“Zombie ZIP” is a newly disclosed malware evasion technique where attackers manipulate ZIP archive headers to bypass antivirus and EDR scanning. Based on the test by the researcher, it works against most AV engines on VirusTotal.
I would like to know whether Elastic endpoint is immune to this?
Elastic Endpoint is an EDR product, so the malicious binary payload should be detected upon execution. This is similar to the “scan files upon modification” option, where you can opt out of it to improve performance but you still have the guarantee that a malicious executable at rest won’t be allowed to execute.
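As an added example (not from this thread, from Elastic, or from the researcher's write-up), here is the kind of structural check a defender can run on an archive at rest: it cross-checks the ZIP central directory against the local file headers and reports every disagreement. The thread does not detail how Zombie ZIP alters the headers, so this is a generic consistency check rather than a reproduction of the technique; the sample archive and its tampered copy are constructed inline.

```python
import io
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"

def zip_header_anomalies(data: bytes) -> list[str]:
    """Report disagreements between a ZIP's central directory and local headers."""
    findings = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or len(data) - eocd < 22:
        return ["no end-of-central-directory record"]
    # EOCD: skip sig/disk fields, read total entry count, skip cd size, read cd offset
    entries_total, cd_offset = struct.unpack_from("<10xH4xI", data, eocd)
    referenced, pos, count = set(), cd_offset, 0
    while pos + 46 <= len(data) and data[pos:pos + 4] == CENTRAL_SIG:
        (_, _, _, _, _, _, _, crc, csize, usize, fnlen, exlen, cmlen,
         _, _, _, loff) = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        name = data[pos + 46:pos + 46 + fnlen]
        pos, count = pos + 46 + fnlen + exlen + cmlen, count + 1
        referenced.add(loff)
        if data[loff:loff + 4] != LOCAL_SIG:
            findings.append(f"{name!r}: no local header at offset {loff}")
            continue
        (_, _, lflags, _, _, _, lcrc, lcsize, lusize,
         lfnlen, _) = struct.unpack_from("<4sHHHHHIIIHH", data, loff)
        lname = data[loff + 30:loff + 30 + lfnlen]
        if lname != name:
            findings.append(f"{name!r}: local header names it {lname!r}")
        # Bit 3 means CRC/sizes live in a trailing data descriptor, not here.
        if not lflags & 0x08 and (lcrc, lcsize, lusize) != (crc, csize, usize):
            findings.append(f"{name!r}: CRC/size fields differ between headers")
    if count != entries_total:
        findings.append(f"EOCD claims {entries_total} entries, found {count}")
    # Heuristic: a local header no directory entry points to is a hidden member.
    off = data.find(LOCAL_SIG)
    while 0 <= off < cd_offset:
        if off not in referenced:
            findings.append(f"unreferenced local header at offset {off}")
        off = data.find(LOCAL_SIG, off + 1)
    return findings

def make_sample(tamper: bool = False) -> bytes:
    """Constructed fixture; tamper=True renames the member in the central directory only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("notes.txt", "constructed sample text, not malware")
    data = buf.getvalue()
    cd = data.rfind(CENTRAL_SIG)  # start of the single central directory entry
    return data[:cd + 46] + b"NOTES.TXT" + data[cd + 55:] if tamper else data
```

A clean archive yields an empty list; any finding is a reason to quarantine the file for deeper inspection rather than to trust whichever view a given scanner happened to parse.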