Google tweaking Gmail malware scanner to unblock research routes

STOP! In the name of research

Google is apparently changing its practice of how it scans Gmail attachments following a security researcher's failed attempt at sharing information with another researcher.

Detailing the issue on his blog, digital forensics expert Brian Baskin attempted to email malware binary samples to a colleague, apparently a common practice for getting a second opinion.

The standard practice for this kind of exchange is to compress the malware sample in a ZIP file protected with the password 'infected'. This stops an ordinary recipient from opening the file and accidentally running it, and it also means automated antivirus systems cannot detect the malware and block the message.

However, it seems that Google's scanning has become stricter: Baskin said that Gmail registered a Virus Alert on the attachment.

In theory, the only way Google's scan could tell that the ZIP file contained a virus was by cracking the password of each ZIP file it received.

Baskin reckons that Google is now attempting to guess the password of ZIP files, using the password 'infected'. If it succeeds, it extracts the contents and scans them for malware. To test this theory, Baskin created ZIP files protected with each of the 25 most common passwords, composed a new email, and attached all of the files.

Only the ZIP file with the password 'infected' was scanned, suggesting that Google is not using a sizable word list but is specifically targeting the password 'infected'. The company confirmed this in a reply to the blog post.
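To show what such a check actually does, here is an added example in Python (my own code, not Google's, Baskin's or any AV vendor's): it builds a ZipCrypto-encrypted archive using only the standard library, then a gateway-style check tries a short candidate list, by default just 'infected', and scans whatever decrypts. The EICAR test string stands in for a sample, the function names are mine, and the builder only writes stored (uncompressed) entries.

```python
import io, struct, zipfile, zlib

# Constructed sample "malware": the EICAR antivirus test string, which is inert.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def _zipcrypto_encrypt(data, pwd, crc):
    """Traditional PKWARE 'ZipCrypto' stream cipher (what 'zip -P' produces),
    written out because the standard library can read it but not write it."""
    k = [0x12345678, 0x23456789, 0x34567890]
    def upd(b):
        k[0] = zlib.crc32(bytes([b]), k[0] ^ 0xFFFFFFFF) ^ 0xFFFFFFFF
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = zlib.crc32(bytes([k[1] >> 24]), k[2] ^ 0xFFFFFFFF) ^ 0xFFFFFFFF
    for b in pwd:
        upd(b)
    out = bytearray()
    # 12-byte header: 11 filler bytes then the CRC's high byte; a reader decrypts
    # only this header to decide whether the password it tried is right.
    for p in bytes(11) + bytes([crc >> 24]) + data:
        t = k[2] | 2
        out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        upd(p)
    return bytes(out)

def make_encrypted_zip(name, data, pwd):
    """One-entry, stored (uncompressed) ZIP whose entry is ZipCrypto-encrypted."""
    crc = zlib.crc32(data)
    body = _zipcrypto_encrypt(data, pwd, crc)
    fname = name.encode()
    # version 2.0, flag bit 0 = encrypted, method 0 = stored, DOS date 2013-01-01
    fixed = struct.pack("<HHHHHIII", 20, 1, 0, 0, 0x4221, crc, len(body), len(data))
    local = b"PK\x03\x04" + fixed + struct.pack("<HH", len(fname), 0) + fname
    central = (b"PK\x01\x02" + struct.pack("<H", 20) + fixed
               + struct.pack("<HHHHHII", len(fname), 0, 0, 0, 0, 0, 0) + fname)
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central),
                                        len(local) + len(body), 0)
    return local + body + central + eocd

def scan_attachment(zip_bytes, passwords=(b"infected",)):
    """Gateway-side check: try each candidate password; if one opens the archive,
    look inside for the test signature. Returns (password used, flagged names);
    (None, []) means the archive stayed opaque, which a scanner should report."""
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    for pwd in passwords:
        try:
            contents = {i.filename: zf.read(i, pwd=pwd) for i in zf.infolist()}
        except (RuntimeError, zipfile.BadZipFile):  # wrong password (or CRC mismatch)
            continue
        return pwd, [n for n, b in contents.items() if EICAR in b]
    return None, []
```

An archive protected with anything other than the listed passwords comes back as (None, []), which is the case a gateway has to decide on explicitly rather than treating as clean.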

'Not malicious'

In his response, Alex Petit-Biano, a software engineer at Google, wrote that the scanning was not intentional and that the issue was caused by a third-party AV engine used by Gmail that is designed to automatically open ZIP files with the password 'infected'.

He wrote: "To protect our users from downloading malicious files, we use a combination of third party antivirus software and internal virus scanning solutions to detect whether or not attachments or other downloadable files may be harmful.

"Your post alerted us to the fact that one of our third party software components was checking for encryption using 'infected.' as a password. As a result, it decrypted a limited set of zipped payloads in attempts to search for malware. We're currently working on disabling that feature and appreciate you bringing it to our attention."