
Scanning malware embedded in XML content

Any way to accomplish this? As we know, containers like ZIP are easy peasy. Content will get scanned without issues (provided no encryption is used). But what about more complicated container files, such as, and specifically, XML? Does Sophos have any kind of a position on this issue?



  • Hi,

    Can you give a real world example where this would be helpful?

    Are you thinking of some form of encoded binary/script embedded inside an XML document? In which case how might it be executed without it being extracted into the executable form first? Anything in a container typically can't be executed before it's extracted. I wouldn't consider something like a self-extracting archive file in this scenario.

    I could encode a malicious binary in an XML document and send you the XML document. OK, the XML document is harbouring a malicious file, but I can't think of an XML parser that would attempt to extract and execute content just by opening it. You would need to extract the content, potentially unencode it and then write it back out before executing, at which point it's the original file that would be detected.

    I could understand the scenario where a website might store files in a table in a database; they may even wrap them in an XML document. The web server could serve up the content of the XML as the download/script, but ultimately, as it's delivered, it's back in the "exposed" form again, so it would be scanned as normal.

    Scanning inside containers really just prevents malicious files from lurking, waiting to be extracted and the contents executed. So you might find something sooner to reduce the likelihood of someone finding it and running it later or, worst case, someone finding it, extracting and running it without malware protection. Is this the reason?

    Regards,

    Jak

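The reply's point is that a binary wrapped in XML is just the original file in an encoded form, so a scanner that decodes the encoded text nodes can apply the same signature check it would apply to the extracted file. The following is an added example, not code from the thread, from Sophos or from any product: it walks every text node of a constructed XML document (a file-in-a-database-record layout like the one described), base64-decodes the nodes that look encoded, and hashes the decoded bytes against a constructed signature set. The payload, the "known bad" hash and the record format are all made up for the example and are not real malware indicators.

```python
import base64
import binascii
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed "known bad" sample: a fake file header plus a marker string.
# Its SHA-256 stands in for a real signature database entry.
KNOWN_BAD_PAYLOAD = b"MZ\x90\x00constructed-sample-not-real-malware"
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_BAD_PAYLOAD).hexdigest()}

# Constructed XML export: files stored as base64 inside <data> elements.
SAMPLE_XML = f"""<records>
  <record id="1"><name>readme.txt</name><data encoding="base64">{base64.b64encode(b"hello").decode()}</data></record>
  <record id="2"><name>tool.exe</name><data encoding="base64">{base64.b64encode(KNOWN_BAD_PAYLOAD).decode()}</data></record>
  <record id="3"><note>plain text, not base64</note></record>
</records>
"""

# Characters permitted in a base64 text node (whitespace is tolerated and stripped).
B64_RE = re.compile(r"^[A-Za-z0-9+/]+=*$")


def decode_candidate(text):
    """Return the decoded bytes if the text node looks like base64 and decodes
    cleanly under strict validation, otherwise None."""
    stripped = "".join(text.split())
    if len(stripped) < 8 or not B64_RE.match(stripped):
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_xml(xml_text, bad_hashes=KNOWN_BAD_HASHES):
    """Walk every element's text and tail, decode base64-looking nodes and hash
    the decoded bytes against the signature set.

    Returns a list of (tag, attributes, sha256) tuples for each match, i.e. the
    same detection the scanner would make on the extracted file itself."""
    root = ET.fromstring(xml_text)
    hits = []
    for elem in root.iter():
        for text in (elem.text, elem.tail):
            if not text:
                continue
            payload = decode_candidate(text)
            if payload is None:
                continue
            digest = hashlib.sha256(payload).hexdigest()
            if digest in bad_hashes:
                hits.append((elem.tag, dict(elem.attrib), digest))
    return hits


if __name__ == "__main__":
    for tag, attrs, digest in scan_xml(SAMPLE_XML):
        print(f"match in <{tag} {attrs}>: sha256={digest}")
```

Two caveats a defender would add: the decoder only recognises plain base64, so hex, URL-safe base64 or a custom encoding would need their own candidate decoders (the same hashing step applies afterwards), and XML arriving from an untrusted source should be parsed with entity expansion disabled (for example with the defusedxml package) before a scanner walks it.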