It is important to stress that the problem with infected password-protected zip files is only manifest with gateway scanners. On client computers with up-to-date AV protection, the worm is detected once the user provides the password and decompresses/decrypts the zip file. This fact provides a graphic example of why it is important to implement defense in depth on all layers of your IT infrastructure. . . .
Although by now most vendors have implemented some kind of patch to combat the most recent variant of the Bagle worm, the fact remains that this malware managed to defeat a large number of vendors' gateway AV scanners. The culprit? A password-protected zip file that carries the Bagle worm.

According to antivirus vendors, this particular strain (Bagle.J, .H or .K, depending on the vendor) appeared in the wild on March 2nd. Besides the password-protected zip "feature", it is in no way special, as it uses well-known techniques to spread via SMTP. However, only hours after it had been found in the wild, customers at many large enterprise sites began to notice Bagle-carrying zip files slipping through their gateway defenses. Of course, the AV vendors probably had a hard time explaining why this was happening to increasingly nervous IT personnel.

To an antivirus scan engine, password protection is, in essence, encryption. The purpose of encrypting is to avoid prying eyes, including those of technology. So the AV technology must have the key, that is, the password, to decompress the zip archive and scan it. No password, no scanning - simple as that.
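What a gateway can still do without the password is read the archive's central directory, which ZIP encryption never covers: member names, sizes and the encryption flag bit stay in the clear. The following is an added example (not from the article or any vendor product) of that triage: it hand-builds a constructed one-member archive with the encryption flag set, then decides "scan" or "quarantine" from the headers alone; the executable-suffix list is an assumed policy.

```python
import io
import struct
import zipfile
import zlib

# Assumed gateway policy (not from the article): member names that look like
# executables are flagged even when their contents cannot be scanned.
SUSPECT_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def build_stored_zip(name: str, data: bytes, encrypted_flag: bool) -> bytes:
    """Hand-assemble a one-member ZIP (method 'stored') as a constructed sample.

    With encrypted_flag, general-purpose bit 0 is set exactly as a password-
    protected archive sets it; the payload is left as-is, which is enough to
    exercise a header check that never needs the password.
    """
    fname = name.encode()
    flags = 0x0001 if encrypted_flag else 0x0000
    crc, n = zlib.crc32(data) & 0xFFFFFFFF, len(data)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x0021,
                        crc, n, n, len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                          0, 0x0021, crc, n, n, len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + n, 0)
    return local + data + central + eocd


def inspect_archive(zip_bytes: bytes) -> dict:
    """Gateway-side triage that needs no password: the central directory
    (names, sizes, flag bits) is always readable; only member data is encrypted."""
    report = {"encrypted": [], "scannable": [], "executable_names": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            bucket = "encrypted" if info.flag_bits & 0x0001 else "scannable"
            report[bucket].append(info.filename)
            if info.filename.lower().endswith(SUSPECT_SUFFIXES):
                report["executable_names"].append(info.filename)
    return report


def gateway_verdict(zip_bytes: bytes) -> str:
    """'scan' if every member can be content-scanned here; otherwise
    'quarantine', because a gateway that cannot see inside must not pass
    the attachment through as if it had been found clean."""
    return "quarantine" if inspect_archive(zip_bytes)["encrypted"] else "scan"
```

The important property is the last function: an archive the gateway cannot open is held for review rather than silently delivered, leaving the endpoint AV (which sees the content after the user enters the password) as the next layer.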

The idea is so simple and straightforward that it's really surprising it hasn't been exploited more often up until now.

The link for this article located at net-security.org is no longer available.