Zotero stores temporary zip files that raise false positive deletions by Sophos

Hi there,

Since recently, any time Zotero stores temporary zip files in the tmp subfolder, Sophos detects them as Mal/DrodZp-A, i.e. an archive with malicious content. This is an annoying situation, because after I start Zotero, malware notifications occur rather frequently. I already posted a question in the Sophos forum, but I have been urged to provide a sample. I can't, because this situation emerges on my Windows 10 work laptop with no administrative rights and the temporary zips are deleted immediately after they appear. I hope that the Zotero developers can take a look at this situation. Many thanks in advance.
  • (edited December 4, 2017) I'm afraid there's nothing we can do about that — that's just Zotero syncing webpage snapshots. It's literally just the same as doing Save Page As… -> Web Page, Complete in your browser and then zipping all the files. It's true that ZIPs sent via email are often malicious, but it's just a standard file format, so if Sophos is triggering on those, you should talk to your IT department and ask them to whitelist the Zotero data directory.
  • Note that it is possible for websites you save from to (sometimes unknowingly) serve malicious JavaScript — e.g., Bitcoin miners — and Zotero would dutifully save those. So if it's happening only for specific files, you'd want to just delete those items in Zotero and empty the trash, but if it's happening for every ZIP file you'll just have to whitelist the directory.
  • Thank you for your suggestions. It is indeed happening for every zip. Sounds like I will have to live with it for now. Interestingly though, the functionality of Zotero remains unaffected by Sophos' deletions. That means that Zotero can extract the zips and populate the database without Sophos deleting that data, just the zips. I've been asked whether the Zotero application really was downloaded from Zotero.org. Could you provide checksum validation in the future? My problems could not be reproduced so far.
  • I'm not sure why you think Sophos is deleting them — Zotero simply downloads the ZIP files to that temporary directory, unzips them into 'storage', and then deletes the ZIP. This is just normal Zotero sync operation. Again, I would recommend asking your IT department to whitelist that directory in Sophos if it can't deal with a ZIP file containing a webpage.
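As an added example (not Zotero's code, nor anything from the posters above), the following script triages a snapshot ZIP of the kind described in this thread (a zipped "Web Page, Complete" save): it lists the entries and reports which ones carry scripts, so a user whose scanner flags only some snapshots can tell which items to delete from Zotero instead of whitelisting the whole data directory. The sample archive it builds, the file names in it and the extension list are constructed for the demonstration.

```python
"""Triage helper for webpage-snapshot ZIPs (added example, not Zotero's own code)."""
import io
import zipfile
from pathlib import PurePosixPath

# Extensions treated as script-bearing. Assumption chosen for this example.
SCRIPT_EXTENSIONS = {".js", ".mjs", ".vbs", ".hta", ".jar"}


def triage_snapshot(zip_bytes: bytes) -> dict:
    """Summarise a snapshot ZIP: entry names, script entries, inline <script> pages,
    and the uncompressed/compressed size ratio (a crude zip-bomb indicator)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        names = [i.filename for i in infos]
        scripts = [n for n in names
                   if PurePosixPath(n).suffix.lower() in SCRIPT_EXTENSIONS]
        inline = []
        for info in infos:
            if PurePosixPath(info.filename).suffix.lower() in {".html", ".htm"}:
                # Pages with inline or referenced <script> tags are worth a look too.
                if b"<script" in zf.read(info).lower():
                    inline.append(info.filename)
        compressed = sum(i.compress_size for i in infos) or 1
        uncompressed = sum(i.file_size for i in infos)
    return {
        "entries": names,
        "script_files": scripts,
        "html_with_script_tags": inline,
        "expansion_ratio": uncompressed / compressed,
    }


def build_sample_snapshot() -> bytes:
    """Constructed stand-in for a saved-page ZIP; the contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("index.html", "<html><body><p>Hello</p>"
                    "<script src='index_files/miner.js'></script></body></html>")
        zf.writestr("index_files/style.css", "p { color: black; }")
        zf.writestr("index_files/miner.js", "/* constructed placeholder, not a real script */")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_snapshot(build_sample_snapshot()).items():
        print(f"{key}: {value}")
```

Point `triage_snapshot` at the bytes of a ZIP copied from Zotero's tmp folder (or at a snapshot re-zipped from the 'storage' directory) to get the same report for a real item.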
  • OK, thank you!