mscz-files in Office365 detected as JAR-filetype

• Feb 11, 2020 - 14:03

Hello,
As a University of Arts in the Netherlands our docents and students often use musescore.
We use Office365 (Exchange Online) as our E-mail provider with default malware protection.
Unfortunately your mscz-files are detected as JAR-filetype and striped of mails.
I found something of a workaround in one of your fora, but is there a structural solution without weaken our security.


Comments

In reply to by Jojo-Schmitz

As you know, mscx cannot be set as default format, so that using it is indeed a workaround. It disturbs the flow of exchange. By the way, like Heiko I work at ArtEZ University of the arts. Students forget to convert; it puts them off using MuseScore. What we are wondering is why this is not a common problem. As you say, mscz is JAR-like. Yet we seem to be only the second case (?) of Office365 rejecting mscz.

In reply to by rvdhart

the .mscz format (as well as the .mxl format) is a ZIP archive, just like .jar.

We're using Office 355 at work too, yet I have no issues with .mscz attachments (neither with .jar as far as I can tell), but I do remember that once upon a time (some years ago) we had problems with compressed files having been flagged and even removed as being potentially dangerous, so you may need to talk to your E_Mail provider to relax the rules reg. dangerous attachments. There's nothing MuseScore could do to fix this.

In reply to by Jojo-Schmitz

We are using Office365 protection to handle spam and malware.
The list of filetypes for filetype-filters includes JAR as default.
To prevent us from malware we leave that setting.

As far as I know and tested not the name of the extention is checked, but if the signature is of this type.
So this filetype "mscz" is a configuration Microsoft states to be of a Jar-filetype classification.
I cannot make another exclusion if I want to keep the regular protection.

So or our customers (students and teacher of a main conservatory in the Netherlands) will use a workaround with frustrations or musescore is taking action.

In reply to by hlentfer

.mscz is a ZIP archive, same as .jar. You'd have the same issue with compressed MusicXML, .mxl, which too is a ZIP format. You might get your students to exchange .mscx files instead (plain text, XML like).

As long as you don't look into the content of those archives, there's no other way.

In reply to by rvdhart

It definitely seems a failure of the email provider. Sure, MSCZ is a ZIP-type file, but so is ZIP itself, and so are a whole bunch of other formats. Does the email program similarly disallow other ZIP archives? Actually, whether the answer is yes or no, it's a problem that needs to be reported to them so they can solve it. All ZIP files are not JAR archives, and certainly an MSCZ ile is not. So whatever is causing them to think it is, they need to get smarter about it.

In reply to by hlentfer

What change specifically do you think should be made? As far as I can tell, the file is a plain ordinary ZIP file;l only Office365 seems to make the error of interpreting it as a JAR file, presumably because it happens to contains a filename it knows JAR files also happen to contain. But this file isn't unique to JAR at all, it's actually a pretty standard part of other ZIP-based formats as well. As far as I can tell, that's a bug in Office365 - it is erroneously identifying all archives containing this filename as JAR files, rather than being smarter about the detection. The bug should be reported to Microsoft.

In reply to by hlentfer

Yes, apparently they do. And they apparently don't for everyone, as we're using Office 365 at work too, and do not have such issues (anymore, I do remember having had similar issues a while ago).

A ZIP archive is not malware, per se, it's content might, but even then a .jar file unlikely is.

"Don't judge a book by its cover" ;-)

The MuseScore developers simply cannot offer a solution here without breaking compatibility for another million users!

But one possible solution has been outlined above several times: use .mscx as the format to exchange scores.
But here's another: use a cloud service (like OneDrive, also Microsoft) and just send links to that.
Or use 'Save online' and use musescore.com for that. Now that the 5-scores limit has vanished, Pro accounts are not needed anymore (for that purpose)

In reply to by Jojo-Schmitz

Playing the devil's advocate, code itself is not necessarily malware, but trying to eliminate mailing of code is par for the course for such filters. "Don't judge a book by its cover" is a fair aphorism for discouraging prejudice against human beings, but files enjoy no such rights: overkill is the name of the game. Yes, it's pathetic, in the Machiavellian way in which it is consequent to a humanity that still begets cheats and villains.

In reply to by [DELETED] 1831606

Apparently prejudice is not just something humans do, but as seen here also software.
Yes, a .exe, or a .reg should certainly not pass though via email. Maybe a .jar neither. But a zip archive should, even it it contains a .exe, .jar or .reg file. It is up to the user to tell whether it is dangarous. Send to a real scanner, looking for fingerprints if malicous code.

We've been sending .exe files via email, renaming them to .eze and telling the recipient to rename them back ;-)
No scanner alarmed anyone...

In reply to by hlentfer

Yes, it would appear from what you are saying that Microsoft's filter is poorly designed, misidentifying files as JAR that are not. Bugs happen to everyone, Microsoft included, this would hardly be the first, or even the 1000th, probably not even the 1,000,000th. They are used to people reporting bugs agaisnt their software, and in fact, they do often even fix them once reported.

So, to be clear: we are offering a solution: the solution is to report the bug to Microsoft. Again, as far as anyone has been able to demonstrate, the ZIP file format is completely standard and should not in any way be problematic, without of without a manifest file. Every single program on earth seems to know this except, apparently, Office365, which is being far too conservative here, resulting in false positives that they should absolutely be able to address once the problem is reported to them.

In reply to by rvdhart

Lot of the discussion is about confusing MuseScore files with jar.
But... is it really so? Or was it just an hypothesis of the o365 admin?
Can we see some kind of log or messages that really show the confusion with jar to be able to identify the true reason why is it so?
And could you also manually write a basic XML file with notepad (a tiny one with just some XML tags), zip it, and send the result by email.
Do you have the same issue or not with that manually zipped XML or not?

In reply to by rvdhart

I've also just had an mscz file rejected by my university Office 365 account, which worried me.So you're not the only ones. I scanned the computer with MalwareBytes and the file with McAfee and no issue was found. I am not computer savvy enough unfortunately to know how to convert to an mscx file. Can anyone tell me how, please?

It is unclear to me that there really is a discernible difference between an MSCZ and JAR file whose contents are an MSCX, images, and so forth. Both have META-INFO folder with an XML manifest, etc. It seems clear to me that the mscz format was deliberately designed to exploit JAR structure as much as possible because of the desire to use extant standards and formats rather than inventing new ones, without prescience that one day "NO JAR FILES, DOGS, OR FIREWORKS ALLOWED" might come to pass. This may not be easy to fix on the Microsoft side.

Not all executables are malware, but all executables are banned from all email because some are.

In reply to by [DELETED] 1831606

That is, there are surely differences in the MANIFEST between a jar file containing java code and MuseScore's. However, Microsoft cannot know about each vendor who uses a JAR-like format. Careful test for the validity of a JAR file suspected of being malware is no way to write defense code. Remember the old Woody Allen movie where his character goes into a bank and passes the teller a threatening note ,,...the teller says, "it doesn't say GUN, it says GUB.", etc.?

In reply to by frfancha

That may be its origin, thank you, but it is often applied to situations where important differences are papered over by those not interested in discerning them, specifically is situations where a "negative judgment" or penalty is being applied. I don't want to bring up real-world examples, because they are all ipso facto politically sensitive. The factions and sub-sects and even major divisions of the hated group are rarely important to the hater.

In reply to by [DELETED] 1831606

As much as I like and use Microsoft Office, I have stayed away from Outlook and their other email program. Too locked down. Which is probably why business and schools like them so much. I doubt that they will change anything. The OP and group might consider almost any other email.

Although this post is now 2 years old, this problem persists and will likely become worse. The reason some O365 customers see this while other do not has to do with enabling the best practices for email protection. If the best practices aren't applied, these files will be delivered. If one's security team is applying the recommended settings that prevent executable and executable-like attachments from being delivered, these files will be rejected.

jar, as these are identified as are part of the M365 anti-malware "common attachment filter." This filter blocks 50+ common attachments that are known to be dangerous.

I will say this. Out off 22 million messages my domain sees yearly, this mscz make up the bulk of the detections as jar. I think it's on musescore to reach out to Microsoft and figure out why this continues to happen.

In reply to by Jojo-Schmitz

I'm going to agree to disagree. If Musescore uses the common format for jar files as the basis for their file format, it's on them to work with Microsoft to fix the detection. As I mentioned, the MS baseline now enables the "common file attachment filter", and with EDUs a big part of the M365 ecosystem where musescore is typically used, it's not good that the file format is being rejected as malicious.

In reply to by jeffreysessle

If a product is stupid enough to assume a ZIP format (like mscz) to be the same as a JAR format (just because it roo contains a META-INF directory), it is their problem, and their's alone (a JAR file would contain .class files, and only those can be considered dangerous, because they do contain executable code). And more importantly, only they can fix it, and only their customers have the commercial power to force them to fix it.

In reply to by jeffreysessle

If particular filter detects a simple ZIP file as a JAR file, then it's not actually using best practices at all. Best practice would be to be smarter about the detection to only look for actual JAR files - not just any old ZIP file containing a couple of similar things. Like, a JAR file would also have a MANIFEST file, it would also have files with the extension ".class", etc. None of these are present in MSCZ files. So it's not best practice at all to mess this up - these filters are just plain broken.

If the filter you are using is one provided by MIcrosoft themselves, then they should improve it. If it's a third party filter offered by a company claiming to offer "best practices", then they should fix it. But fixing it would have to happen on that side, because as noted above, it's not just MuseScore that uses ZIP files with this type of structure.

As far as I know, no Office user encountered this problem has yet contacted the providers of their filters to ask them to do fix their filters. So no surprise that nothing has changed in the last two years. Work on fixing the problem could potentially start any time after someone contacts the filter provider. Best time would have been two years ago; second best time is now :-)

In reply to by Marc Sabatella

As I said, out of 20 million plus messages scanned at my campus each year by MS, the musescore mscz file format is the only variation of a zip file format that is being detected this way. None of the other formats are blocked, so this appears to be unique to musescore.

I can't imagine a developer taking the stance that they aren't part of the solution here. I would imagine you'd want the product to be successful, and I'd bet money that this is happening far more than known. Would it not be in the best interest of the product to attack the fix from both directions? As a customer I can report it, but as a developer, you too have a path in which to contact MS and help get this fixed.

In reply to by jeffreysessle

MuseScore has no leads into Microsoft, no contract of any sort, so no contact either. Office 365 users, as Microsoft customers, do have that.

So just go and report it there, and point the Microsoft support folks here for more details.

MuseScore just cannot change the format of mscz files, and very certainly not just to please their broken anti malware filter.

In reply to by jeffreysessle

I should clarify that while I've worked on the internal code, I have no insight into the file format packing.

The reason I am saying this is not a MuseScore problem is that it is already apparent just by looking at the file internals what the problem is. The developers of filters are just as capable of looking at the contents of the ZIP files as we are, and indeed, they have far more expertise in this area than anyone on the MuseScore team. They don't need anyone from the MuseScore team to confirm that MSCZ files do not contain a MANIFEST.MF file, or any ".class" files, or really any of the specifics that truly identify JAR files. They can see this for themselves the moment they are alerted to the problem by one of their customers.

So, again, step one is for one in getting this particular filter developer to fix their filter is for one of their customers to contact them and request a fix. Have you tried doing this yet? I definitely recommend that as your next step, and include a sample MSCZ file to use as an example. Then maybe report back here after they respond.

If they reply that they are having trouble understanding the format, they are of course welcome to contact someone here. But I sincerely doubt they will have any trouble at all. I think once they are alerted to the problem and choose to work on it, the'll have it figured out within 15 minutes. They don't need our help to solve the problem; they need help from one of their customers to alert them that a problem exists.

BTW, when you say that only MSCZ files are being flagged, are you saying that you have tested MXL and the other non-MuseScore files that use similar formats and they don't get flagged? If so, that would be great info to also pass on the developer of the filter you are using.

In reply to by jeffreysessle

Our company is not 40000 (as in some other comment), but "only" 700 or so; using O365 for a few years (I dont know - would have to ask the IT department), with (sometimes very) aggressive filtering of executables of any sort. I have only sent some dozen MSCZ files over our email system - but never had a problem.

H.M.

In reply to by jeffreysessle

I work for a company with over 40,000 employees worldwide and they take a very stringent approach to security and spam. We are using O365 and have no issues with .mscz files as downloads or email attachments, so I don't think Musescore is responsible for this problem.

"I will say this. Out off 22 million messages my domain sees yearly, this mscz make up the bulk of the detections as jar"

Since mscz files are clearly not jar files then, if you want/need to reduce this mis-detection count, you need to fix your faulty detector.

Do you still have an unanswered question? Please log in first to post your question.