Hello Team!
We finally solved that mystery. Interesting is: the Check Point TE/TX solution is already capable of processing digitally signed emails!
There are three scenarios:
1. You send a digitally signed email with an unsigned document in it. This will be bypassed if you set "allow encrypted email" in SmartConsole / Threat Prevention Profile / Threat Extraction / "Encrypted Allow".
But this can be dangerous because the attachment will just be bypassed. And not all people have a digital signature to sign their email!
2. You send a normal (unsigned) mail but the attachment in the email is digitally signed. You applied the same setting as in scenario 1.
The attachment will get processed by TX and destroyed.
3. You have a digitally signed email and a digitally signed attachment. More or less scenario 1 strikes again and it is a bypass regardless of what kind of attachment you send! Highly dangerous in my eyes!
Solution provided by TAC:
On all affected machines (Security GW (MTA) and Sandblast), change this:
1. We need to change the values in both of these files:
* /var/opt/CPsuit-R81.10/fw1/conf/file_convert.conf
* /var/log/jail/opt/CPsuite-R81.10/fw1/conf/file_convert.conf
2. Please locate "ignore_signed_pdfs (0)", change the value in both files to (1), save and exit the file.
3. Redirect PDF documents to the sanitization engine in /var/opt/CPsuit-R81.10/fw1/conf/file_convert.conf:
...
:sanitization_engine_file_types (
    : (docx)
    : (doc)
    : (docm)
    : (xls)
    : (xlsx)
    : (xlsm)
    : (rtf)
    : (pdf)    #add this line
)
) #EOF
4. fw kill scrubd
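Steps 2 and 3 as idempotent shell functions, added here as an example and not taken from the post or from Check Point: each takes the file path as its argument (the two paths listed in step 1 are the ones to pass), makes a timestamped backup, and a check function confirms the result.

```shell
#!/bin/sh
# Added example, not from the post or from Check Point: the file_convert.conf
# edits of steps 2 and 3 as idempotent shell functions. Each takes the file
# path as its argument (use the two paths the post lists); a timestamped
# backup is taken first. Step 4 (fw kill scrubd) is still run by hand.

# Keep a copy before touching anything.
backup_conf() {
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
}

# Step 2: ":ignore_signed_pdfs (0)" -> "(1)". No-op if it is already (1).
set_ignore_signed_pdfs() {
    backup_conf "$1" || return 1
    sed 's/^\([[:space:]]*:*ignore_signed_pdfs[[:space:]]*\)(0)/\1(1)/' "$1" \
        > "$1.tmp.$$" && mv "$1.tmp.$$" "$1"
}

# Step 3: add ": (pdf)" before the ")" that closes sanitization_engine_file_types,
# reusing the indent of the previous entry. No-op if (pdf) is already listed.
add_pdf_to_sanitization() {
    backup_conf "$1" || return 1
    awk '
        /sanitization_engine_file_types[ \t]*\(/ { inblock = 1 }
        inblock && /^[ \t]*:[ \t]*\(/ { match($0, /^[ \t]*/); indent = substr($0, 1, RLENGTH) }
        inblock && /^[ \t]*:[ \t]*\(pdf\)/ { found = 1 }
        inblock && /^[ \t]*\)/ { if (!found) print indent ": (pdf)"; inblock = 0 }
        { print }
    ' "$1" > "$1.tmp.$$" && mv "$1.tmp.$$" "$1"
}

# Check: returns 0 when ignore_signed_pdfs is (1); pass "pdf" as the second
# argument to also require (pdf) inside the sanitization list.
verify_file_convert_conf() {
    grep -Eq '^[[:space:]]*:*ignore_signed_pdfs[[:space:]]*\(1\)' "$1" || return 1
    [ "$2" = pdf ] || return 0
    awk '
        /sanitization_engine_file_types[ \t]*\(/ { inblock = 1 }
        inblock && /^[ \t]*:[ \t]*\(pdf\)/ { found = 1 }
        inblock && /^[ \t]*\)/ { inblock = 0 }
        END { exit !found }
    ' "$1"
}
```

Run set_ignore_signed_pdfs on both files from step 1 and add_pdf_to_sanitization on the /var/opt file from step 3, then verify_file_convert_conf with "pdf" on that file before running fw kill scrubd.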
This has helped us to send digitally signed emails in all scenarios and keep the digital signature.
What we did not achieve is to digitally sign a malicious PDF and send it through the Sandblast appliance.