by marcusb 408 days ago
Undoubtedly. If you go poking around most any security product (the product I was referring to was not in the EDR space,) you'll see these sorts of issues all over the place.

It has to be the way it is.

Scanning them is resource intensive. The choices are (1) skip scanning them; (2) treat them as malware; (3) scan them and be DoS'ed.

(deferring the decision to a human is effectively DoS'ing your IT support team)

Option #4: detect the zip bomb in its compressed form, and skip over that section of the file. Just like the malware ignores the zip bomb.
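Added example, not code from any commenter in this thread: a Python sketch of the three-way trade-off above (skip, condemn, or get DoS'ed) and of the "option #4" flow. It reads only the central directory to flag entries whose declared sizes imply an extreme compression ratio, then inflates the remaining entries under a hard byte budget, so an entry that lies about its size in the header still cannot exhaust the scanner. The thresholds, entry names and the in-memory sample archive are constructed assumptions for illustration.

```python
"""Header-first zip bomb triage plus budget-limited inflation.
The sample archive and all thresholds are constructed for this example."""
import io
import zipfile
from typing import Optional

# Assumed thresholds for the example, not values from the thread.
MAX_RATIO = 100                         # declared uncompressed / compressed, per entry
MAX_DECLARED_TOTAL = 256 * 1024 * 1024  # 256 MiB declared total for the whole archive
CHUNK = 64 * 1024                       # inflate in small pieces so we can stop early


def inspect_zip_headers(data: bytes) -> dict:
    """Read only the central directory and return a verdict with evidence.
    Declared sizes are attacker-controlled, so this is a cheap first pass;
    inflate_bounded() enforces the limit during real decompression."""
    findings = []
    total_declared = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total_declared += info.file_size
            if info.filename.lower().endswith(".zip"):
                # Nested archives are the usual way bombs multiply their layers.
                findings.append((info.filename, "nested_archive", 0))
            if info.compress_size > 0:
                ratio = info.file_size / info.compress_size
                if ratio > MAX_RATIO:
                    findings.append((info.filename, "ratio", int(ratio)))
    if total_declared > MAX_DECLARED_TOTAL:
        findings.append(("<archive>", "declared_total", total_declared))
    return {
        "verdict": "suspicious" if findings else "ok",
        "findings": findings,
        "declared_total": total_declared,
    }


def inflate_bounded(data: bytes, name: str, limit: int) -> Optional[int]:
    """Inflate one entry while counting bytes actually produced; abort as
    soon as the budget is exceeded. Returns bytes produced, or None if aborted."""
    produced = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return produced
            produced += len(chunk)
            if produced > limit:
                return None


def skip_flagged_entries(data: bytes, limit: int) -> dict:
    """The 'option #4' flow: scan every entry except the ones the header pass
    flagged, and record which entries were skipped and why the rest passed."""
    report = inspect_zip_headers(data)
    flagged = {name for name, _, _ in report["findings"]}
    scanned, skipped = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename in flagged:
                skipped.append(info.filename)
                continue
            if inflate_bounded(data, info.filename, limit) is None:
                skipped.append(info.filename)  # header lied; budget hit mid-inflate
            else:
                scanned.append(info.filename)  # content is now available to the scanner
    return {"scanned": scanned, "skipped": skipped}


def build_sample_archive() -> bytes:
    """Constructed sample: one benign text entry and one highly compressible
    entry (32 MiB of zeros) whose ~1000:1 ratio mimics a zip bomb layer."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "quarterly report, nothing to see here\n")
        zf.writestr("payload.bin", b"\x00" * (32 * 1024 * 1024))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    print(inspect_zip_headers(sample))
    print(skip_flagged_entries(sample, limit=1024 * 1024))
```

The header pass costs a single pass over the central directory, so it is the cheap filter; the byte budget in `inflate_bounded` is what actually prevents the DoS, because nothing in the zip format stops an entry from declaring a small size and then inflating far past it.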
Just the fact that it contains a zip bomb makes it malware by itself.
It does not have to be the way it is. Security vendors could do a much better job testing and red teaming their products to avoid bypasses, and have more sensible defaults.