Comment by j16sdiz
7 months ago
It has to be the way it is.
Scanning them is resource intensive. The choices are (1) skip scanning them; (2) treat them as malware; (3) scan them and be DoS'ed.
(deferring the decision to a human is effectively DoS'ing your IT support team)
Option #4: detect the zip bomb in its compressed form, and skip over that section of the file. Just like the malware ignores the zip bomb.
Just the fact that it contains a zip bomb makes it malware by itself.
It does not have to be the way it is. Security vendors could do a much better job testing and red teaming their products to avoid bypasses, and have more sensible defaults.
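Added example (editor's code, not posted by any commenter in this thread) showing what option #4 above looks like in practice: the zip central directory declares every entry's compressed and uncompressed size and its local-header offset, so a scanner can triage an archive for bomb-like entries without inflating anything. The script builds two constructed sample archives (one with a highly compressible entry, one with two central-directory records pointing at the same local header, the trick overlapping bombs use), flags entries by declared ratio, declared total size and overlapping offsets, and, because declared sizes are attacker-controlled, also shows a bounded inflate that gives up once a byte budget is exceeded. The thresholds MAX_RATIO, MAX_TOTAL_UNCOMPRESSED and INFLATE_BUDGET are assumed values for illustration, not anything a vendor uses.

```python
import io
import struct
import zipfile

# Assumed thresholds for this example; tune per deployment.
MAX_RATIO = 100                               # DEFLATE cannot exceed roughly 1032:1
MAX_TOTAL_UNCOMPRESSED = 256 * 1024 * 1024    # declared total across all entries
INFLATE_BUDGET = 16 * 1024 * 1024             # bytes we are willing to actually produce

SAMPLE_TEXT = "quarterly report, nothing to see here\n"


def build_sample_archive(zero_bytes: int) -> bytes:
    """Constructed sample: one ordinary text file beside a run of zeros that deflates ~1000:1."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED, compresslevel=9) as zf:
        zf.writestr("readme.txt", SAMPLE_TEXT)
        zf.writestr("bomb.bin", b"\0" * zero_bytes)
    return buf.getvalue()


def build_overlapping_archive() -> bytes:
    """Constructed sample: duplicate the only central-directory record so two entries
    reference the same local header, and patch the EOCD counts to match."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.bin", b"\0" * 4096)
    data = buf.getvalue()
    eocd = data.rfind(b"PK\x05\x06")
    n_disk, n_total, cd_size, cd_off = struct.unpack_from("<HHII", data, eocd + 8)
    cd = data[cd_off:cd_off + cd_size]
    new_eocd = (data[eocd:eocd + 8]
                + struct.pack("<HHII", n_disk + 1, n_total + 1, cd_size * 2, cd_off)
                + data[eocd + 20:])
    return data[:cd_off] + cd + cd + new_eocd


def triage_central_directory(data: bytes) -> dict:
    """Inspect declared sizes and offsets only; no entry is inflated here."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    total_declared = sum(i.file_size for i in infos)
    for info in infos:
        if info.compress_size > 0:
            ratio = info.file_size / info.compress_size
            if ratio > MAX_RATIO:
                findings.append((info.filename, f"ratio {ratio:.0f}:1"))
    if total_declared > MAX_TOTAL_UNCOMPRESSED:
        findings.append(("*", f"declared total {total_declared} bytes"))
    # A local file header is at least 30 bytes plus the file name, then the compressed
    # data; the next entry must start at or after that, so anything earlier overlaps.
    ordered = sorted(infos, key=lambda i: i.header_offset)
    for prev, nxt in zip(ordered, ordered[1:]):
        min_end = prev.header_offset + 30 + len(prev.filename) + prev.compress_size
        if nxt.header_offset < min_end:
            findings.append((nxt.filename, f"overlaps {prev.filename}"))
    return {"declared_total": total_declared, "findings": findings}


def bounded_inflate(data: bytes, name: str, budget: int = INFLATE_BUDGET) -> tuple:
    """Inflate one entry in chunks and stop as soon as the output budget is exceeded.
    Returns (bytes_produced, exceeded); the declared size is never trusted."""
    produced = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as fh:
        while True:
            chunk = fh.read(64 * 1024)
            if not chunk:
                return produced, False
            produced += len(chunk)
            if produced > budget:
                return produced, True


if __name__ == "__main__":
    sample = build_sample_archive(8 * 1024 * 1024)
    print(triage_central_directory(sample))
    print(bounded_inflate(sample, "bomb.bin", budget=1024 * 1024))
    print(triage_central_directory(build_overlapping_archive()))
```

The ratio and total-size checks catch the classic nested-zeros bomb from the central directory alone; the offset check catches the overlapping-entry construction, which keeps per-entry ratios modest but lets one block of compressed bytes be counted many times. Neither replaces the budget on actual inflation, since every declared number comes from the file being scanned.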