VU#976247: Antivirus and Endpo... Note

VU#976247: Antivirus and Endpoint Detection and Response Archive Scanning Engines may not properly scan malformed zip archives

Malformed ZIP headers enable antivirus and EDR software to produce false negatives, as some extraction software can still decompress the archive. ZIP archives hold crucial metadata like compression method and version information, which antivirus engines use for preprocessing. Attackers can modify the compression method field, preventing proper decompression and analysis of the payload. After evading antivirus systems, the payload can be recovered by a custom loader that bypasses the declared method. This technique allows attackers to conceal malicious content while still being able to retrieve it programmatically. Standard extraction tools, however, often fail with errors when encountering these manipulated archives. This vulnerability is akin to previously identified CVEs. A remote attacker can craft a ZIP archive with tampered metadata to bypass inspection by antivirus or EDR software. While many products may flag the file as corrupted, execution of malicious code still requires user interaction to extract or process the archive. A custom loader that ignores the declared compression method can recover and execute the concealed content. Antivirus and EDR vendors should avoid relying solely on declared archive metadata for content handling. Scanners should implement more aggressive detection modes to validate compression method fields against actual content and flag inconsistencies. Users are advised to contact their antivirus or EDR providers for vulnerability assessment and mitigation guidance.