Malware In Archives
Classification
After reading comments that conflicted with my understanding, I tested how Bitdefender Antivirus Free Edition handles the detection of malware within unencrypted archives. For this test I made archives in different formats*, each containing two (2) files:
- KILLCMOS.EXE (Bitdefender® identifies** it as Trojan.KillCMOS.C.)
- KILLCMOS.NFO (Safe. This is the companion information file in the distribution of KillCMOS.)
- Quarantined archive formats, which were quarantined as a whole:
  - 7Z (.7z)
  - Self-Extracting 7Z (.7z.exe)
  - WIM (.wim)
  - XZ (.tar.xz)
- Disinfected archive formats, which had KILLCMOS.EXE deleted from them:
  - BZip2 (.tar.bz2)
  - GZip (.tar.gz)
  - TAR (.tar)
  - Split TAR (.tar.001)
  - ZIP (.zip)
- Undetected archive formats, which were not detected at all:
  - ARC (.arc)
  - Self-Extracting ARC (.arc.exe)
  - PAQ (.paq8o)
  - PEA (.pea)
  - QUAD/BALZ (.tar.balz)
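The practical use of a coverage table like the one above is an allowlist: only container families the scanner was seen to inspect are trusted to the scanner, and everything else is routed to extraction-based scanning or blocked at the gateway. The script below is an added example, not code from the original post: it identifies container families by their standard magic bytes (7z, xz, WIM, bzip2, gzip, zip, tar, ARC, and a PE stub with an embedded 7z header for self-extracting 7z), maps each family to the behaviour reported above for Bitdefender Antivirus Free Edition at the time of the test, and treats anything it cannot recognise as uninspected. The sample file names and header fragments are constructed for the demonstration; PAQ, PEA and BALZ are deliberately left out of the signature table so they fall into the "unrecognised" bucket rather than being identified with signatures I am not certain of.

```python
"""Route archives by container family against the scanner coverage observed
in the post (example code, not part of the original post)."""

# Behaviour the post observed per container family for Bitdefender Free.
QUARANTINED_WHOLE = "quarantined as a whole"
DISINFECTED = "infected member deleted"
UNDETECTED = "no detection (route to extraction-based scan)"
UNKNOWN = "unrecognised container (treat as uninspected)"

SEVEN_ZIP_MAGIC = b"\x37\x7a\xbc\xaf\x27\x1c"

# (family, magic bytes, offset) -- standard signatures for these formats.
# ARC has no fixed string: it starts with 0x1A and a method byte 1..9 (checked below).
SIGNATURES = [
    ("7z", SEVEN_ZIP_MAGIC, 0),
    ("xz", b"\xfd7zXZ\x00", 0),
    ("wim", b"MSWIM\x00\x00\x00", 0),
    ("bzip2", b"BZh", 0),
    ("gzip", b"\x1f\x8b", 0),
    ("zip", b"PK\x03\x04", 0),
    ("tar", b"ustar", 257),
]

# Allowlist of what the scanner was seen to handle; anything absent is uninspected.
OBSERVED = {
    "7z": QUARANTINED_WHOLE, "7z-sfx": QUARANTINED_WHOLE,
    "xz": QUARANTINED_WHOLE, "wim": QUARANTINED_WHOLE,
    "bzip2": DISINFECTED, "gzip": DISINFECTED,
    "zip": DISINFECTED, "tar": DISINFECTED,
    "arc": UNDETECTED,
}


def identify(data):
    """Return the container family of a file's bytes, or 'unknown'."""
    for family, magic, offset in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return family
    if len(data) >= 2 and data[0] == 0x1A and 1 <= data[1] <= 9:
        return "arc"
    if data[:2] == b"MZ":
        # PE stub: a self-extracting 7z carries the 7z header after the stub.
        return "7z-sfx" if SEVEN_ZIP_MAGIC in data else "sfx"
    return "unknown"


def classify(data):
    """Return (family, observed scanner behaviour) for a file's bytes."""
    family = identify(data)
    return family, OBSERVED.get(family, UNKNOWN)


def needs_extraction_scan(samples):
    """Names of samples whose container the scanner did not inspect."""
    return [name for name, data in samples.items()
            if classify(data)[1] in (UNDETECTED, UNKNOWN)]


# Constructed header fragments, not real archives (sample names are made up).
SAMPLES = {
    "payload.tar.gz": b"\x1f\x8b\x08\x00" + b"\x00" * 12,
    "payload.tar": b"\x00" * 257 + b"ustar\x0000" + b"\x00" * 8,
    "payload.7z": SEVEN_ZIP_MAGIC + b"\x00\x04" + b"\x00" * 24,
    "payload.7z.exe": b"MZ" + b"\x00" * 62 + SEVEN_ZIP_MAGIC + b"\x00" * 8,
    "payload.arc": b"\x1a\x08" + b"PAYLOAD.EXE\x00" + b"\x00" * 16,
    "payload.pea": b"\xaa\xbb\xcc\xdd" + b"\x00" * 28,  # no signature entry
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        family, behaviour = classify(data)
        print(f"{name:16} {family:8} -> {behaviour}")
    print("route to extraction-based scanning:", needs_extraction_scan(SAMPLES))
```

The point of the allowlist shape is that a new or exotic container (PEA, PAQ, BALZ, or anything the identifier has never seen) lands in the uninspected bucket by default, which is the safe failure mode; a denylist would silently pass it to a scanner that, per the results above, may not open it.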
Unexpected Behavior
I have to say that these detections only occurred when I scanned the folder containing the archives. Before scanning, I was able to open the archives without any warning or action from Bitdefender Antivirus Free Edition.
As a final note I must state that at some point while playing with the KILLCMOS.EXE file, it seemed it was no longer being detected properly, as if some invisible exclusion rule had been set by Bitdefender Antivirus Free Edition. So, files labeled malware are not toys... if you play with fire you might get burned.
______________
*I could not cover all archive formats, e.g., I made no RAR archive (.rar).
**This file is considered safe and a useful tool by some.