If it was password-protected and victims were given the password to extract the files and infect themselves, antivirus programmers would also know the password (included in the place the zip was found), and thus be able to extract the contents and conclude it was malware. If no password is given to potential victims, sure, the antivirus companies can't know it contains malicious software; but it is effectively useless against potential victims because they can't open it, thus it poses no threat.

Originally Posted by squidderuds
Say script kiddie A sends a password-protected zip containing malware to many victims via email and includes the password in the email. Once the antivirus companies get the malicious email forwarded to them, they also get the password. See what I'm saying?