Google tweaking Gmail malware scanner to unblock research routes

STOP! In the name of research

Google is apparently changing its practice of how it scans Gmail attachments following a security researcher's failed attempt at sharing information with another researcher.

Detailing the issue in his blog, digital forensics expert Brian Baskin said he attempted to email malware binary samples to a colleague, apparently a common practice used to gauge opinion.

The standard practice for this type of exchange is to compress the malware sample within a ZIP file and give it a password of 'infected'. This stops an ordinary person from obtaining the file and accidentally running it, and it means automated antivirus systems cannot detect the malware and prevent it from being sent.

However, it seems that Google's scan has become more rigid, and Baskin said that Gmail registered a Virus Alert on the attachment.

Guesswork

Theoretically, the only way Google's scan could realise that there was a virus contained in the ZIP file was by password cracking each ZIP file it received.

Baskin reckons that Google is now attempting to guess the password to ZIP files, using the password of 'infected'. If it succeeds, it extracts the contents and scans them for malware. Baskin tested his theory with the list of the 25 most common passwords, created a new email, and attached all of the files.

Only the ZIP file with a password of 'infected' was scanned, suggesting that Google likely is not using a sizable word list, but it is targeting the password of 'infected'. This was confirmed by the company in a reply to the blog post.
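Baskin's experiment can be reproduced offline. The following is an added example, not code from Baskin's post or from Google: the function names are illustrative, the payload is a constructed harmless string, and it assumes the archives use the traditional ZIP password cipher. It builds the same payload under three passwords and checks which archives a scanner that tries only 'infected' can open.

```python
import io, struct, zipfile, zlib

def _crc(old, byte):  # raw one-byte CRC-32 step used by the legacy ZIP cipher
    return zlib.crc32(bytes([byte]), old ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

def zipcrypto(data, password, check_byte):  # traditional PKWARE ZIP cipher
    k = [0x12345678, 0x23456789, 0x34567890]
    def update(b):
        k[0] = _crc(k[0], b)
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc(k[2], k[1] >> 24)
    for b in password:
        update(b)
    out = bytearray()
    # 12-byte header: 11 filler bytes (zeros here, random in real tools) + check byte
    for b in bytes(11) + bytes([check_byte]) + data:
        t = k[2] | 2
        out.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(b)
    return bytes(out)

def make_zip(name, data, password):  # one stored, password-protected member, in memory
    crc = zlib.crc32(data)
    enc = zipcrypto(data, password, crc >> 24)
    # version, flags (bit 0 = encrypted), method, time, date, CRC, sizes, name/extra length
    meta = struct.pack("<HHHHHIIIHH", 20, 1, 0, 0, 0x21, crc, len(enc), len(data), len(name), 0)
    local = b"PK\x03\x04" + meta + name + enc
    central = b"PK\x01\x02" + struct.pack("<H", 20) + meta + bytes(14) + name
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd

def opens_with(blob, pwd=b"infected"):
    """True if every encrypted member of the archive decrypts with pwd."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        locked = [i for i in zf.infolist() if i.flag_bits & 0x1]  # bit 0 = encrypted
        try:
            for info in locked:
                zf.read(info, pwd=pwd)  # header check byte and CRC validate the guess
        except (RuntimeError, zipfile.BadZipFile):
            return False
    return bool(locked)

# Constructed test set modelled on the article's experiment: one archive per password.
SAMPLES = {pw: make_zip(b"sample.bin", b"harmless placeholder", pw)
           for pw in (b"infected", b"password", b"123456")}

def scanned():
    """Passwords whose archive an 'infected'-only scanner could open."""
    return [pw for pw, blob in SAMPLES.items() if opens_with(blob)]
```

Only the archive protected with 'infected' is readable by such a scanner; the others stay opaque to it unless it also tries their passwords.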

'Not malicious'

In his response, Alex Petit-Biano, a software engineer at Google, wrote that the scanning was not intentional, and that the issue was caused by a third-party AV engine used by Gmail that is designed to automatically open ZIP files with a password of 'infected'.

He wrote: "To protect our users from downloading malicious files, we use a combination of third party antivirus software and internal virus scanning solutions to detect whether or not attachments or other downloadable files may be harmful.

"Your post alerted us to the fact that one of our third party software components was checking for encryption using 'infected.' as a password. As a result, it decrypted a limited set of zipped payloads in attempts to search for malware. We're currently working on disabling that feature and appreciate you bringing it to our attention."
