Create heuristic zone for decompression utilities

  • 10 September 2013
  • 1 reply

Userlevel 7
Is it possible to create a heuristic zone that includes only Outlook attachments, and the program that is used to open them? For example, if a user opens a zip file with 7zip, I'd like the extracted file then included in the zone.
Or even better, create a zone that targets archive decompression utilities exclusively.
We deal with regulated information that sometimes has to be in encrypted format so it can't always be scanned/outright blocked at the border until we can implement a file transfer website.
There are many ways to block such a file from running with other policies and methods, but I'd like to focus on the AV suite in this discussion. Most businesses and consumers will not restrict sensitive file types on their machines that get through encrypted zip, nor will they block password-protected/exe-containing ZIP files at the border, so this is more of a broader protection discussion than simply for my benefit.
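The border check the post mentions (flagging password-protected or exe-containing ZIP attachments before a user ever opens them in 7zip) can be done from archive metadata alone. The following is an added example written for this thread, not Webroot's code or a feature of its product: it reads a ZIP's central directory, reports encrypted members, members with executable extensions, members whose name hides an `MZ` (PE) header, and nested archives, then applies a simple policy. The extension lists, the `block`/`review`/`allow` verdicts and the sample archive are all constructed for the example; because Python's `zipfile` can read but not write encrypted entries, the fixture sets the encryption flag bit in one central-directory record afterwards to simulate a password-protected member.

```python
"""Inspect a ZIP attachment for encrypted members, executable payloads and
nested archives, then apply a border policy.  Example code for this thread."""
import io
import posixpath
import struct
import zipfile

# Extensions Windows will run directly (constructed, non-exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".dll", ".bat", ".cmd",
                   ".js", ".vbs", ".ps1", ".msi"}
ARCHIVE_EXTS = {".zip", ".7z", ".rar", ".gz", ".tar"}
ENCRYPTED_FLAG = 0x1            # general-purpose bit 0 in the ZIP format
CENTRAL_DIR_SIG = b"PK\x01\x02"


def inspect_zip(data: bytes) -> dict:
    """Return the findings for one archive held in memory."""
    findings = {"encrypted": [], "executables": [], "masquerading": [], "nested": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            if zi.is_dir():
                continue
            ext = posixpath.splitext(zi.filename)[1].lower()
            if zi.flag_bits & ENCRYPTED_FLAG:
                # Body is unreadable without the password; the flag alone is the finding.
                findings["encrypted"].append(zi.filename)
                continue
            with zf.open(zi) as fh:
                head = fh.read(4)
            if ext in EXECUTABLE_EXTS:
                findings["executables"].append(zi.filename)
            elif head[:2] == b"MZ":
                # PE header behind a harmless-looking extension.
                findings["masquerading"].append(zi.filename)
            if ext in ARCHIVE_EXTS or head == b"PK\x03\x04":
                findings["nested"].append(zi.filename)
    return findings


def verdict(findings: dict) -> str:
    """Policy from the post: password-protected or exe-containing -> block.
    Nested archives go to review (an assumption for this example)."""
    if findings["encrypted"] or findings["executables"] or findings["masquerading"]:
        return "block"
    if findings["nested"]:
        return "review"
    return "allow"


def _set_encrypted_flag(data: bytes, name: str) -> bytes:
    """Flip the encryption bit in the central-directory record for `name`.
    Test-fixture helper only: zipfile cannot write encrypted members."""
    raw = bytearray(data)
    pos = raw.find(CENTRAL_DIR_SIG)
    while pos != -1:
        name_len = struct.unpack_from("<H", raw, pos + 28)[0]
        if raw[pos + 46:pos + 46 + name_len] == name.encode():
            flags = struct.unpack_from("<H", raw, pos + 8)[0]
            struct.pack_into("<H", raw, pos + 8, flags | ENCRYPTED_FLAG)
            break
        pos = raw.find(CENTRAL_DIR_SIG, pos + 4)
    return bytes(raw)


def build_sample() -> bytes:
    """Constructed attachment: a clean PDF, an .exe, an exe renamed to .txt,
    a nested zip and a member marked as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 sample body")
        zf.writestr("invoice.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("update.txt", b"MZ" + b"\x00" * 62)
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as nested:
            nested.writestr("readme.txt", b"hello")
        zf.writestr("more.zip", inner.getvalue())
        zf.writestr("secret.docx", b"placeholder body")
    return _set_encrypted_flag(buf.getvalue(), "secret.docx")


if __name__ == "__main__":
    result = inspect_zip(build_sample())
    for key, names in result.items():
        print(f"{key:12s} {names}")
    print("verdict:", verdict(result))
```

Only the header bytes of each member are read, so the check costs little even on large attachments; a real gateway would also recurse into the nested archive rather than merely flagging it.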

Userlevel 5
Hello Explanoit! After much discussion with our threat team and development, we feel this is an unnecessary feature due to the way our software handles new files that enter the environment. There's little danger presented by any kind of malware at rest (other than being left there to run when the AV is disabled, which is not something we can control), and once anything is extracted it will be caught in the same way on attempted execution, but possibly before this on a disk write or a scan in a more passive manner. We already have the ability to scan archives, so users can explicitly right-click and scan them if they want added confidence in feeling protected.

Heuristics are really just a last resort formed from hard-set rules, used when other methods of protection have failed or are not available in our cloud-based architecture. We shouldn't really be relying on heuristics too much; if we are, then we need to consider better methods of research. Thanks Explanoit for submitting the idea. -Shawn