Author Topic: Zipped files and Jotti and Virus Total  (Read 5867 times)


Gentleman

  • Guest
Zipped files and Jotti and Virus Total
« on: November 30, 2009, 07:18:34 AM »
I have some questions about submitting zipped files to sites like Jotti and Virus Total which scan files with multiple AV programs.

Is submitting the file in zipped format likely to distort the results of the scanners? Would a virus that is zipped before being uploaded be less likely to be detected as a virus by the scanners?

Thanks in advance.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37545
  • Not a avast user
Re: Zipped files and Jotti and Virus Total
« Reply #1 on: November 30, 2009, 07:29:12 AM »
Don't know the answer to your question, but do you have some kind of trouble uploading to VirusTotal?
Have you tried the VirusTotal uploader?
http://www.virustotal.com/metodos.html

Gentleman

  • Guest
Re: Zipped files and Jotti and Virus Total
« Reply #2 on: November 30, 2009, 07:37:15 AM »
Thanks for your reply Pondus. I already uploaded a file but I had to zip it due to size restrictions on both Jotti and Virus Total.

Knowing whether or not the efficacy of the scans was somehow suppressed could help me better interpret the results of the scans of that file and other files in the future.

Offline sg09

  • Full Member
  • ***
  • Posts: 175
Re: Zipped files and Jotti and Virus Total
« Reply #3 on: November 30, 2009, 07:50:11 AM »
Believe it or not, some time ago I found a so-called folder which is detected as the sohanad worm when submitted by itself & as win32.perite when zipped. But everyone in VirusTotal detected that malware in both cases.
Anyone who knows how to lose can certainly learn how to win.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37545
  • Not a avast user
Re: Zipped files and Jotti and Virus Total
« Reply #4 on: November 30, 2009, 07:51:29 AM »
This is a guess, but since zip files are a very common file type and have been so for years, I would think that every antivirus is able to scan zip files without problems.

Gentleman

  • Guest
Re: Zipped files and Jotti and Virus Total
« Reply #5 on: November 30, 2009, 06:09:23 PM »
sg09,

That is interesting. So in that case, the results were changed to an extent by zipping the file. But both the zipped and non-zipped versions were at least detected.

Pondus,

Your reasoning makes sense. I just want to be sure the results can still be fairly reliable if a file is zipped. BTW, do you happen to know how AVs scan zipped files? I'm curious if they just scan them in "zip form" or if they extract them temporarily into some type of sandbox. Maybe this varies depending on the AV used?

Thanks to both of you for your replies.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37545
  • Not a avast user
Re: Zipped files and Jotti and Virus Total
« Reply #6 on: November 30, 2009, 11:14:48 PM »
quote from EICAR

Once downloaded run your AV scanner. It should detect at least the file "eicar.com". Good scanners will detect the 'virus' in the single zip archive and maybe even in the double zip archive. Once detected the scanner might not allow you any access to the file(s) anymore. You might not even be allowed by the scanner to delete these files. This is caused by the scanner which puts the file into quarantine. The test file will be treated just like any other real virus infected file. Read the user's manual of your AV scanner what to do or contact the vendor/manufacturer of your AV scanner.

http://www.eicar.org/anti_virus_test_file.htm

Gentleman

  • Guest
Re: Zipped files and Jotti and Virus Total
« Reply #7 on: December 01, 2009, 05:23:42 AM »
quote from EICAR

Once downloaded run your AV scanner. It should detect at least the file "eicar.com". Good scanners will detect the 'virus' in the single zip archive and maybe even in the double zip archive. Once detected the scanner might not allow you any access to the file(s) anymore. You might not even be allowed by the scanner to delete these files. This is caused by the scanner which puts the file into quarantine. The test file will be treated just like any other real virus infected file. Read the user's manual of your AV scanner what to do or contact the vendor/manufacturer of your AV scanner.

http://www.eicar.org/anti_virus_test_file.htm

Thanks for posting that Pondus. So it seems that decent scanners will detect malware even if it is zipped. Now I can better interpret the results that Jotti and VT gave me for the zipped file I submitted. And I now know that it's okay to zip a file before sending it to them if I need to in the future.
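
Added example, not part of the original thread and not any vendor's engine: a toy Python sketch of the "single zip / double zip" case from the EICAR quote and the question in Reply #5. It shows that a signature is not visible in the compressed bytes, so a scanner has to unpack each member (here in memory, with limits) and scan the contents. The signature marker, sample bytes, file names and limits are constructed assumptions.

```python
import io
import zipfile

# Toy signature: the marker text that appears inside the EICAR test file.
SIGNATURE = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
# Constructed sample "infected" file (padding so deflate really compresses it).
SAMPLE = b"A" * 64 + SIGNATURE + b"A" * 64
MAX_DEPTH = 3                       # assumed limit on archive nesting
MAX_MEMBER_SIZE = 10 * 1024 * 1024  # assumed limit on declared member size


def make_zip(name, data):
    """Return the bytes of a deflate-compressed zip holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def scan(data, name="<upload>", depth=0):
    """Return (path, verdict) findings for data and any nested zip members."""
    findings = []
    if SIGNATURE in data:
        findings.append((name, "signature"))
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            return findings + [(name, "not scanned: nesting too deep")]
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                path = f"{name}/{info.filename}"
                if info.flag_bits & 0x1:          # member is password-protected
                    findings.append((path, "not scanned: encrypted"))
                elif info.file_size > MAX_MEMBER_SIZE:
                    findings.append((path, "not scanned: too large"))
                else:                             # unpack in memory and recurse
                    findings += scan(zf.read(info), path, depth + 1)
    return findings


if __name__ == "__main__":
    single = make_zip("eicar.com", SAMPLE)
    double = make_zip("inner.zip", single)
    print("signature visible in raw zip bytes:", SIGNATURE in single)
    for label, blob in (("single.zip", single), ("double.zip", double)):
        print(label, scan(blob, label))
```

A "not scanned" verdict is the case to watch for when reading multi-scanner results: a clean report on an archive that was nested too deeply, too large or password-protected says nothing about its contents.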