HTTP Based ZIP File Download Detection

info Nessus Network Monitor Plugin ID 1171

Synopsis

An HTTP transfer of a file compressed with the ZIP algorithm was just observed.

Description

An HTTP transfer of a file compressed with the ZIP algorithm was just observed. This file may contain malicious code, or content that may not be subjected to any content filtering in place. However, if the host attempting the download is a web server, email server or other server, this behavior may be indicative of a system compromise.

Solution

Block all HTTP requests with content type: application/zip, and ensure a content filtering system is in place that handles ZIP compressed files.

Plugin Details

Severity: Info

ID: 1171

Family: Web Clients

Published: 8/20/2004

Updated: 6/1/2015