Troj/Dorf-AH virus & delete encrypted compressed files

  • Question

  • In Antigen 9.0.1055 for Exchange (and older versions), there is a setting to delete encrypted compressed files. I expected that with the Troj/Dorf-AH virus outbreak on Saturday that I'd be protected with this setting since the payload is a password protected RAR file. The attachments sailed right in, however! Is this just going to stop password-protected zips, or are there other types of archives that this supports? I had suspected that it would support most popular formats.

    Monday, November 19, 2007 6:58 PM

All replies

  • Hi there,

    I just tested this on my lab machine and confirmed that password-protected RAR files are indeed detected as encrypted compressed files and deleted. It could be that this is a new form of encryption that Antigen does not recognize. I would first suggest that you check your settings and make sure it's not the "Delete Corrupted Compressed files" option that you have selected. If you do have the encrypted compressed option selected, and also confirm that Antigen is scanning properly in general, I would then suggest you contact Support and they will provide you with the steps to submit the sample for testing.

    ~Holly Kipp

    MSFT

    Wednesday, November 21, 2007 6:24 PM
  • Thanks, Holly.

    Since I posted this, I started working with PSS on this issue. I've confirmed that it gets right through my system. PSS is trying to duplicate this in the lab now. We tried WinRAR for testing and were able to duplicate the problem. The password-protected files are being misidentified as CorruptedCompressed.

    I'm curious. Did you also use build 1055 for testing, or did you test SP1?

    Glenn

    Wednesday, November 21, 2007 9:26 PM
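The distinction the last reply turns on, "encrypted compressed" versus "corrupted compressed", is decided by header flags inside the archive. The following is an added example, not code from this thread or from Antigen: a minimal RAR 4.x header walk that classifies an archive as plain, encrypted (either a per-entry LHD_PASSWORD flag or whole-header encryption via MHD_PASSWORD on the main header) or corrupted, run over constructed sample archives. It assumes the RAR 4.x block layout only (RAR 5 differs), and the function and sample names are my own.

```python
import struct

# RAR 4.x constants from the public RAR 4 technote; only the flags this check needs.
RAR4_SIG = b"Rar!\x1a\x07\x00"
MAIN_HEAD, FILE_HEAD, END_HEAD = 0x73, 0x74, 0x7B
MHD_PASSWORD = 0x0080  # main header: the archive's headers themselves are encrypted
LHD_PASSWORD = 0x0004  # file header: this entry's packed data is encrypted
LONG_BLOCK = 0x8000    # block is followed by ADD_SIZE bytes of data (file blocks always set it)

def classify_rar4(data: bytes) -> str:
    """Return 'plain', 'encrypted' or 'corrupted' for a RAR 4.x archive (non-RAR4 input -> corrupted)."""
    if not data.startswith(RAR4_SIG):
        return "corrupted"
    pos, encrypted = len(RAR4_SIG), False
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        need = 11 if flags & LONG_BLOCK else 7  # HEAD_SIZE includes the optional ADD_SIZE field
        if pos + need > len(data) or hsize < need:
            return "corrupted"
        add = struct.unpack_from("<I", data, pos + 7)[0] if need == 11 else 0
        if pos + hsize + add > len(data):
            return "corrupted"  # block claims more bytes than the file holds (truncated archive)
        if htype == MAIN_HEAD and flags & MHD_PASSWORD:
            return "encrypted"  # header encryption: nothing after this block is parseable
        if htype == FILE_HEAD and flags & LHD_PASSWORD:
            encrypted = True
        if htype == END_HEAD:
            return "encrypted" if encrypted else "plain"
        pos += hsize + add
    if pos != len(data):
        return "corrupted"  # trailing partial header
    return "encrypted" if encrypted else "plain"

def _block(htype: int, flags: int, body: bytes = b"", payload: bytes = b"") -> bytes:
    add = struct.pack("<I", len(payload)) if flags & LONG_BLOCK else b""
    head = struct.pack("<HBHH", 0, htype, flags, 7 + len(add) + len(body))
    return head + add + body + payload

def _file_block(name: bytes, flags: int, payload: bytes) -> bytes:
    # PACK_SIZE, UNP_SIZE, HOST_OS, FILE_CRC, FTIME, UNP_VER, METHOD, NAME_SIZE, ATTR, then NAME
    fixed = struct.pack("<IIBIIBBHI", len(payload), len(payload), 2, 0, 0, 29, 0x30, len(name), 0x20)
    return _block(FILE_HEAD, flags | LONG_BLOCK, fixed + name, payload)

def sample_archives() -> dict:
    """Constructed RAR 4.x samples (HEAD_CRC left 0; classify_rar4 does not verify CRCs)."""
    main, end = _block(MAIN_HEAD, 0, b"\x00" * 6), _block(END_HEAD, 0)  # main body: HighPosAV + PosAV
    plain = RAR4_SIG + main + _file_block(b"a.txt", 0, b"hello") + end
    return {"plain": plain, "truncated": plain[:-10],
            "pw_entry": RAR4_SIG + main + _file_block(b"a.txt", LHD_PASSWORD, b"\x11" * 16) + end,
            "pw_headers": RAR4_SIG + _block(MAIN_HEAD, MHD_PASSWORD, b"\x00" * 6) + b"\xaa" * 40}
```

The header-encrypted case matters for a mail filter: once MHD_PASSWORD is set, the file headers that follow are ciphertext, so a scanner that keeps walking past the main header sees garbage and may report the archive as corrupted rather than encrypted.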