RC4 versus AES encryption
07-24-2013 08:13 AM
Is there a difference between RC4 and AES encryption in terms of the Ironport being able to scan these for viruses?
PDFs with RC4 are not being classed as encrypted and therefore not quarantined; however, any with AES are unscannable and quarantined, and we have to manually release these.
Is there a known difference?
I know RC4 is not complex and is old, but just wondering if anyone knows the specifics of how the Ironport scans them.
Thanks,
Juliet.
Labels: Email Security

07-24-2013 09:22 AM
Hello Juliet,
-Sophos behaviour for AES-
The Engine does not support decrypting AES encryption within PDFs, hence it issues an encrypted return code if StrongPDF is configured. A file can contain AES encrypted objects with the default password, even if a user has not set their own password on the file - which is likely to be what is happening in this case.
To explain the differences with 128-bit RC4 encrypted PDFs, Sophos can generally decrypt and scan them using the default key, so no error is returned. So in summary, the Sophos engine is likely to return ENCRYPTED for AES encryption within PDFs even when no password has been set.
It is correct that Sophos cannot scan the object encrypted using AES, though Sophos can still add detection for a malicious file, even if part of that file cannot be scanned for some reason. The error is only for the AES encrypted object; additional parts of the file will be scanned, though Sophos would not need to scan the whole PDF file in order to detect the PDF as viral.
In summary, Sophos will provide protection against any possible PDF threats. May I suggest that if you have any concern about protection against future threats, it is always best to have a second layer of antivirus scanning, which can run either on ESA appliances, mail server or end user client machines.
Hope the information above helps.
Thanks
Nasir
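
Added example, not part of the original posts and not Sophos or IronPort code: a Python triage sketch that reads a PDF's /Encrypt dictionary and reports whether it declares RC4 or AES, the distinction described in the reply above. The sample byte strings are constructed, the function names are hypothetical, and the regex approach assumes the encryption dictionary is stored uncompressed in the file.

```python
import re

# Constructed sample PDFs (minimal fragments, not real documents).
RC4_PDF = (b"%PDF-1.4\n5 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128 "
           b"/O <00> /U <00> /P -1 >>\nendobj\n"
           b"trailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n")
AES_PDF = (b"%PDF-1.6\n7 0 obj\n<< /Filter /Standard /V 4 /R 4 /Length 128 "
           b"/CF << /StdCF << /CFM /AESV2 /AuthEvent /DocOpen /Length 16 >> >> "
           b"/StmF /StdCF /StrF /StdCF /O <00> /U <00> /P -1 >>\nendobj\n"
           b"trailer\n<< /Root 1 0 R /Encrypt 7 0 R >>\n%%EOF\n")
PLAIN_PDF = b"%PDF-1.4\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"

def encrypt_dict(pdf: bytes):
    """Return the raw bytes of the /Encrypt dictionary, or None if absent."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    if ref:
        # Indirect reference: find the matching "N G obj ... endobj" body.
        pat = rb"(?<!\d)%s\s+%s\s+obj(.*?)endobj" % (ref.group(1), ref.group(2))
        obj = re.search(pat, pdf, re.S)
        return obj.group(1) if obj else None
    # Otherwise the dictionary may be written inline in the trailer.
    inline = re.search(rb"/Encrypt\s*<<(.*)", pdf, re.S)
    return inline.group(1) if inline else None

def classify(pdf: bytes) -> str:
    """Report the cipher declared by the PDF standard security handler."""
    d = encrypt_dict(pdf)
    if d is None:
        return "none"
    v = re.search(rb"/V\s+(\d+)", d)          # algorithm version
    version = int(v.group(1)) if v else 0
    cfm = set(re.findall(rb"/CFM\s*/(\w+)", d))  # crypt filter methods
    if version in (1, 2):
        return "RC4"                          # V1/V2 are always RC4
    if version == 5 or b"AESV3" in cfm:
        return "AES-256"
    if version == 4 and b"AESV2" in cfm:
        return "AES-128"
    if version == 4 and b"V2" in cfm:
        return "RC4"                          # V4 with an RC4 crypt filter
    return "unknown"

if __name__ == "__main__":
    for name, data in [("rc4", RC4_PDF), ("aes", AES_PDF), ("plain", PLAIN_PDF)]:
        print(name, classify(data))
```

The result only reflects what the file declares; it does not tell you whether a user password was set, since a PDF can be encrypted with the default empty password.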
