Threat Emulation blade support for password-protected archives

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk112821
Technical Level
Product	Threat Emulation
Version	R77.30 (EOL), R80.10, R80.20, R80.30, R80.40, R81, R81.10
OS	Gaia
Platform / Model	All
Date Created	20-Aug-2016
Last Modified	19-Aug-2021

Solution

Introduction

Starting in Engine Update 6.1 (released on 25 Sep 2016), support for password-protected archives was added to Threat Emulation blade.
Threat Emulation blade tries to decrypt the protected archive and unpack it based on a preconfigured dictionary of passwords.

If successful, the Threat Emulation blade handles the archive as a normal archive and continue with the normal flow.
If it fails to decrypt, the Threat Emulation blade treats the archive according to the configured policy (see the "Configuration" section below).

Availability

Support for this feature on Security Gateway is included starting from:

Check Point R80.10
Jumbo Hotfix Accumulator for R77.30 - since Take_221

Configuration

Policy

An encrypted archive, which Threat Emulation blade failed to decrypt, can be treated as a malicious file (fail-close policy), or a benign file (fail-open policy).
Configuration is performed through Threat Emulation Command Line Interface - the tecli command.
- To enable the feature:
  
  [Expert@HostName:0]# tecli advance archive enable_encrypted_archives 1
- To treat the archive as a malicious file (fail-close policy), run this command in the Expert mode:
  
  [Expert@HostName:0]# tecli advance error set archive_pass_protected error
- To treat the archive as a benign file (fail-open policy), run this command in the Expert mode:
  
  [Expert@HostName:0]# tecli advance error set archive_pass_protected fail_open
- To see the current configuration, run this command in the Expert mode:
  
  [Expert@HostName:0]# tecli advance archive show
User-Defined pass phrases and interesting words

You can configure unique passwords and interesting words to search for in the email body.

To add passphrases and interesting words to the pre-defined list of phrases, a dedicated file must be created.
1. Connect to the command line on the Security Gateway.
2. Log in to the Expert mode.
3. Create the $FWDIR/conf/additional_pass.conf file:
  
  [Expert@HostName:0]# touch $FWDIR/conf/additional_pass.conf
4. Edit the file:
  
  [Expert@HostName:0]# vi $FWDIR/conf/additional_pass.conf
5. Add the following template with your desired passwords (each enclosed in the double-quotes), separated by commas. Do not add spaces between the passwords.
  
  Example:
```
{
  "passwords" : ["MyPass1","MyPass2","MyPassN"],
  "phrases" : ["password","Password","Pass","pass","codigo","key","pwd"]
}
```
6. Save the changes in the file and exit Vi editor.

Known Limitations

This feature is supported only English characters in the password file.

In case of a failure, a log in SmartView Tracker / SmartLog shows:

Reason:	`Failed to process the file`
File Name:	`<Name_of_Archive_File.7z>`
File Type:	`7z`
Product:	`Threat Emulation`
Description:	`Damaged files: <Name_of_Compressed_File_inside_Archive>`
Verdict:	`Error`

The feature can support up to 550 passwords without any problems.

Above 550 passwords is also possible, but under these restrictions:
1. You need to edit the Archive Tool configuration file to allow more passwords and to increase the timeout (the description is below) because trying passwords can increase the time it takes to emulate the file
2. The more passwords you try (above the 550), the more time it takes to handle the archive. This can cause a timeout in Threat Emulation.
We do not recommend using more than 550 static passwords.

If the archive came as an email attachment in MTA mode, the Security Gateway applies a more efficient password guessing mechanism (in addition to the static passwords file).

Introduction

Availability

Configuration

Known Limitations

Related Solutions