Comment by yorwba
5 months ago
If the decompressor is included in the compressed file and it's malicious, the file can hardly be called known good.
5 months ago
If the decompressor is included in the compressed file and it's malicious, the file can hardly be called known good.
But also I guess the logic of the decompressor could output different files in different occasions, for example, if it detects a victim, making it difficult to verify.
If it can "detect a victim", then the sandbox is faulty. The decompressor shouldn't see any system details. Only the input and output streams.