Encrypted attachments getting quarantined (PureMessage for Unix)

Lately I have observed that Encrypted (Password protected) attachments are getting quarantined as "Suspect" under the policy rule "Quarantine mail containing suspicious attachments".

The file types that are quarantined are:

* Microsoft Excel .xlsx   or  .xls

* Zip archives   .zip

My users are used to sending password-protected Excel files as a precaution on files containing sensitive data such as account details, etc.

This is a recent development and I am pretty sure that this was not enforced previously on these types of attachments. Encrypted PDF documents are still passing through without any issues. I wonder if anyone else has come across this, and I strongly believe this change should not have been made.

Kind regards,

Pubudu.

  • Hi Pubudu,

    I hope your users are using better encryption than what WinZip and Excel provide. It's pretty weak and easy to break.

    That being said, I have added to my policy the following. This is just after the suspicious attachment statement:

          # attr NAME=If Cannot Scan Attachment
            if allof(pmx_cantscan,
                     address :all :memberof :comparator "i;ascii-casemap" ["to",
                                                                           "cc",
                                                                           "bcc"]
                             ["encrypted-archives"])
            {
                pmx_mark "pmx_reason" "CantScan";
            }

    You will notice I went a step further by creating a group called "encrypted-archives" that only a few people here are part of. It sounds like you don't mind if everyone is encrypting files, so you probably don't want that.

    I hope that helps :-)

    Erric
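
An added example, not from either poster and not PureMessage's own detection logic: a small triage script for the attachment types named in this thread, showing what makes a password-protected .zip or .xlsx unscannable at the container level. The function names, labels and sample bytes are hypothetical and constructed for illustration; the "EncryptedPackage" match is a byte-search heuristic.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")        # OLE compound file header
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")  # stream name in encrypted OOXML

def classify_attachment(data: bytes) -> str:
    """Return a coarse label saying whether the content can be inspected."""
    if data.startswith(OLE_MAGIC):
        # A password-protected .xlsx is no longer a ZIP: Office wraps it in an
        # OLE container holding EncryptionInfo and EncryptedPackage streams.
        if ENC_STREAM in data:
            return "encrypted-ooxml"
        return "ole-legacy-unknown"   # e.g. .xls; encryption not determined here
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Bit 0 of the general-purpose flag marks an encrypted entry.
                if any(i.flag_bits & 0x1 for i in zf.infolist()):
                    return "encrypted-zip"
                return "plain-zip"    # an unprotected .xlsx also lands here
        except zipfile.BadZipFile:
            return "corrupt-zip"
    return "other"

def make_zip(encrypted: bool) -> bytes:
    """Build a constructed one-entry ZIP; optionally set the encryption flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("accounts.csv", "constructed sample data")
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[6] |= 0x1                  # flag byte in the local file header
        cd = raw.find(b"PK\x01\x02")   # first central directory entry
        raw[cd + 8] |= 0x1             # flag byte in the central directory
    return bytes(raw)

def make_encrypted_ooxml_stub() -> bytes:
    """Constructed bytes: OLE magic plus the stream name, not a real workbook."""
    return OLE_MAGIC + b"\x00" * 504 + ENC_STREAM

if __name__ == "__main__":
    for name, blob in [("plain.zip", make_zip(False)),
                       ("locked.zip", make_zip(True)),
                       ("locked.xlsx", make_encrypted_ooxml_stub())]:
        print(name, classify_attachment(blob))
```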
