Hello Juliet,
-Sophos behaviour for AES-
The Engine does not support decrypting AES encryption within PDFs, hence it issues an encrypted return code if StrongPDF is configured. A file can contain AES-encrypted objects with the default password, even if a user has not set their own password on the file, which is likely to be what is happening in this case.
To explain the difference with 128-bit RC4 encrypted PDFs: Sophos can generally decrypt and scan them using the default key, so no error is returned. So in summary, the Sophos engine is likely to return ENCRYPTED for AES encryption within PDFs even when no password has been set.
It is correct that Sophos cannot scan an object encrypted using AES, though Sophos can still add detection for a malicious file, even if part of that file cannot be scanned for some reason. The error is only for the AES-encrypted object; additional parts of the file will be scanned, though Sophos would not need to scan the whole PDF file in order to detect the PDF as viral.
In summary, Sophos will provide protection against any possible PDF threats. May I suggest, if you have any concern about protection against future threats, that it is always best to have a second layer of antivirus scanning, which can run on ESA appliances, the mail server or end-user client machines.
Hope the information above helps.
Thanks
Nasir
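
An added example, not part of the reply above and not Sophos code: a triage sketch that reads the cipher a PDF declares in its /Encrypt dictionary, so an administrator can tell whether a file that came back ENCRYPTED is an AES case as described in the reply or an RC4 one. It is a regex heuristic rather than a full PDF parser; the names `encrypt_dict`, `classify` and `SAMPLES` are hypothetical and the sample files are constructed.

```python
import re

def encrypt_dict(data: bytes):
    """Return the bytes holding the encryption dictionary, or None if /Encrypt is absent."""
    refs = re.findall(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", data)
    if refs:
        num, gen = refs[-1]  # the last trailer wins after incremental updates
        obj = re.search(rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj(.*?)endobj", data, re.S)
        return obj.group(1) if obj else b""
    inline = re.search(rb"/Encrypt\s*<<", data)
    if inline:  # dictionary written directly in the trailer
        end = data.find(b"startxref", inline.end())
        return data[inline.end():end if end != -1 else len(data)]
    return None

def classify(data: bytes) -> str:
    """Name the cipher declared by the PDF standard security handler."""
    d = encrypt_dict(data)
    if d is None:
        return "none"
    v = re.search(rb"/V\s+(\d+)", d)           # algorithm version; "/V2" below is a name, not this key
    version = int(v.group(1)) if v else 0
    if b"/AESV3" in d:                          # crypt filter method for AES-256
        return "AES-256"
    if b"/AESV2" in d:                          # crypt filter method for AES-128
        return "AES-128"
    if version in (1, 2) or (version == 4 and re.search(rb"/CFM\s*/V2\b", d)):
        return "RC4"
    return "unknown"

def _sample(enc_obj: bytes) -> bytes:
    """Build a constructed, minimal PDF skeleton whose object 7 is the encryption dictionary."""
    return (b"%PDF-1.6\n7 0 obj\n" + enc_obj + b"\nendobj\ntrailer\n"
            b"<< /Size 8 /Root 1 0 R /Encrypt 7 0 R >>\nstartxref\n0\n%%EOF\n")

# Constructed inputs: only the parts of a PDF this check reads are present.
SAMPLES = {
    "rc4_128": _sample(b"<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 >>"),
    "aes_128": _sample(b"<< /Filter /Standard /V 4 /R 4 /Length 128 "
                       b"/CF << /StdCF << /CFM /AESV2 /Length 16 >> >> /StmF /StdCF /StrF /StdCF >>"),
    "aes_256_inline": b"%PDF-1.7\ntrailer\n<< /Size 8 /Encrypt << /Filter /Standard /V 5 "
                      b"/CF << /StdCF << /CFM /AESV3 >> >> >> >>\nstartxref\n0\n%%EOF\n",
    "plain": b"%PDF-1.6\ntrailer\n<< /Size 8 /Root 1 0 R >>\nstartxref\n0\n%%EOF\n",
}

if __name__ == "__main__":
    for name, pdf in SAMPLES.items():
        print(name, "->", classify(pdf))
```

A result of `AES-128` or `AES-256` on a file nobody password-protected matches the default-password case the reply describes; the declared cipher says nothing about whether the file is malicious.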