Starting in Engine Update 6.1 (released on 25 Sep 2016), support for password-protected archives was added to the Threat Emulation blade. The Threat Emulation blade tries to decrypt the protected archive and unpack it using a preconfigured dictionary of passwords.
If decryption succeeds, the Threat Emulation blade handles the archive as a normal archive and continues with the normal flow.
If decryption fails, the Threat Emulation blade treats the archive according to the configured policy (see the "Configuration" section below).
Availability
Support for this feature on Security Gateway is included starting from:
An encrypted archive that the Threat Emulation blade failed to decrypt can be treated either as a malicious file (fail-close policy) or as a benign file (fail-open policy). Configuration is performed through the Threat Emulation Command Line Interface - the tecli command.
[Expert@HostName:0]# vi $FWDIR/conf/additional_pass.conf
Add the following template with your desired passwords (each enclosed in the double-quotes), separated by commas. Do not add spaces between the passwords.
The feature can support up to 550 passwords without any problems.
Above 550 passwords is also possible, but under these restrictions:
You need to edit the Archive Tool configuration file to allow more passwords and to increase the timeout (described below), because trying passwords increases the time it takes to emulate the file.
The more passwords you try (above the 550), the more time it takes to handle the archive. This can cause a timeout in Threat Emulation.
We do not recommend using more than 550 static passwords.
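As an added example (not Check Point's own tooling), the following Python checker validates a candidate password list before it is placed in additional_pass.conf. It assumes the file body is the double-quoted, comma-separated list described above with no spaces between entries, and that passwords themselves contain no double quotes; the surrounding template is not reproduced on this page and is not parsed here.

```python
import re

MAX_RECOMMENDED = 550            # limit stated in the article
QUOTED = re.compile(r'"([^"]*)"')  # one double-quoted password (assumption: no embedded quotes)


def parse_password_list(text):
    """Parse '"pw1","pw2",...' into a list of passwords.

    Raises ValueError on anything that is not a quoted entry or a bare comma
    between entries, so a stray space after a comma is reported, not silently
    turned into part of the next password.
    """
    s = text.strip()
    if not s:
        return []
    passwords, pos = [], 0
    while True:
        m = QUOTED.match(s, pos)
        if not m:
            raise ValueError(f"expected a double-quoted password at offset {pos}")
        passwords.append(m.group(1))
        pos = m.end()
        if pos == len(s):
            return passwords
        if s[pos] != ",":
            raise ValueError(
                f"unexpected {s[pos]!r} after entry {len(passwords)}: "
                "entries must be separated by a single comma with no spaces")
        pos += 1


def is_well_formed(text):
    """True if the list parses, False otherwise."""
    try:
        parse_password_list(text)
        return True
    except ValueError:
        return False


def check_password_list(text):
    """Return (count, warnings) for a well-formed list; raises on malformed input."""
    pws = parse_password_list(text)
    warnings = []
    if len(pws) > MAX_RECOMMENDED:
        warnings.append(f"{len(pws)} passwords exceed the recommended {MAX_RECOMMENDED}; "
                        "raise the Archive Tool limit and timeout or trim the list")
    if len(pws) != len(set(pws)):
        warnings.append("duplicate passwords only add emulation time")
    if "" in pws:
        warnings.append("empty password entry")
    return len(pws), warnings
```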
If the archive came as an email attachment in MTA mode, the Security Gateway applies a more efficient password guessing mechanism (in addition to the static passwords file).