Some security-conscious souls may have started blocking all .zip files at the gateway, given the wide variety of...
worms taking advantage of the file type in recent weeks. However, some experts say security managers shouldn't jump the gun.
Worms traveling as .zip files aren't new. Sobig-E did so last June -- just one of dozens unleashed in the last few years. The writers of the Bagle worms added an interesting twist by sending their creations as password-protected .zips with the password included in the message, prompting debate over how best to protect enterprises against this growing threat.
Some companies purposely strip out password protected .zip files because traditionally, antivirus scanners can't detect worms within them. That's changed, with a few of the major antivirus software vendors now scanning password-protected .zip files.
Few would argue against blocking or stripping executable files such as .exes, .scrs and .pifs. Doing a risk assessment for such files is a snap. The risks posed by such files, often used by worm writers, aren't offset by significantly pressing business reasons to permit them.
By contrast, many businesses have a legitimate reason for accepting .zip files. "It's time to begin considering blocking .zip because of the proliferation of .zip viruses," said Greg Francis, senior system administrator at Gonzaga University in Spokane, Wash. "We're not ready to do that yet, though, because it's such a useful file type."
Antivirus experts agree with Francis. While blocking .zip files may be useful for preventing worms, a business case can be made for letting them in. "People shouldn't get paranoid about .zip files. They are relatively safe," said Vincent Gullotto, vice president of McAfee AVERT.
When considering to strip or not to strip, companies need to balance the risks posed by .zip files with the potential productivity loss if they aren't allowed in. Bob Gullet, director of network technology at the College of American Pathologists, knows full well the challenges posed by stripping .zips. "We block any .zip file that is password protected," he said. "Some people aren't perfectly happy, but we do provide FTP server space for people who need to transfer files to business partners."
Gullotto said companies should revisit their decisions over what files to block. "As with everything in security, you can't set up something today and think will be safe in six months. Things change."