2.2. Archive management

2.2.1. Operation

The purpose of the analysis is to determine whether an archive contains malicious files.
The GBox extracts the archives submitted for analysis and analyses the files it finds inside.
It works as follows:
  • Submission of an archive whose extracted content is smaller than 50 MB

  • The user can provide the archive password via the graphical interface or the API. The same password must apply to every level of a nested archive.

  • The GBox tries to extract the archive using the password:

    • With protection against zip bombs

    • With protection against malicious archives

    • If the extracted content exceeds 50 MB, extraction is stopped. An error message is returned indicating that the file is too large: nothing is analysed

    • If the archive is nested more deeply than the depth configured in the GBox, only the files found down to the configured depth are analysed (maximum of 3 levels: zip inside zip inside zip)

    • If the password does not match, an error message is returned

    • If the archive contains more files than the number configured in the GBox (10 files max), an error message is returned: nothing is analysed

  • A "parent" analysis is created. It represents the archive file itself, with the file's fingerprint and the analysis fingerprint, and points to the "child" analyses (parent report image below).

    • It has no analysis engine status, because the archive itself is not sent to the engines

    • It only has a global result

    • It does not display the details of the child errors

  • A "child" analysis is created for each file found in the archive. It is linked to the parent analysis (child analysis report image below)

  • The parent analysis is updated as the "child" analyses complete:

    • Its score is the maximum of the "child" scores

    • Its status is derived from the "child" statuses:

    • If one or more "child" analyses are "in progress", the parent analysis is "in progress".

    • If one or more "child" analyses are "in error", the parent analysis is "in error".

    • If all "child" analyses are "finished" with no errors, the parent analysis is "finished".

  • There is no PDF or report covering all the children. Open each child analysis to obtain its report.
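The procedure above, written out as an added example that is not GBox code: a zip-by-zip extractor that enforces the size, depth and file-count limits and the two archive protections before anything is passed to analysis, plus the parent status and score aggregation. The constant names, the compression-ratio threshold used as the zip-bomb heuristic, the error strings and the rule that "in progress" outranks "in error" are assumptions of this example; the GBox configures its limits itself and only the values 50 MB, 3 levels and 10 files come from the text. The sample archive is constructed in memory.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Limits taken from the section above. The constant names are ours (hypothetical);
# the GBox sets these values in its own configuration.
MAX_TOTAL_BYTES = 50 * 1024 * 1024  # extraction stops once this is exceeded
MAX_FILES = 10                      # more than this: nothing is analysed
MAX_DEPTH = 3                       # zip-in-zip levels that are opened
MAX_RATIO = 100                     # uncompressed/compressed ratio treated as a zip bomb (assumed)

class ArchiveError(Exception):
    """Any condition that aborts extraction; the GBox reports these as errors."""

# Each extracted member is (depth, path through the nesting, content);
# depth 1 means directly inside the submitted archive.
Member = Tuple[int, str, bytes]

def extract_archive(blob: bytes, password: Optional[bytes] = None) -> List[Member]:
    members: List[Member] = []
    budget = {"bytes": 0, "files": 0}  # one budget shared by every nesting level
    _walk(blob, "", 1, password, budget, members)
    return members

def _walk(blob, prefix, depth, password, budget, members):
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile as exc:
        raise ArchiveError(f"{prefix or 'submitted file'} is not a zip archive") from exc
    for info in zf.infolist():
        if info.is_dir():
            continue
        name = info.filename
        # Malicious-archive guard: refuse absolute paths and ".." components.
        if name.startswith(("/", "\\")) or ".." in name.replace("\\", "/").split("/"):
            raise ArchiveError(f"unsafe member name {name!r}")
        # Zip-bomb guards, applied to the header before anything is inflated.
        if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
            raise ArchiveError(f"suspicious compression ratio for {name!r}")
        if budget["bytes"] + info.file_size > MAX_TOTAL_BYTES:
            raise ArchiveError("file is too large: extracted content exceeds 50 MB")
        try:
            with zf.open(info, pwd=password) as fh:
                # The header can lie: read at most one byte past the remaining
                # budget and charge the length that actually came out.
                data = fh.read(MAX_TOTAL_BYTES - budget["bytes"] + 1)
        except RuntimeError as exc:  # zipfile reports a wrong or missing password this way
            raise ArchiveError("password missing or does not match") from exc
        if budget["bytes"] + len(data) > MAX_TOTAL_BYTES:
            raise ArchiveError("file is too large: extracted content exceeds 50 MB")
        budget["bytes"] += len(data)
        path = f"{prefix}/{name}" if prefix else name
        if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
            _walk(data, path, depth + 1, password, budget, members)
            continue
        # A leaf file, or an archive at the maximum depth (kept as a plain file).
        budget["files"] += 1
        if budget["files"] > MAX_FILES:
            raise ArchiveError("too many files")
        members.append((depth, path, data))

def check_submission(blob: bytes, password: Optional[bytes] = None) -> Optional[str]:
    """None when the archive passes every limit, otherwise the error message."""
    try:
        extract_archive(blob, password)
    except ArchiveError as exc:
        return str(exc)
    return None

@dataclass
class ChildAnalysis:
    path: str
    status: str                 # "in progress" | "in error" | "finished"
    score: Optional[int] = None

def parent_status(children: List[ChildAnalysis]) -> str:
    statuses = {c.status for c in children}
    if "in progress" in statuses:  # assumed to win over "in error" until every child is done
        return "in progress"
    if "in error" in statuses:
        return "in error"
    return "finished"

def parent_score(children: List[ChildAnalysis]) -> Optional[int]:
    scores = [c.score for c in children if c.score is not None]
    return max(scores) if scores else None

def make_zip(members: Dict[str, bytes]) -> bytes:
    """In-memory zip builder, used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample: four levels deep, so the fourth level is kept as a file, not opened.
SAMPLE = make_zip({"readme.txt": b"level 1", "inner.zip": make_zip({
    "macro.doc": b"level 2", "deeper.zip": make_zip({
        "dropper.exe": b"level 3", "level4.zip": make_zip({"payload.bin": b"level 4"})})})})

if __name__ == "__main__":
    for depth, path, data in extract_archive(SAMPLE):
        print(depth, path, len(data))
```

Two points of the design matter in practice. The size budget is shared across all nesting levels and charged with the length that actually inflated, not the length the header declares, because a crafted header is the easiest way to slip past a per-member check. The compression-ratio heuristic is deliberately blunt: a genuine file of repeated text can exceed 100:1, so a production deployment would tune the threshold or combine it with the absolute budget rather than reject on ratio alone.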


2.2.2. Supported formats

An archive type is identified from the file extension and from the libmagic description of its content (the `magic` column).

Type         Details

7zfile       extension = [".7z", ".iso", ".udf", ".xz"]
             magic = ["7-zip archive", "ISO 9660", "UDF filesystem data", "XZ compressed data"]

gzipfile     extension = [".gzip", ".gz"]
             magic = ["gzip compressed data, was"]

lzhfile      extension = [".lzh", ".lha"]
             magic = ["LHa ("]

tarfile      extension = [".tar"]
             magic = ["POSIX tar archive"]

tarbz2file   extension = [".tar.bz2"]
             magic = ["bzip2 compressed data"]

zipfile      extension = [".zip"]
             magic = ["Zip archive data"]

Note that libmagic appends `was "<name>"` to the gzip description only when the gzip header stores an original file name; a gzip stream without one does not match the `gzipfile` magic string.
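As an added example (not GBox code), the same detection done on raw byte signatures instead of libmagic description strings, with the check a practitioner wants on top of the table: whether the extension and the content agree. The signatures are the standard on-disk magic numbers for these formats; UDF is omitted because its descriptors are not covered by a single fixed signature, and the handler names are the `Type` values from the table. All sample files are constructed in memory.

```python
import bz2
import gzip
import io
import lzma
import tarfile
import zipfile
from typing import Optional, Tuple

# (handler type from the table, byte offset, signature). These are the raw magic
# numbers behind the libmagic descriptions the table quotes, not the strings themselves.
SIGNATURES = [
    ("7zfile",     0,      b"7z\xbc\xaf\x27\x1c"),  # 7-zip archive
    ("7zfile",     0x8001, b"CD001"),                # ISO 9660 primary volume descriptor
    ("7zfile",     0,      b"\xfd7zXZ\x00"),         # XZ compressed data
    ("gzipfile",   0,      b"\x1f\x8b"),             # gzip compressed data
    ("lzhfile",    2,      b"-lh"),                  # LHa method id, e.g. "-lh5-"
    ("tarfile",    257,    b"ustar"),                # POSIX tar archive
    ("tarbz2file", 0,      b"BZh"),                  # bzip2 compressed data
    ("zipfile",    0,      b"PK\x03\x04"),           # Zip archive data
]

# Extensions from the table, longest suffix first so ".tar.bz2" is tested before ".gz"-style suffixes.
EXTENSIONS = [
    (".tar.bz2", "tarbz2file"), (".gzip", "gzipfile"), (".udf", "7zfile"),
    (".iso", "7zfile"), (".lzh", "lzhfile"), (".lha", "lzhfile"), (".tar", "tarfile"),
    (".zip", "zipfile"), (".gz", "gzipfile"), (".7z", "7zfile"), (".xz", "7zfile"),
]

def type_from_magic(data: bytes) -> Optional[str]:
    """Handler type implied by the content, or None when no signature matches."""
    for handler, offset, sig in SIGNATURES:
        if data[offset:offset + len(sig)] == sig:
            return handler
    return None

def type_from_extension(filename: str) -> Optional[str]:
    """Handler type implied by the file name, or None for a non-archive extension."""
    lower = filename.lower()
    for suffix, handler in EXTENSIONS:
        if lower.endswith(suffix):
            return handler
    return None

def classify(filename: str, data: bytes) -> Tuple[Optional[str], bool]:
    """(handler chosen from the content, True when the extension disagrees with it).

    The content decides which extractor runs; a disagreement (a zip behind .pdf,
    plain text named .zip) is the case worth logging.
    """
    by_magic = type_from_magic(data)
    return by_magic, by_magic != type_from_extension(filename)

def _tar_bytes() -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("a.txt")
        info.size = 1
        tf.addfile(info, io.BytesIO(b"x"))
    return buf.getvalue()

def _zip_bytes() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a.txt", "x")
    return buf.getvalue()

# Constructed in memory for the example; none of these are real submissions.
SAMPLES = {
    "report.zip": _zip_bytes(),
    "invoice.pdf": _zip_bytes(),            # archive content behind a document extension
    "fake.zip": b"plain text",              # archive extension, non-archive content
    "backup.tar": _tar_bytes(),
    "backup.tar.bz2": bz2.compress(_tar_bytes()),
    "log.gz": gzip.compress(b"log line\n"),
    "data.xz": lzma.compress(b"data"),
    "notes.txt": b"plain text",
}

def flagged(samples=SAMPLES):
    """Names whose extension and content disagree."""
    return [name for name, data in samples.items() if classify(name, data)[1]]
```

The ISO signature sits at byte 0x8001, so a sniffer that only reads the first few hundred bytes of a submission will never recognise an image; read at least the first 33 KB before deciding a file is not a container.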

2.2.3. Archive password definition

The password for a password-protected archive is entered in the `New analysis` screen of the Web UI (or passed with the submission when using the API).