Threat Emulation blade support for password protected archives
Introduction
Starting in Engine Update 6.1 (released on 25 Sep 2016), support for password protected archives was added to Threat Emulation blade.
Threat Emulation blade tries to decrypt the protected archive and unpack it based on a preconfigured passwords dictionary.
- If successful, Threat Emulation blade will handle the archive as normal archive and continue with normal flow.
- If it fails to decrypt, Threat Emulation blade will treat archive according to the configured policy (see the "Configuration" section below).
Availability
Support for this feature on Security Gateway is included in:
Configuration
-
Policy
An encrypted archive, which Threat Emulation blade failed to decrypt, can be treated as malicious file (fail-close policy), or benign file (fail-open policy).
Configuration is performed through Threat Emulation Command Line Interface - the tecli command.
-
To enable the feature:
[Expert@HostName:0]# tecli advance archive enable_encrypted_archives 1
-
To treat the archive as malicious file (fail-close policy), run this command in Expert mode:
[Expert@HostName:0]# tecli advance error set archive_pass_protected error
-
To treat the archive as benign file (fail-open policy), run this command in Expert mode:
[Expert@HostName:0]# tecli advance error set archive_pass_protected fail_open
-
To see the current policy, run this command in Expert mode:
[Expert@HostName:0]# tecli advance archive show
- User-Defined pass phrases and interesting words
User can pre-define unique passwords and interesting words to search passwords around them in the mail body.
To add pass phrases and interesting words to the pre-defined list of phrases, a dedicated file must be created.
- Connect to the command line on the Security Gateway.
- Log in to the Expert mode.
Create the $FWDIR/conf/additional_pass.conf file:
[Expert@HostName:0]# touch $FWDIR/conf/additional_pass.conf
[Expert@HostName:0]# vi $FWDIR/conf/additional_pass.conf
- Add the following template with your desired passwords between the double-quotes, separated by commas (without spaces between the passwords):
{
"passwords" : ["MyPass1","MyPass2","MyPassN"],
"phrases" : ["password","Password","Pass","pass","codigo","key","pwd"]
}
"passwords" - for passwords
"phrases" - for mail interesting words
- Save the changes and exit from vi editor.
Known Limitations
-
This feature is supported only for E-mail, and only when MTA is installed on the machine.
-
In case of a failure, log in SmartView Tracker / SmartLog will show:
| Reason: |
Failed to process the file |
| File Name: |
<Name_of_Archive_File.7z> |
| File Type: |
7z |
| Product: |
Threat Emulation |
| Description: |
Damaged files:
<Name_of_Compressed_File_inside_Archive> |
| Verdict: |
Error |
-
The feature can support up to 550 passwords without any problems.
Above 550 passwords is also possible, but under the below restrictions:
1. You need to edit the archive tool configuration file to allow more passwords and to increase the timeout (description below) because trying passwords can impact the opening time
2. As more passwords you try (above the 550) the more time it will take to handle the archive, and may result a timeouts in TE
I would not recommend using more than 550 static passwords.
Another thing the customer should know -
If the archive came as an email attachment in MTA mode we have more efficient password guessing mechanism that we perform (in addition to the static passwords file).
How to edit archive tool configuration:
1. Create the following file: $FWDIR/conf/tp_archive_tool_config.json
2. Add the following json to the file:
{
"timeout_second" : 30,
"max_pass_per_third_party" : {
"libarchive" : 100,
"p7zip" : 30,
"7zip" : 30
}
}
