Comment by marcusb
7 months ago
Zip bombs are fun. I discovered a vulnerability in a security product once where it wouldn’t properly scan a file for malware if the file was or contained a zip archive greater than a certain size.
The practical effect of this was you could place a zip bomb in an Office XML document and this product would pass the OOXML file through even if it contained easily identifiable malware.
Eh I got news for ya.
The file size problem is still an issue for many big name EDRs.
Undoubtedly. If you go poking around most any security product (the product I was referring to was not in the EDR space), you'll see these sorts of issues all over the place.
It has to be the way it is.
Scanning them is resource intensive. The choices are (1) skip scanning them; (2) treat them as malware; (3) scan them and be DoS'ed.
(deferring the decision to a human is effectively DoS'ing your IT support team)
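Option (3) only works if the scanner bounds its own work. As an added example, not code from the thread or from any product discussed in it, this Python scanner checks the declared compression ratio of each entry, caps the bytes it actually inflates (declared sizes in the central directory can be forged), and limits how deep it follows nested archives such as OOXML embeddings. The thresholds and the sample archives are assumptions constructed here.

```python
import io
import zipfile

# Thresholds are assumptions for this example, not values from the thread.
MAX_RATIO = 100                 # flag any entry that inflates more than 100x
MAX_BYTES = 20 * 1024 * 1024    # never inflate more than 20 MiB per archive
MAX_DEPTH = 2                   # stop descending into nested archives past this

def scan_archive(data: bytes, depth: int = 0) -> dict:
    """Inspect a ZIP (OOXML files are ZIPs) under hard resource caps.
    Returns {'verdict': 'clean'|'suspicious'|'unscannable', 'reasons': [...]}."""
    reasons, inflated = [], 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Declared sizes can be forged, so they give only an early verdict;
            # the read loop below enforces the cap on what is really inflated.
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > MAX_RATIO:
                reasons.append(f"{info.filename}: declared ratio {ratio:.0f}x")
                return {"verdict": "suspicious", "reasons": reasons}
            chunks = []
            with zf.open(info) as fh:
                while chunk := fh.read(65536):
                    inflated += len(chunk)
                    if inflated > MAX_BYTES:
                        reasons.append(f"{info.filename}: inflated past {MAX_BYTES} bytes")
                        return {"verdict": "suspicious", "reasons": reasons}
                    chunks.append(chunk)
            body = b"".join(chunks)
            if body[:4] == b"PK\x03\x04":           # nested archive (e.g. an OOXML embedding)
                if depth >= MAX_DEPTH:
                    reasons.append(f"{info.filename}: nested deeper than {MAX_DEPTH}")
                    return {"verdict": "unscannable", "reasons": reasons}
                inner = scan_archive(body, depth + 1)
                if inner["verdict"] != "clean":
                    reasons += [f"{info.filename} -> {r}" for r in inner["reasons"]]
                    return {"verdict": inner["verdict"], "reasons": reasons}
    return {"verdict": "clean", "reasons": reasons}

def build_zip(entries: dict) -> bytes:
    """Helper to construct in-memory DEFLATE archives for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples: a benign OOXML-shaped file, and one embedding a highly compressible blob.
BENIGN_DOCX = build_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
BOMB_ZIP = build_zip({"payload.bin": b"\0" * (2 * 1024 * 1024)})   # 2 MiB of zeros, ~1000x
EVIL_DOCX = build_zip({"word/document.xml": b"<w:document/>", "word/embeddings/o.zip": BOMB_ZIP})
```

The verdicts map onto the three choices above: a "suspicious" result is option (2) applied only to archives that trip a cap, while "unscannable" makes the skip of option (1) explicit instead of silent.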
Is that endpoint detection and response?
Yes