Starting in Engine Update 6.1 (released on 25 Sep 2016), support for password-protected archives was added to Threat Emulation blade.
Threat Emulation blade tries to decrypt the protected archive and unpack it based on a preconfigured dictionary of passwords.
- If successful, the Threat Emulation blade handles the archive as a normal archive and continue with the normal flow.
- If it fails to decrypt, the Threat Emulation blade treats the archive according to the configured policy (see the "Configuration" section below).
Support for this feature on Security Gateway is included starting from:
An encrypted archive, which Threat Emulation blade failed to decrypt, can be treated as a malicious file (fail-close policy), or a benign file (fail-open policy).
Configuration is performed through Threat Emulation Command Line Interface - the tecli command.
To enable the feature:
[Expert@HostName:0]# tecli advance archive enable_encrypted_archives 1
To treat the archive as a malicious file (fail-close policy), run this command in the Expert mode:
[Expert@HostName:0]# tecli advance error set archive_pass_protected error
To treat the archive as a benign file (fail-open policy), run this command in the Expert mode:
[Expert@HostName:0]# tecli advance error set archive_pass_protected fail_open
To see the current configuration, run this command in the Expert mode:
[Expert@HostName:0]# tecli advance archive show
User-Defined pass phrases and interesting words
You can configure unique passwords and interesting words to search for in the email body.
To add passphrases and interesting words to the pre-defined list of phrases, a dedicated file must be created.
Connect to the command line on the Security Gateway.
Log in to the Expert mode.
Create the $FWDIR/conf/additional_pass.conf file:
[Expert@HostName:0]# touch $FWDIR/conf/additional_pass.conf
Edit the file:
[Expert@HostName:0]# vi $FWDIR/conf/additional_pass.conf
Add the following template with your desired passwords (each enclosed in the double-quotes), separated by commas. Do not add spaces between the passwords.
"passwords" : ["MyPass1","MyPass2","MyPassN"],
"phrases" : ["password","Password","Pass","pass","codigo","key","pwd"]
Save the changes in the file and exit Vi editor.
- This feature is supported only English characters in the password file.
In case of a failure, a log in SmartView Tracker / SmartLog shows:
Failed to process the file
The feature can support up to 550 passwords without any problems.
Above 550 passwords is also possible, but under these restrictions:
You need to edit the Archive Tool configuration file to allow more passwords and to increase the timeout (the description is below) because trying passwords can increase the time it takes to emulate the file
The more passwords you try (above the 550), the more time it takes to handle the archive. This can cause a timeout in Threat Emulation.
We do not recommend using more than 550 static passwords.
If the archive came as an email attachment in MTA mode, the Security Gateway applies a more efficient password guessing mechanism (in addition to the static passwords file).