit to VirusTotal, then chances are it will indeed work. Most of the antivirus solutions in VirusTotal can dig into several layers of packing, including standard compression; eventually the corresponding signature for an embedded file should be triggered.

In any case, I would suggest you avoid either of those two methods; it would lead to VirusTotal having files in forms that no one will ever find in-the-wild, and so it would be pretty useless for the community as a whole. What you should rather do is extract all files that the installer drops and scan every single individual file; that is the most effective for you and for the community. You should obviously implement some filters to avoid scanning potentially harmless files such as text files (EULAs, Readmes, Configs, etc.), images, etc.

Regards.


Reda Chebli

Dec 4, 2013, 3:38:54 AM12/4/13
to virus...@googlegroups.com
My modest input, if that helps:

A simple test I did a few days ago (I'm new at VT): I put 2 pieces of malware into a zip folder. VT found the first one (by alphabetical order) and stopped. VT didn't mention the second file. So I wonder if scanning an archive would be helpful or not if it stops scanning as soon as a malware is found. Not sure about that argument, though!

Is there any standardized list of "potentially harmless files such as text files (EULAs, Readmes, Configs, etc.), images, etc." that antiviruses in general use or VT to avoid scanning unnecessary files ?

Thank you

Reda

Peter Meier

Dec 4, 2013, 3:46:14 AM12/4/13
to virus...@googlegroups.com

You may have noticed that VT is not an actual scan engine; it just uses different antivirus solutions to scan over the file.
So how your sample is detected does not depend on VT but on the scan engine of the specific vendor.
Most engines only give you one result because that's just best effort and saves some time.
Also VirusTotal will only show you one result even if the scanner found multiple samples inside the zip.

Hth


Reda Chebli

Dec 4, 2013, 5:02:09 AM12/4/13
to virus...@googlegroups.com
Is there any standardized list of "potentially harmless files such as text files (EULAs, Readmes, Configs, etc.), images, etc." that antiviruses in general use or VT to avoid scanning unnecessary files ?

Thank you

Reda


Peter Meier

Dec 4, 2013, 5:50:10 AM12/4/13
to virus...@googlegroups.com
I think that really depends on the scanner itself, but I think most of the scanners will scan all files, no matter what file type.



Emiliano Martinez

Dec 4, 2013, 6:40:15 AM12/4/13
to virus...@googlegroups.com
Peter is correct: scanners will analyze any file type, and most of them will have signatures for any file type provided they are malicious. That is why VT can scan APKs, DOCs, ELFs, Mach-O... any file type. This said, the suggestion to avoid certain file types was just in order to prevent loading VT with useless scans.

For example, most images will be harmless, especially if they are found inside an installer. Of course, there might be the random image with some HTML injection, one that exploits a given piece of software, or perhaps an image being used to disguise other malicious code portions within its body that another piece of code will then reassemble. Having said this, since these cases are the least common, when doing the installer unpacking I would suggest avoiding their submission.

Carey Hoffman

Dec 4, 2013, 12:20:25 PM12/4/13
to virus...@googlegroups.com
In my case, I'm installing the program, using Python to repack it into bite-sized pieces (not an issue to remove useless files), then zipping and shipping.  I'm not worried about the installer itself, so I'm not worried about chopping it up.  I'm worried about the files/packages contained within.

@Reda Chebli good idea, that is what I was going to do today.  Just to bolster the sample pool, I'm still going to do that test.

Again, I'll make sure to purge *.txt, config, *blah* files that are useless to scan.

Thanks for the chat gang!  I'll try and remember to post back with my test results.

- Carey
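The filter-then-bundle step Emiliano recommends above and Carey says he is doing in Python, as an added example that is not code from this thread, from VirusTotal or from any poster: it walks an extracted installer tree, drops the low-value types (the extension and file-name lists are my assumptions, not any VirusTotal list), and first-fits the remaining files into zips under the 34MB limit from the thread, giving a single oversized file a bundle of its own and flagging it.

```python
import tempfile
import zipfile
from pathlib import Path

MAX_BUNDLE_BYTES = 34 * 1024 * 1024  # the "< 34MB" limit quoted in the thread
# Assumed low-value types per the advice above (EULAs, readmes, configs, images); not a VT list.
SKIP_EXTENSIONS = {".txt", ".rtf", ".ini", ".cfg", ".json", ".xml", ".png", ".jpg", ".gif", ".ico"}
SKIP_STEMS = {"eula", "readme", "license", "licence", "changelog"}


def is_worth_scanning(rel_path):
    p = Path(rel_path)
    return p.suffix.lower() not in SKIP_EXTENSIONS and p.stem.lower() not in SKIP_STEMS


def plan_bundles(files, max_bytes=MAX_BUNDLE_BYTES):
    """files: [(relative path, size)] -> first-fit bundles by descending uncompressed size."""
    bundles = []
    for rel, size in sorted(files, key=lambda t: t[1], reverse=True):
        if not is_worth_scanning(rel):
            continue
        target = next((b for b in bundles if b["size"] + size <= max_bytes), None)
        if target is None:  # nothing has room: open a new bundle, flag it if the file alone is too big
            target = {"files": [], "size": 0, "oversized": size > max_bytes}
            bundles.append(target)
        target["files"].append(rel)
        target["size"] += size
    return bundles


def bundle_tree(root, out_dir, max_bytes=MAX_BUNDLE_BYTES):
    """Zip the scannable files of an extracted installer tree into out_dir and return the plan."""
    root = Path(root)
    files = [(p.relative_to(root).as_posix(), p.stat().st_size) for p in root.rglob("*") if p.is_file()]
    plan = plan_bundles(files, max_bytes)
    for i, b in enumerate(plan):
        with zipfile.ZipFile(Path(out_dir) / f"bundle-{i:03d}.zip", "w", zipfile.ZIP_DEFLATED) as z:
            for rel in b["files"]:
                z.write(root / rel, rel)  # keep the relative path so each result stays traceable
    return plan


def demo():
    """Constructed sample tree (not a real installer) bundled under a 3000-byte cap."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "unpacked"
        root.mkdir()
        (root / "app.exe").write_bytes(b"A" * 2000)
        (root / "helper.dll").write_bytes(b"B" * 900)
        (root / "big.msi").write_bytes(b"C" * 4000)  # over the cap on its own
        (root / "README.txt").write_text("constructed readme, filtered out")
        plan = bundle_tree(root, tmp, max_bytes=3000)
        return plan, sorted(p.name for p in Path(tmp).glob("*.zip"))
```

Planning on uncompressed size is deliberately conservative, since deflate only shrinks the payload; a bundle flagged oversized still needs to be split or submitted as the single file it contains.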

Carey Hoffman

Jan 15, 2014, 3:38:07 PM1/15/14
to virus...@googlegroups.com
Sorry for the delay (as if people were holding their breath).  Confirmed that every single scanner in VT detects an embedded virus in a zipped file.