
Scanning malware embedded in XML content

Any way to accomplish this? As we know, containers like ZIP are easy peasy. Content will get scanned without issues (provided no encryption is used). But what about more complicated container files, such as and specifically XML? Does Sophos have any kind of a position on this issue?



  • Elsewhere, I spotted this:

    https://nakedsecurity.sophos.com/2012/06/22/encoding-malicious-pdfs-as-xdp-files-to-bypass-anti-virus-no-need-to-panic/

    But was this feature (scanning inside XDP files) ever implemented as suggested? Also, and if yes, is the same functionality available or being considered for generic XML files?

  • Hi,

    Can you give a real world example where this would be helpful?

    Are you thinking of some form of encoded binary/script embedded inside an XML document? In which case how might it be executed without it being extracted into the executable form first? Anything in a container typically can't be executed before it's extracted. I wouldn't consider something like a self-extracting archive file in this scenario.

    I could encode a malicious binary in an XML document and send you the XML document. OK, the XML document is harbouring a malicious file, but I can't think of an XML parser that would attempt to extract and execute content just by opening it. You would need to extract the content, potentially unencode it and then write it back out before executing, at which point it's the original file that would be detected.

    I could understand the scenario where a website might store files in a table in a database; they may even wrap them in an XML document. The web server could serve up the content of the XML as the download/script, but ultimately as it's delivered it's back in the "exposed" form again, so it would be scanned as normal.

    Scanning inside containers really just prevents malicious files from lurking, waiting to be extracted and the contents executed. So you might find something sooner to reduce the likelihood of someone finding it and running it later or, worst case, someone finding it, extracting and running it without malware protection. Is this the reason?

    Regards,

    Jak

  • The use case at hand is a file transfer service that passes XML data between various parties. Sure, it could be argued that there is no immediate risk of infection as long as malware remains embedded inside an XML; however, that same argument could be made for email just the same. Yet we take it for granted nowadays that email is scanned for malware in email servers as well. Defense in depth, and all of that. Having the XML content scanned before delivery to the recipient would be an added-value service that some might find trivial but that would provide definite value to the recipient no matter what.

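As an added illustration of the extract-then-scan idea Jak describes and of the pre-delivery scanning the last post asks for (example code written for this thread, not Sophos's own or any poster's): a Python routine that walks an XDP-style document, decodes any text node that looks like base64, and flags decoded blobs whose leading bytes match a known file signature, so they can be handed to an ordinary file scanner. The XDP-like wrapper, the PDF stub and the signature table are constructed for this example.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for an embedded PDF: only its leading signature matters here.
PDF_STUB = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%EOF\n"

# Signatures worth forwarding to a real AV engine (a small, illustrative set).
MAGIC = {b"%PDF": "pdf", b"MZ": "pe", b"PK\x03\x04": "zip", b"\x7fELF": "elf"}

_B64_RE = re.compile(rb"^[A-Za-z0-9+/\s]+={0,2}$")


def wrap_in_xml(payload: bytes) -> bytes:
    """Build a hypothetical XDP-style wrapper with the payload base64-encoded
    inside <document>, modelled on the XDP trick linked above."""
    return (
        b'<?xml version="1.0" encoding="UTF-8"?>\n'
        + b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">\n'
        + b"  <xdp:pdf><document>" + base64.b64encode(payload) + b"</document></xdp:pdf>\n"
        + b"  <note>plain text, not an attachment</note>\n"
        + b"</xdp:xdp>\n"
    )


def _decode_if_base64(text: str):
    """Return decoded bytes when a text node looks like a base64 blob, else None."""
    raw = text.strip().encode()
    if len(raw) < 16 or not _B64_RE.match(raw):
        return None
    try:
        return base64.b64decode(raw)  # binascii.Error is a ValueError subclass
    except ValueError:
        return None


def find_embedded_files(xml_bytes: bytes):
    """Walk every text and tail node; report (tag, kind, size) for each decoded
    blob that starts with a known file signature. ElementTree is used for
    brevity; untrusted XML should be parsed with defusedxml or equivalent to
    block entity-expansion attacks before any content is decoded."""
    findings = []
    for elem in ET.fromstring(xml_bytes).iter():
        for text in (elem.text, elem.tail):
            blob = _decode_if_base64(text) if text else None
            if blob is None:
                continue
            for sig, kind in MAGIC.items():
                if blob.startswith(sig):
                    findings.append((elem.tag, kind, len(blob)))
                    break
    return findings
```

Running `find_embedded_files(wrap_in_xml(PDF_STUB))` reports the `<document>` node as a PDF of 50 bytes, while ordinary prose in the same document is left alone.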