Unexpected ZIP Detection

Concatenating a ZIP file onto another file, such as a JPEG, is a well-known method for attempting to hide files from inspection. Users can zip up their sensitive files, then concatenate the archive onto the other file using something like the Windows copy command-line tool. The result is a file that behaves like a JPEG when opened by a user or inspected by security tools, but can also be successfully unzipped to retrieve the original sensitive files. In this way, a user with no knowledge of file formats, and access only to commonly installed programs, can create files that escape both human and automatic inspection.

KeyView has an option to detect ZIP files that have been appended in this way, regardless of the initial mask file used. When you enable this option, the fpGetMainFileInfo() function returns the error code KVError_UnexpectedAppendedZip when KeyView detects an unexpected appended ZIP.
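The following is an added illustration of the detection idea, written for this page and not KeyView's own code: an appended archive keeps the central-directory offset it had as a standalone file, so the gap between where the central directory really sits and where the End of Central Directory record says it sits equals the size of the mask file in front of it. It assumes a classic (non-ZIP64) archive and builds its own constructed JPEG-plus-ZIP sample; the function and file names are illustrative.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory record signature
LOCAL_SIG = b"PK\x03\x04"  # local file header signature
EOCD_LEN = 22              # fixed-size part of the EOCD record
MAX_COMMENT = 0xFFFF       # the trailing ZIP comment is at most 65535 bytes


def find_appended_zip(data: bytes):
    """Offset at which an appended ZIP starts, or None.

    A standalone archive records its central-directory offset relative to its
    own first byte; after `copy /b host.jpg + secret.zip out.jpg` that value
    is stale, so (real central-directory position) - (recorded offset) equals
    the length of the host prefix. Assumption: classic EOCD only (no ZIP64).
    """
    tail_start = max(0, len(data) - EOCD_LEN - MAX_COMMENT)
    pos = data.rfind(EOCD_SIG, tail_start)
    if pos == -1 or pos + EOCD_LEN > len(data):
        return None
    # EOCD fields: disk, cd_disk, entries_on_disk, entries, cd_size, cd_offset, comment_len
    _, _, _, _, cd_size, cd_offset, _ = struct.unpack("<HHHHIIH", data[pos + 4:pos + EOCD_LEN])
    archive_start = (pos - cd_size) - cd_offset
    if archive_start <= 0:            # 0: ordinary ZIP; negative: malformed record
        return None
    if data[archive_start:archive_start + 4] not in (LOCAL_SIG, EOCD_SIG):
        return None                    # the prefix did not line up with an archive
    return archive_start


def is_unexpected_zip(data: bytes) -> bool:
    """True when the file does not present itself as a ZIP yet carries a
    complete archive behind a prefix, the situation the KeyView option flags."""
    return not data.startswith(b"PK") and find_appended_zip(data) is not None


def hidden_names(data: bytes) -> list:
    """Entry names in the appended archive; shows the masked file still unzips."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_sample() -> bytes:
    """Constructed input: a minimal JPEG-like host (SOI ... EOI, 66 bytes)
    followed by a real ZIP, the layout the copy command produces."""
    host = b"\xff\xd8\xff\xe0" + b"\x00" * 60 + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("secret.txt", "constructed sensitive data")
    return host + buf.getvalue()
```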

You can use one of the following methods to enable unexpected ZIP detection:

NOTE: Setting the option through fpFilterConfig() overrides any settings in formats.ini.