cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2355
Views
0
Helpful
3
Replies

Mail Policies - Anti-Virus: Howto detect encrypted Messages?

Pat_ironport
Level 1
Level 1

We found the settings for "Encrypted Messages:" and "Unscannable Messages:" in the Anti-Virus-Section of the incoming Mail Policies.

How can our C100 detect an encprypted message?
Or the other way: Why can our C100 NOT detect PGP/OpenGPG encrypted messages with or without attachment? (I sent a mail with/without attachment from my private account - OpenGPG encrypted - to my office account. There was no visible subject modification on this mail im my office-inbox.)

Is there some special setting that we have to configure?
We would like to see the Modified Message Subject as entered in the above sections, as soon as we receive a encrypted mail.

3 Replies 3

Found something in the documentation for you (Users Guide - Page 317):


Encrypted Message Handling

Messages are considered encrypted if the engine is unable to finish the scan due to an encrypted or protected field in the message. Messages that are marked encrypted may also be repaired.

Note the differences between the encryption detection message filter rule (refer to “Encryption Detection Rule” in Chapter 4, “Policy Enforcement” in the IronPort AsyncOS Advanced User Guide) and the virus scanning actions for “encrypted” messages. The encrypted message filter rule evaluates to “true” for any messages that are PGP or S/MIME encrypted.

The encrypted rule can only detect PGP and S/MIME encrypted data. It does not detect password protected ZIP files, or Microsoft Word and Excel documents that include encrypted content. The virus scanning engine considers any message or attachment that is password protected to be “encrypted.”

Note — If you upgrade from a 3.8 or earlier version of AsyncOS and you configured Sophos Anti-Virus scanning, you must configure the Encrypted Message Handling section after you upgrade.


In short: the AV scanner doesn't check for PGP or S/MIME encryption. A workaround for you might be to set up a message filter that does just that and modifies the subject according to your needs.

Something like (not tested!):

modify_subject_if_encrypted: if (encrypted) {strip-header("Subject"); insert-header("Subject", "[Message Encrypted] $SUBJECT"); }


Torsten

gato_ironport
Level 1
Level 1

We use a filter like this:

isEncrypted: if (encrypted) OR (((attachment-mimetype ==
"application/octet-stream") AND (attachment-filename == "asc")) OR
((attachment-mimetype == "multipart/encrypted") OR ((attachment-mimetype ==
"multipart/signed") OR ((attachment-mimetype ==
"application/x-pkcs7-signature") OR ((attachment-mimetype ==
"application/x-pkcs7-mime") OR ((attachment-mimetype == "application/pgp-keys")
OR ((body-contains("[-][-][-][-][-]BEGIN PGP", 1)) OR
((body-contains("[-][-][-][-][-]BEGIN\\=20PGP", 1)) OR
((body-contains("LS0tLS1CRUdJTiBQR1Ag", 1)) OR
((body-contains("LS0tQkVHSU4gUEdQI", 1)) OR
((body-contains("LS0tLUJFR0lOIFBHUC", 1)) OR (body-contains("\\* PGP",
1))))))))))))) {
insert-header("X-IronPort-Encrypted", "true");
}

Hi,

I am new with IronPort and need to configure icomming content filter to detect signed and encrypted (S/MIME and PGP) emails in order to re-rote them to the PGP Universal server.

Is it possible to implement above example on C160 (Version 7.0.1-010) via Web GUI or do I have to do it via CLI?

Thanks.