This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Giancarlo_Cotta
Contributor
‎2018-06-15 11:22 AM

Encrypted files on Sandblast agent

Hi

Please, I need to understand whats happen in Sand Blast Agent with encrypted files protected by a password.

I suppose:

1) Encrypted file are considered malicious and not sent to the user.

2) Encrypted file are opened in Threat emulation, but before the emulation is necessary that the receiver user know the             password to open the file. Is necessary to put this password in the configuration of the Sanblast agent or  in    the        configuration of the Threat Emulator to open the file during the threat emulation operation.

One of these is correct? Or there is another one way?


Thanks a lot

Giancarlo

7 Replies
Vincent_Bacher
Advisor
‎2018-06-15 12:15 PM

afaik you can block or allow encrypted attachments / files, don't know anything about decryption of those files  

and now to something completely different
0 Kudos
Giancarlo_Cotta
Contributor
‎2018-06-15 12:38 PM
In response to Vincent_Bacher

Ok, but I cannot understand what is the behavior of the Threat Emulation and Threat Extraction with encrypted files.

All file protected with a password are considered malicious?

All encrypted files are considered malicious always malicious? 

If i need to receive password protected file, but I would like to emulate this file before send the file to end user can the Sandblast emulate this file?

Thanks

0 Kudos
Vincent_Bacher
Advisor
‎2018-06-15 12:43 PM
In response to Giancarlo_Cotta

Regarding password protected archives there is sk112821

and now to something completely different
Charris_Lappas
Collaborator
‎2018-06-19 08:50 AM

Hi,

Support for encrypted archives exist (by scanning the subject or body of email).

Support for password protected documents (technically encrypted with a password) does not and this is where CP should focus.

TE cannot break the password or encryption but once the file is delivered to the endpoint client and the user enters the password, the behaviour of the file should be analysed from the SandBlast Agent. At this point it doesn't.

Thanks,

Charris 

Giancarlo_Cotta
Contributor
‎2018-06-19 12:18 PM
In response to Charris_Lappas

Ok, thanks a lot!

Giancarlo

0 Kudos
Giancarlo_Cotta
Contributor
‎2018-06-20 01:26 AM
In response to Charris_Lappas

How many are the ways to emulate the encrypted archive?

The Threat Emulator wait that the user put the password in the encrypted file. Ok, this is a way to emulate the files.

But...

In sk112821 I can see that is possible to configure a file with passwords to open certain type of files.

I suppose these passwords were previoulsy shared from the sender of the mail with the Threat emulator administrator.

Are the two ways correct or I'm wrong?

Thansk a lot

Giancarlo

0 Kudos
Charris_Lappas
Collaborator
‎2018-06-20 04:47 AM
In response to Giancarlo_Cotta

The sk112821 discuss about password protected archives only i.e ZIP, not password protected files i.e .docx

In regards to SK112821 yes, you need to supply those interesting words before the emulation. One practice is to have a predefined password set for your communications. This is an issue on management but a workable solution.

Unfortunately once a file/archive is password protected/encrypted there are not many options to analyse the content.

Thanks

Charris