Archive Files

Archive files are files that contain other files, such as .zip or .rar files.

If any individual file in an archive matches a file rule with a block action, the system blocks the entire archive, not just the individual file.

For details about options for archive file inspection, see Advanced and Archive File Inspection Options.

Archive Files That Can Be Inspected

  • File types

    A complete list of inspectable archive file types appears in the management center web interface on the file rule configuration page. To view that page, see Creating File Rules.

    The contained file types that can be inspected appear on the same page.

  • File size

    You can inspect archive files up to the size set by the Maximum file size to store setting (a file policy advanced access control setting).

  • Nested archives

    Archive files can contain other archive files, which can in turn contain archive files. The level at which a file is nested is its archive file depth. Note that the top-level archive file is not included in the depth count; depth begins at 1 with the first nested file.

    The system can inspect up to three levels of nested files beneath the outermost archive file (level 0). You can configure your file policy to block archive files that exceed that depth (or a lower maximum depth that you specify).

    If you choose not to block files that exceed the maximum archive file depth of 3, then when an archive that contains some extractable contents and some contents nested at a depth of 3 or greater appears in monitored traffic, the system examines and reports data only for the files it was able to inspect.

    All features applicable to uncompressed files (such as dynamic analysis and file storage) are available for nested files inside archive files.

  • Encrypted files

    You can configure the system to block archives whose contents are encrypted or otherwise cannot be inspected.

  • Archives that are not inspected

    If traffic that contains an archive file is on a Security Intelligence Block list or Do Not Block list, or if the top-level archive file’s SHA-256 value is on the custom detection list, the system does not inspect the contents of the archive file.

    If a nested file is blocked, the entire archive is blocked. However, if a nested file is allowed, the archive is not automatically passed; its handling depends on the other nested files and their characteristics.

    Executable (.exe) files inside some .rar archives, possibly including RAR5 archives, cannot be detected.

Archive File Dispositions

Archive file dispositions are based on the dispositions assigned to the files inside the archive. All archives that contain identified malware files receive a disposition of Malware. Archives without identified malware files receive a disposition of Unknown if they contain any unknown files, and a disposition of Clean if they contain only clean files.

Archive File Disposition by Contents

  Archive File Disposition   Number of Unknown Files   Number of Clean Files   Number of Malware Files
  ------------------------   -----------------------   ---------------------   -----------------------
  Unknown                    1 or more                 Any                     0
  Clean                      0                         1 or more               0
  Malware                    Any                       Any                     1 or more

Archive files, like other files, may have dispositions of Custom Detection or Unavailable if the conditions for those dispositions apply.
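The nested-archive depth rules and the disposition-by-contents table above describe a small algorithm: walk the archive, stop descending past the maximum depth, look up each inspected file's disposition, then roll the results up to the archive and to a block/allow decision. The following Python is an added illustration of that logic, not code from the product or its documentation. It uses in-memory zip files as the archive format, a constructed SHA-256 table in place of the real disposition lookup, and a hypothetical Policy class for the block settings; the boundary choice that depths 1 through 3 are inspected and depth 4 is not, and the "Unavailable" result for an archive with nothing inspectable, are assumptions made here.

```python
import hashlib
import io
import zipfile
from dataclasses import dataclass
from typing import Optional

# The page states the system inspects three nested levels beneath the
# outermost archive (level 0); the first nested file is depth 1.
MAX_ARCHIVE_DEPTH = 3

# Constructed member contents. The SHA-256 table below stands in for the
# disposition lookup; it is not a real reputation source.
CLEAN_DOC = b"quarterly report, plain text (constructed)"
UNKNOWN_BLOB = b"never-before-seen binary blob (constructed)"
MALWARE_STANDIN = b"constructed stand-in for a file with a Malware disposition"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

DISPOSITION_BY_SHA256 = {
    sha256_hex(CLEAN_DOC): "Clean",
    sha256_hex(MALWARE_STANDIN): "Malware",
}  # any hash not listed here is "Unknown"

@dataclass
class Member:
    name: str
    depth: int
    sha256: Optional[str]
    disposition: str  # Clean, Unknown, Malware, or "Not inspected"
    reason: str = ""  # why a member was not inspected

@dataclass
class Policy:  # hypothetical stand-in for the file policy's archive settings
    block_dispositions: frozenset = frozenset({"Malware"})
    block_exceeding_depth: bool = True  # block archives nested deeper than max_depth
    block_uninspectable: bool = True    # block encrypted or unreadable contents
    max_depth: int = MAX_ARCHIVE_DEPTH

def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; a nested zip is just a bytes member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def walk_archive(data: bytes, depth: int = 0, max_depth: int = MAX_ARCHIVE_DEPTH) -> list:
    """Recursively list the files inside a zip that sits at `depth` (0 = top level)."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            d = depth + 1
            if d > max_depth:  # beyond the inspectable depth: record it, do not extract
                members.append(Member(info.filename, d, None, "Not inspected", "exceeds max depth"))
                continue
            if info.flag_bits & 0x1:  # general-purpose bit 0 set: entry is encrypted
                members.append(Member(info.filename, d, None, "Not inspected", "encrypted"))
                continue
            try:
                content = zf.read(info)
            except (RuntimeError, zipfile.BadZipFile) as exc:
                members.append(Member(info.filename, d, None, "Not inspected", f"unreadable: {exc}"))
                continue
            if zipfile.is_zipfile(io.BytesIO(content)):  # nested archive: descend one level
                members.extend(walk_archive(content, d, max_depth))
                continue
            digest = sha256_hex(content)
            members.append(Member(info.filename, d, digest, DISPOSITION_BY_SHA256.get(digest, "Unknown")))
    return members

def archive_disposition(members: list) -> str:
    """Apply the disposition-by-contents table to the members that were inspected."""
    seen = {m.disposition for m in members if m.disposition != "Not inspected"}
    if "Malware" in seen:
        return "Malware"  # 1 or more Malware files, regardless of the rest
    if "Unknown" in seen:
        return "Unknown"  # no Malware, 1 or more Unknown
    if "Clean" in seen:
        return "Clean"    # only Clean files
    return "Unavailable"  # nothing inspectable; the table does not cover this case (assumption)

def evaluate(data: bytes, policy: Optional[Policy] = None) -> dict:
    """Return the archive disposition and the block/allow decision with its reasons."""
    policy = policy or Policy()
    members = walk_archive(data, 0, policy.max_depth)
    reasons = []
    for m in members:
        if m.disposition in policy.block_dispositions:
            reasons.append(f"{m.name} at depth {m.depth} is {m.disposition}")
        elif m.disposition == "Not inspected":
            if m.reason.startswith("exceeds") and policy.block_exceeding_depth:
                reasons.append(f"{m.name} at depth {m.depth} exceeds depth {policy.max_depth}")
            elif not m.reason.startswith("exceeds") and policy.block_uninspectable:
                reasons.append(f"{m.name} at depth {m.depth} cannot be inspected ({m.reason})")
    # one blocked member blocks the whole archive; allowed members never pass it on their own
    return {"disposition": archive_disposition(members),
            "action": "block" if reasons else "allow",
            "reasons": reasons, "members": members}

def sample_archive() -> bytes:
    """Constructed: outer -> a.zip (1) -> b.zip (2) -> c.zip (3) -> deep.txt (4, not inspectable)."""
    c = build_zip({"deep.txt": CLEAN_DOC})
    b = build_zip({"c.zip": c, "payload.bin": MALWARE_STANDIN})
    a = build_zip({"b.zip": b, "blob.bin": UNKNOWN_BLOB})
    return build_zip({"report.txt": CLEAN_DOC, "a.zip": a})

def deep_clean_archive() -> bytes:
    """Constructed: only Clean content, but one file nested at depth 4."""
    c = build_zip({"deep.txt": CLEAN_DOC})
    return build_zip({"a.zip": build_zip({"b.zip": build_zip({"c.zip": c, "ok.txt": CLEAN_DOC})})})
```

Running `evaluate(sample_archive())` yields a Malware disposition and a block decision driven by payload.bin at depth 3, while deep.txt at depth 4 is listed as not inspected. `evaluate(deep_clean_archive(), Policy(block_exceeding_depth=False))` shows the other behaviour the page describes: the archive is allowed, and its Clean disposition is computed only from the files that could be inspected.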

Viewing Archive Contents and Details

If your file policy is configured to inspect archive file contents, you can use the context menu in a table on pages under the Analysis > Files menu, or the network file trajectory viewer, to view information about the files inside an archive when the archive file appears in a file event, in a malware event, or as a captured file.

All file contents of the archive are listed in table form, with a short summary of their relevant information: name, SHA-256 hash value, type, category, and archive depth. A network file trajectory icon appears next to each file; click it to view further information about that specific file.