Automatic snapshots vulnerability

A faculty member of ours reported this issue with Zotero with automatic snapshots. I'm wondering if someone could review and address this potential issue?

I am writing because recently, the antivirus program ITS provides — Sophos Endpoint — has been reporting the following warning each time I start up Zotero: Mal/DrodZp-A cleaned up. Since then I believe I have found both the source of the problem and a relatively easy workaround.

The source of the problem is the downloading of information from webpages, such as the bibliographic information for a journal article on the journal’s website. Specifically, Zotero’s default settings also have it automatically take a “snapshot” of the web page when creating bibliographic items from a journal webpage. The problem is that taking a snapshot of a web page (by downloading the code needed to recreate the webpage) also downloads any malware such as DrodZp-A inserted into that webpage code. When you start up Zotero, it opens/creates? a folder called tmp with the snapshot web code (in a zip file), triggering the Sophos alert.

To avoid this problem, the Zotero user needs to UNCHECK the “automatically take snapshots” box. It might also be helpful to UNCHECK the automatically attach PDFs and other files box, but I am unsure about that and I haven’t done so myself.

To clean up an infected Zotero database — you’ll know it is infected when Sophos alerts you! — it is necessary to drag each web snapshot to the Zotero trash AND then force the Zotero trash can to empty. If you don’t force the Zotero trash can to empty, you’ve just moved the malware from one folder within Zotero to another and haven’t really solved the problem.

Once I trashed all my web snapshots (which are unnecessary, in my opinion) AND emptied the Zotero trash, the alerts stopped happening.
This isn't a vulnerability of Zotero.

In many cases, these are false positives -- as I'm inclined to think is Mal/DrodZp-A (which is an email virus, so would be unlikely to download from a website).

Where they aren't false positives, downloading the webpage snapshot poses no additional security risk over visiting the webpage in the first place.

Snapshots are very much not unnecessary. They ensure that researchers are able to access web content at a later time, even where it changes or disappears online.