Case Study: Managing Zip Files with Security Controls

System vulnerabilities can creep in through compressed files. But does completely blocking their use make for good security policy?

Should all e-mailed zip files be blocked at the corporate network gateway? Experts say more companies are blocking files compressed in the zip format from their e-mail servers. Security managers often worry zip files might contain known-bad executables or worms. In fact some worms—MiMail is just one recent example—zip their executable payload to evade antivirus scanners at the network-gateway or PC level.

Yet while blocking a file type beloved by attackers might seem prudent, zip files often fill a corporate need: they help reduce network load. Compression formats can dramatically reduce the size of PDF and Microsoft PowerPoint files, not to mention Microsoft Word documents and many kinds of images. In addition, many corporate IT departments impose a two- or five-Mbyte file-size limit for sent or received e-mail attachments. Prohibiting zip files would make e-mailing many kinds of attachments impractical.

In short, security managers might want to rethink what they’re blocking.

“Banning zip files because of the potential security threat they pose is like banning e-mail because it transmits spam and viruses,” notes Michael Osterman, president of Osterman Research. “What is needed is a way to maintain the use of zip files while ensuring that they do not contain harmful content, [do] come from trusted senders, and so forth.”

Enter zip management software. One user of such software is Michael Cushard, a systems engineer at Mobility Electronics, a mobile-device product manufacturer. “It’s hard to imagine that others can justify banning zip files. They have become a standard vessel for content distribution,” he says.

Mobility allows zip files, albeit with proper security controls. “With the appropriate antivirus regimen in place, end users can feel confident that their compressed content is free of infection and benign by the time it reaches their e-mail client.”

Mobility initially rolled out zip management software, Cushard says, “to impede the tremendous growth of our Exchange information stores. Compressing attachments seemed like the logical—and easiest—way to accomplish this goal.” After researching available products, Mobility selected MaX Compression Enterprise from C2C Systems, headquartered in Reading, Britain. Cushard says it was the only product he found that met his precise, Microsoft Exchange-related needs. MaX automatically compresses and decompresses e-mail attachments for Outlook, Outlook Web Access, Exchange Server, and SMTP Gateway.

Rollout went without incident, he says, and the first compression run started 30 minutes later. “Our first compression run netted us 30 Gbytes of storage space in our information stores. We continue to run it on a weekly basis and continue to receive three to four extra Gbytes of free space a week by doing so.”

To stay secure, Mobility runs antivirus and content filtering on the same server as the MaX software. Such an approach better secures all users and content—not just zip files—though it can require more upfront and ongoing efforts from security administrators. Still, there’s a payoff. “Mobility Electronics uses a three-tier antivirus process, and we have never had a virus get through our defenses that was embedded in a zip file,” Cushard explains. “In fact, in my two-year tenure, we have never had a virus or worm infection—period. That says a lot of our approach to keeping our software patched and our virus definitions up to date with the products we use to keep us protected.”

Mobility’s approach also ensures it’s not up to users to decide if code might be malicious before they open it. Speaking as a network administrator, Cushard says “it is best just to protect the end user as much as possible, as transparently as possible.”

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.