cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3046
Views
10
Helpful
12
Replies

Password protected attachments in email - Bug CSCvv95061

Doug Maxfield
Level 1
Level 1

Good Afternoon,

We are running into issues with emails that contain password protected attachments and content protected attachments.  Is there a way to setup a filter that would quarantine the emails/attachments that actually have a password on them and bypass emails/attachments that have content protection on them.  My definition of content protection is an attachment when opened, the recipient is unable to change information in it.  Attaching a file that has content protection.  If opened in Adobe, select File > Properties > Security Tab, you will see the document content has been password protected.


I'm sure that I'm not the only one having this issue.  Just looking for ideas to see if it can be corrected before opening a TAC.

Thanks!!!

Doug

12 Replies 12

SriramV
Cisco Employee
Cisco Employee

Currently ESA doesn't have content protected attachments classification in Content Filter.

 

have you tried this ?

Security Services -> Scan Behavior -> Under Global Settings, click Edit Global Settings

Edit  "Actions for Unscannable Messages due to Extraction Failures" to  "quarantine"

SriramV,

Thanks for the response.  The content protected emails and password protected emails are both currently being quarantined.  This is my current setting, see attached

I only want to quarantine the actual password protected documents/emails, not the content protected emails.

Thanks!!

Doug

Hey Doug, 

Are these coming in with a password in the email? 

Ken

Morning Ken,

It's about 50/50.  My biggest issue is with the content protected emails/attachments.  If there was a way to get these "bypassed" from the password protection, that would be awesome.  I know with the current version or ver 14, there is a way to "read" the password for these emails, if included, and scan in a sandbox.  

I created a bug in the beta testing with ver 14, but I don't think it has gained much traction.

Thanks,

Doug

Morning!



Right... I'm just trying to understand how/why they're getting flagged...



Is the ESA reacting to text in the email saying "password is 'documentpassword'?

Or is the code that analyzes the file for password protection treating both content protection and actual encryption as the same?



Ken




Ken,

Sorry for the delay.  Took a few days off.

To answer your question, I believe it's the code that analyzes the file for password protection treating both content protection and actual encryption as the same.

 

Thanks!!

Doug

SriramV
Cisco Employee
Cisco Employee

if the ESA is 13.x, then there is no work around. 

updated note : the above statement is not correct

 

if ESA is 14.0 and Scanning of Password-protected Attachments is enabled, it should work as requested by you.

if the password is not available in email body and Probable Password list, then password protected attachment will be categorised as "extraction failure" and can apply Quarantine action under "Actions for Unscannable Messages due to Extraction Failures"

also content protected attachments will be scanned by ESA, so will automatically bypass above Quarantine action

SriramV,

Thanks for the info.  Since we are running Cloud ES and I know that ver 14 is being released, is there an ETA to get the Cloud ES updated to ver 14?

 

Doug

hi Doug,

For 14.0 upgrade in CES : Call TAC and request to be upgraded to 14.0.

 

i think your requirement can also be solved with simple content filter even in ESA 13.x 

Quarantine_PP_PDF: if (attachment-filetype == "pdf") AND (attachment-protected) { quarantine("Policy"); }

I am running running the latest code and i put the passwords into the global scan config. 

content_scanner log reports the protected attachment has been scanned sucessfully.

Later in the queue i have a content filter for "attachment-protected" and that quaranies the email though it was scanned sucessfully? Is this a bug or am i overlooking something? 

 

regards,

Michael

When the passwords are set in scan config, it will use it to scan the contents of the attachment after decryption. It will not remove/strip the password.

So a content filter condition with "attachment-protected" and quarantine action, the symptoms seen is expected since the attachments are still protected by a password.

is there any way to differentiate between "protected with unknown password" and "protected but were able to scan it" in a content filter? the current behaviour doesn't make much sense IMHO. (and the "extraction failed" option doesn't help me either because i cannot notify users when the message is quarantined - we are putting a copy of the message in Quarantine, then strip the protected attachments from the message and send it to the user - users can then ask for the orginal if it is legitimate.)  

if this is not currently supported, i would like for this feature to be added - without it the whole decryption thing is kind of useless.

thanks,

Michael

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: