Customer was able to send the attached file through sandblast with AV/TE/TEX enabled ...
if the file is renamed to .7z - it turns to be a password-protected archive (passwd: TestCase02) with vbs script ...
What have we done wrong ?
Note: I have removed the attachment to the original post.
vbs files are only emulated when received via email (i.e. when SandBlast is configured as an MTA).
When they are received via HTTP/HTTPS, they are not emulated.
This is documented here: File types supported by SandBlast Threat Emulation
What is the policy on password encrypted files?
For this site? I removed the file because it contains malware.
How Threat Extraction handles them? It depends on your profile setting.
The policy is to block encrypted file attachments.
However this file has passed through TE/TEX and user can download original file.
If the original file was an archive (I can´t see it from your post only) it is currently not supported with TX hence your "Encrypted content block" TX feature does not apply. Archive support for TX is on the roadmap.
That said if received via email it should have been emulated and catched by TE as Daemon already mentioned.
If this was not the case please open a support ticket with your information.
Can you clarify the rename to .7z remark in your question. Were you using another extension on the file and was that sufficient to bypass TE/TEX?
Please think of us of people who know nothing about your setup (which is true) and describe the steps to reproduce this exactly.
Retrieving data ...