Unexpected ZIP Detection

Concatenating a ZIP file onto another file, such as a JPEG, is a well-known method for attempting to hide files from inspection. Users can zip up their sensitive files, then concatenate the archive onto the other file by using something like the Windows copy command-line tool. The result is a file that acts like a JPEG when opened by a user or inspected by security tools, but can also be successfully unzipped, retrieving the original sensitive files. This works because ZIP readers locate the archive from the end-of-central-directory record at the end of the file, so the leading JPEG bytes are simply ignored. In this way, a user with no knowledge of file formats and access only to commonly installed programs can create files that escape both human and automated inspection.
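The following is an added example for this page, not KeyView code and not a call into the KeyView API. It shows the structural check that the technique above defeats a naive scanner with, and how a detector can still catch it: walk the JPEG segment structure to find where the image actually ends, then test whether the bytes after the End-Of-Image marker form a ZIP archive. The function names (jpeg_end_offset, find_appended_zip) and the sample JPEG and ZIP bytes are constructed for illustration.

```python
"""Detecting a ZIP archive appended to a JPEG (an "unexpected appended ZIP").

Added example for this page; not KeyView code. Function names and the sample
bytes below are constructed for illustration.
"""
import io
import struct
import zipfile
from typing import Optional

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, SOI, EOI and the RST0-RST7 restart markers.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))
ZIP_EOCD = b"PK\x05\x06"  # ZIP end-of-central-directory signature


def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Offset just past the EOI marker, or None if data is not a well-formed JPEG.

    Segments are walked rather than searched for FFD9, so an EOI inside an
    embedded EXIF thumbnail, or inside whatever was appended, is not mistaken
    for the end of the image.
    """
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return None
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return None  # a marker was expected here
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes its own 2 bytes
        pos += 2 + seg_len
        if marker == SOS:
            # Entropy-coded data follows the SOS header. Skip it until a real
            # marker: FF followed by anything other than 00 (byte stuffing) or
            # D0-D7 (restart markers).
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def find_appended_zip(data: bytes) -> dict:
    """Report whether a JPEG has a ZIP archive hanging off its end."""
    end = jpeg_end_offset(data)
    result = {"jpeg": end is not None, "trailing_bytes": 0,
              "appended_zip": False, "zip_entries": []}
    if end is None:
        return result
    trailing = data[end:]
    result["trailing_bytes"] = len(trailing)
    # ZIP readers locate the archive from the end-of-central-directory record
    # at the END of the file, which is why the JPEG prefix does not stop the
    # file from unzipping; Python's zipfile tolerates such a prefix the same way.
    if ZIP_EOCD in trailing:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                result["zip_entries"] = zf.namelist()
                result["appended_zip"] = True
        except zipfile.BadZipFile:
            pass
    return result


def make_sample_jpeg() -> bytes:
    """Constructed JPEG-shaped bytes (valid segment structure, not a decodable
    picture): SOI, APP0, SOS, entropy data with FF00 stuffing and an RST0
    marker, then EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


def make_sample_zip() -> bytes:
    """Constructed ZIP with one entry, standing in for the 'sensitive files'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("secret.txt", "constructed sample payload")
    return buf.getvalue()


CLEAN_JPEG = make_sample_jpeg()
JPEG_WITH_ZIP = CLEAN_JPEG + make_sample_zip()  # the concatenation described above

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("jpeg+zip", JPEG_WITH_ZIP)):
        print(name, find_appended_zip(blob))
```

A scanner that only checks the leading bytes (the JPEG signature) classifies both samples as images; the check above reports trailing bytes for the concatenated one and lists the archive entries, which is the kind of verdict a tool like KeyView surfaces as an error code.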

KeyView has an option to detect ZIP files that have been appended in this way, regardless of the file type used as the mask. When you enable this option, the fpGetMainFileInfo() function returns the error code KVError_UnexpectedAppendedZip when KeyView detects an unexpected appended ZIP.

You can use one of the following methods to enable unexpected ZIP detection:

  • In the C API, call the function fpSetConfig() and set the flag KVFLT_UNEXPECTEDZIPDETECTION.

    (*fpSetConfig)(pKVFilter, KVFLT_UNEXPECTEDZIPDETECTION, TRUE, NULL);
  • In formats.ini, set the following parameter to TRUE.

    [Options]
    UnexpectedZipDetection=TRUE

NOTE: Setting the option through fpSetConfig() overrides any settings in formats.ini.