Threat Emulation Blade Support for Password-Protected Archives

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk112821
Technical Level
Product	Threat Emulation
Version	R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.30 (EOL), R80.40, R81, R81.10, R81.20
OS	Gaia
Platform / Model	All
Date Created	20-Aug-2016
Last Modified	16-Dec-2022

Solution

Introduction

Starting in Engine Update 6.1 (released on 25 Sep 2016), support for password-protected archives was added to Threat Emulation blade.
Threat Emulation blade tries to decrypt the protected archive and unpack it based on a preconfigured dictionary of passwords.

If successful, the Threat Emulation blade handles the archive as a normal archive and continue with the normal flow.
If it fails to decrypt, the Threat Emulation blade treats the archive according to the configured policy (see the "Configuration" section below).

Availability

Support for this feature on Security Gateway is included starting from:

Check Point R80.10
Jumbo Hotfix Accumulator for R77.30 - since Take_221

Configuration

This feature has to be configured on all systems doing Threat Prevention.

If a dedicated Sandblast appliance is used only as a Threat Emulation device no configuration is needed on the Sandblast appliance.

If the Sandblast is used as inline MTA for example it is doing Threat Prevention and a configuration is needed here as well.

Policy

An encrypted archive, which Threat Emulation blade failed to decrypt, can be treated as a malicious file (fail-close policy), or a benign file (fail-open policy).
Configuration is performed through Threat Emulation Command Line Interface - the tecli command.
- To enable the feature:
  
  [Expert@HostName:0]# tecli advance archive enable_encrypted_archives 1
- To treat the archive as a malicious file (fail-close policy), run this command in the Expert mode:
  
  [Expert@HostName:0]# tecli advance error set archive_pass_protected fail_close
- To treat the archive as a benign file (fail-open policy), run this command in the Expert mode:
  
  [Expert@HostName:0]# tecli advance error set archive_pass_protected fail_open
- To see the current configuration, run this command in the Expert mode:
  
  [Expert@HostName:0]# tecli advance archive show
  [Expert@HostName:0]# tecli advance error show
User-Defined pass phrases and interesting words

You can configure unique passwords and interesting words to search for in the email body.

To add passphrases and interesting words to the pre-defined list of phrases, a dedicated file must be created.
1. Connect to the command line on the Security Gateway.
2. Log in to the Expert mode.
3. Create the $FWDIR/conf/additional_pass.conf file:
  
  [Expert@HostName:0]# touch $FWDIR/conf/additional_pass.conf
4. Edit the file:
  
  [Expert@HostName:0]# vi $FWDIR/conf/additional_pass.conf
5. Add the following template with your desired passwords (each enclosed in the double-quotes), separated by commas. Do not add spaces between the passwords.
  
  Example:
```
{
  "passwords" : ["MyPass1","MyPass2","MyPassN"],
  "phrases" : ["password","Password","Pass","pass","codigo","key","pwd"]
}
```
6. Save the changes in the file and exit Vi editor.
Once a password from the file or a password found in the mail body is used successfully to decrypt an archive, it is stored in an internal database and used to decrypt future archives as well.

Known Limitations

This feature is supported only English characters in the password file.

In case of a failure, a log in SmartView Tracker / SmartLog shows:

Reason:	`Failed to process the file`
File Name:	`<Name_of_Archive_File.7z>`
File Type:	`7z`
Product:	`Threat Emulation`
Description:	`Damaged files: <Name_of_Compressed_File_inside_Archive>`
Verdict:	`Error`

The feature can support up to 550 passwords without any problems.

Above 550 passwords is also possible, but under these restrictions:
1. You need to edit the Archive Tool configuration file to allow more passwords and to increase the timeout (the description is below) because trying passwords can increase the time it takes to emulate the file
2. The more passwords you try (above the 550), the more time it takes to handle the archive. This can cause a timeout in Threat Emulation.
We do not recommend using more than 550 static passwords.

If the archive came as an email attachment in MTA mode, the Security Gateway applies a more efficient password guessing mechanism (in addition to the static passwords file).
There is currently no way to remove specific passwords. If a password should be removed, the database file ($FWDIR/conf/password_manager_db/password_manager_db.sqlite) can be deleted.

As long as the passwords are in the configuration file ($FWDIR/conf/additional_pass.conf) they'll be used the next time an encrypted archive is processed.

Introduction

Availability

Configuration

Known Limitations

Related Solutions