Page 1 of 2 12 LastLast
Results 1 to 10 of 12
  1. #1

    Antivirus cant scan password protected rar

    This is old issue, so again I am here
    Its been more than month I am getting this virus in mail server, bcoz of virus problem my server ip had been blocked few times, and finally I found that virus in “PASSWORD PROTACTED ARCHIVE (RAR)”

    Most of my clients are getting this spam mail with password protected rar. And spammers are providing password for that archive file in mail. So that users can use that password to unzip that file, once users unzip that file virus can easily enter in the system.

    So here is the BIG question, how to stop some virus in password protected archive, I have getway firewall and Norton antivirus on my server but none of them are able to scan password protected archive file, I tried to scan in my local pc also, but result was same, I have used different site to scan that file. ( ie. http://virusscan.jotti.org/ ) but I guess none of scanner can scan password protected rar.

    Is there any antivirus can scan password protected rar file, what is the best hardware firewall for IDP, antivirus, antispam. i tried cyberoam firewall but it doesn’t work against brute force. Basically I want to stop some attacks against my web and mail, there are hundreds of tools available on net for dictionary attack. So if you guys can suggest me good hardware firewall which can support IDP, antispam, antivirus.

    i don’t do spamming but I guess this is the biggest weapons of spammer to use password protected rar file to bypass any of firewall or antivirus protection, I really need some help to solve this problem.
    one of the great day in my life when i found antionline.com

  2. #2
    Join Date
    Feb 2005
    i highly doubt any antivirus technology can access/scan a password protected compressed file... since u will need to have the password to decode the stuff in there before u can actually read the file to scan it... and since the AV doesnt have the password to open the files, the coding of the files are encrypted hence the AV sees that as a bunch of garbage so it will not flag the file and alert the user if there is a virus in there

  3. #3
    Member TheX1le's Avatar
    Join Date
    Sep 2006
    What if there was some sort of script to have the Anti Viri was to scan the message for the password and then plug it in to check. No idea how to impliment that with standard setups but would solve the issue. Just a half baked idea
    ...."Cant stop the signal Mel, Every thing goes some where and i go every where."...... "From here to the eyes and the ears of the verse, thats my motto or might be if i start having a motto" - Mr. Universe "Serenity"

  4. #4
    Join Date
    May 2006
    The first thing you should probably do is educate your users about not opening the files. THat would be the simplest thing you could do. But, for every time you tell them not to do it they will probably do it ten times. The next possible solution takes a bit of time but could be done. Place a box between your users and the server scan all incoming emails and have all emails that hold attachments that can't be opened trashed.

  5. #5
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Nobody is going to suffer if you just block all RAR files
    until somebody comes up with a fix.
    I came in to the world with nothing. I still have most of it.

  6. #6
    thanks for ur reply guys

    is there any way or any software available which can block password protected rar file. even if
    its not virus, i just want to block any rar file with password, i mean i want to allow normal rar file but not password protected. i have more than 300 sites running on my server and each site has more than 200 users so its hard to inform all thousands of users.
    one of the great day in my life when i found antionline.com

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    Hello pbrprince ,

    I would mention that some anti-virus applications do not scan compressed files unless you make an election in their advanced set-up mode to do so.

    Others will look on them almost as text files, and only perform a scan prior to opening them.

    Please submit a copy of the file here:


    They will scan it with very recently updated versions of the major AVs and we can then find out what it is and how it works?

    I am sending you a private message with an e-mail address. Please send me a copy of the file so that I can have a look at it for you. Do not worry! I will use a machine that I have imaged and can instantly rebuild



  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Rotterdam, Netherlands
    I have yet to encounter an anti-virus program that's able to scan password protected zips and/or rars. Think about it, the scanner doesn't know the password so it would have to brute-force it.. Some do detect the virusses though.. Even without unzipping/unrarring them.. Any decent on-access scanner would detect the virus as soon as it's unzipped/unrarred though...

    I haven't seen any spam that uses this technique.. Only virusses/worms.. Simplest solution would be to block any and all password protected archives.

    Clearswift's MIMESweeper is one of the best email content scanners I've seen. It isn't cheap though..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  9. #9
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    SD has it. How often are you going to get a genuine email that contains a password protected compressed file?

    Next to never.

    Delete them all.

    Advise your users anyway for their own good, they could receive similar spam at home. If they think about security at home they (might) think about security at work.

  10. #10
    As I mansion in my last mail I have more than 3000 users on my mail server so its hard to educate all of them, because I have given administrator rights to all domain admin so that they can add as many email id they wants. So its hard to send a mail to all new users about this virus. And as you know guys when we say not to do something they always do it.

    I have sent a mail to all domains and most of users are saying that why don’t you block this rar file. Why you allow us to receive it, non IT people always argue abt this. They always want us to give them full proof protection. I am also thinking that its not permanent solution to educate users it can happen with new users.

    Nihil :- after scan I have deleted that virus file so currently I don’t have it. But for testing purpose you can make one rar file with virus and give password (xyz) and than try to scan it. I have tried that link also which you have given me. But it’s also not able to scan it. Two of them are showing that archive protected. I have got that same virus infected rar file in my yahoo account also it means that virus is reading everybody’s address book and sending mail to those all accounts.

    SD :- yes you are right I am also facing this problem first time, I haven’t seen any spam like this before but I guess this is the starting, as you know spammers always find new ways to send spam mails.

    Yahoo and hotmail scans archive for virus but none of them able to scan protected archive. So, in future spammer can target yahoo and hotmail also.

    I am ready to get any antivirus which can only block protected archive, I don’t want them to scan it and delete it but at lease I can protect my users. And just because of this I am facing RBL problem.

    Thanks you guys for your advice, I am sure there will be some way out of this
    one of the great day in my life when i found antionline.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts