Microsoft's cloud services are scanning password protected ZIP archives
Microsoft cloud services, including OneDrive and SharePoint, have started to scan password protected ZIP archives that users upload or share using these services.
Internet users have a number of options for hosting files online or sharing them. Archive formats such as ZIP or RAR are popular for hosting or sharing multiple files that belong together.
Cyber criminals have long used archive formats to distribute malware. Since most antivirus solutions scan unprotected archives for malware, attackers have started to password protect the archives instead. While that means getting potential victims to type the password to unlock the archive, it blocks many antivirus engines from checking the archive's contents.
Security researcher Andrew Brandt revealed on Monday that Microsoft started to scan password protected ZIP archives on SharePoint. He noticed that Microsoft started to flag some of his uploaded malware samples, contained in password protected ZIP archives, as malware.
Brandt used SharePoint to share malware samples with colleagues. Fellow security researcher Kevin Beaumont replied, stating that Microsoft was using a list of known passwords to try to access password protected archives for scanning. The company also scans bodies of emails or the names of files to detect passwords, which its scanners may use to unlock the archives.
Microsoft scans password protected ZIP archives in all of its cloud services. In other words: users who share password protected ZIP archives with others will have these scanned if they a) use a common password or b) share the password in the filename or attached message.
Protecting files against scanning
Microsoft customers who do not want some of their files scanned by Microsoft may switch to different formats or better encryption. The open source program 7-Zip, for example, supports AES-256 encryption. Selecting an uncommon password for the archive and not sharing it in the filename protects its contents from being scanned by Microsoft.
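An added example (not from the article or from Microsoft) that checks a ZIP against the conditions named above before it is uploaded: whether its entries use AES rather than legacy ZIP encryption, and whether the password is common or appears in the file name or message. The COMMON_PASSWORDS list, the function names and the sample archive are constructed for illustration, and .7z archives are not handled.

```python
import io
import struct
import zipfile

# Constructed stand-in for a scanner's "list of known passwords".
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
WINZIP_AES = 99  # compression-method value that marks a WinZip AES entry

def entry_protection(zip_bytes):
    """Map each member name to 'none', 'zipcrypto' (legacy) or 'aes'."""
    kinds = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & 0x1:  # bit 0 set = entry is encrypted
                kinds[info.filename] = "none"
            elif info.compress_type == WINZIP_AES:
                kinds[info.filename] = "aes"
            else:
                kinds[info.filename] = "zipcrypto"
    return kinds

def audit_upload(zip_bytes, password, upload_name, message=""):
    """List the reasons a scanner could still open this archive."""
    pw = password.lower()
    findings = [f"{name}: protection is {kind}, not AES"
                for name, kind in entry_protection(zip_bytes).items()
                if kind != "aes"]
    if pw in COMMON_PASSWORDS:
        findings.append("password is on the common-password list")
    if pw and pw in upload_name.lower():
        findings.append("password appears in the file name")
    if pw and pw in message.lower():
        findings.append("password appears in the accompanying message")
    return findings

def make_sample(flags, method):
    """Constructed one-entry ZIP; only the central-directory flag and method
    fields are patched, the payload itself is not encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("report.txt", (2023, 5, 15, 0, 0, 0)), "sample")
    data = bytearray(buf.getvalue())
    cd = data.rfind(b"PK\x01\x02")  # central directory file header
    struct.pack_into("<HH", data, cd + 8, flags, method)
    return bytes(data)

if __name__ == "__main__":
    weak = make_sample(0x1, zipfile.ZIP_STORED)
    print(audit_upload(weak, "password", "backup_pw-password.zip"))
```

An empty list from audit_upload means none of the listed conditions applies; it says nothing about the strength of a password that is simply absent from the constructed list.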
Another option may be to use a different host for important files, but some hosts may flag password protected files or block users from sending them in the first place.
Some, or even most, Microsoft customers may not object to the scanning of password protected archives that are shared with them for malware checking purposes. Most might not want their own files to be scanned, though.
The good old saying that files stored in the cloud should be considered accessible by others still holds, even though strong password protection may help protect files from being accessed for now.
Cyber criminals will likely adjust their strategies going forward as well.
Now You: do you use cloud services to store files?
Spying on our emails to steal our passwords, and then using them to open our password protected archives? Isn’t that what even companies like Microsoft would consider malicious behavior, and a judge illegal behavior? Seriously? Lawsuit ffs! Even trying common passwords to open and read our archives stored on their cloud can hardly be legal. Why isn’t that end-to-end encrypted to begin with? Those scum shouldn’t even be able to read our cleartext files! You see what happens when you give them a finger, they take the whole arm. What was the original excuse to scan our sensitive private files, I forgot, maybe it’s child porn or copyrighted material? Now they want to make sure we don’t hide viruses in our encrypted folders, what a good reason to crack them open. Assholes.
“Cyber criminals will likely adjust their strategies going forward as well.”
That’s what you worry about? Isn’t Microsoft the main cybercriminal in that story? Maybe I’m getting old?
The kind of people who trust basic Zip encryption and short/simple passwords for cloud-stored files would probably benefit from having MS scan their files [mild sarcasm].
I suggest 7-Zip w/AES-256 enabled if you want to upload 7zip files, PicoCrypt if you want plain .zip.
And proper passwords, obviously.
I don’t compress anything. I don’t send anything to the cloud. I back up all my work to an external hard drive that is only attached to the computer long enough to accept the backup. Then I make another copy and send it to another hard drive. Done.
If you’re sending zips to the cloud, that’s on you.
The simple solution is carrier pigeons – they don’t travel at a high enough altitude to mesh with any clouds or cloud services, fly totally under the radar.
If this information surprises you, then you are gullible.
And no. I do not trust total strangers with even my digital possessions.
My way: creating a secure archive with Czip X. It creates a zip file and puts it in an encrypted container. It uses Blowfish, Twofish or AES as encryption algorithm. Give it a try at https://czip.it
My way: .rar compressed file split into two equal halves (or more if required).
This is the only way to send files to a Gmail account, possibly the worst e-mail service ever. If you want to work in a serious way with attached files it’s required to have Yahoo. Almost all my classmates have a Yahoo account just to be able to send our homework to the teacher!
The way I do it:
Self-encrypt the file with AES
Rename the file NAME.exe to NAME.ex_
Send the file to wherever or whomever.
The way I do it:
1) Compress & encrypt with 7-zip (AES-256)
2) Put the result into simple ZIP archive. Yes. 7z in a ZIP.
This way you can upload _any_ file to any service, including GMail.
@Alex, according to your procedure, you don’t save the file as .7z but .zip instead. To create a .7z you need to select the .7z extension, not the .zip one. Or perhaps I have not understood properly what you meant with your instructions.
2 stage process
1) folder to 7z
2) 7z to zip
@basingstoke, OK, thanks! :]
But who is still using .zip archives?
devs, program testers, p2p servers and many other downloadable sources.
I don't use cloud for bigger and important files, my personal archive does the job, with many physical media storing, away from MS-googled services.