This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Ausnahme(n) für "Quarantine unscannable and encrypted Content"

Hallo Forengemeinde!


Bislang habe ich die o.g. Einstellung aktiv.


Bedingt durch die DSGVO kommen aber mehr und mehr verschlüsselte ZIP-Archive hier an (ich vermute mit Daten, die bislang einfach unverschlüsselt gesendet worden sind).
Alle diese Mails landen in der Quarantäne und können nicht durch die Nutzer selbst freigegeben werden (eigentlich ja auch richtig so). Das führt dazu, dass ich als Admin mehr und mehr Zeit damit verbringe, Mails freizugeben.

Da ich die Funktion nur sehr ungern komplett abschalten möchte, daher die Frage:
Gibt es die Möglichkeit, hier Ausnahmen für bestimmte Absender und/oder bestimmte Empfänger zu setzen?
Wie handhabt ihr das in euren Umgebungen (davon ausgehend, dass ich nicht der einzige mit diesem Problem bin)?

Vielen Dank im Voraus!

TJ



This thread was automatically locked due to age.
  • any news or workarounds on that?

    we have the same issues and whitelisting the sender with "skip extension blocking" doesnt help, because its a different block reason.

  • Hi!

    Unfortunately not, I still release every due to unscannable Content quarantined E-Mail by Hand...  :-(

    TJ

  • For your management, you might need to explain that password-protected files (including SPX) have these problems, in order of importance:

    1. Password-protected files have no breakin evasion.   
      If the file is intercepted, the attacker can crank up an automated process to guess infinitely until the password is found.   I don't know how to write or find such a program, but I assume that the code is available on the dark web. 
      HTTPS prevents a middleman from intercepting messages during transmission, but you have to study the message headers to know whether a particular message was HTTPS-protected at each hop.   
      Even then, many message flows originate or terminate on a hosting service, or relay through a cloud-based spam filter.  In these cases, neither sender nor recipient can ensure that a password-protected file was not intercepted at one of these hops.

    2. Password-protected files have no password recovery.   If the password is forgotten, the data is lost forever.

    3. Password-protected files complicate file management.  If the contents are not immediately extracted to a non-password file, you run the risk of having many files with many passwords, with resulting confusion about which password is associated with which file.  For zip files, immediate extraction is relatively easy and likely to happen.   For SPX, removing the password is more complicated, so it is more likely to be omitted.

    On the other hand, I wonder if password-protected files are actually used by the bad guys, at least those doing random attacks.   This type of threat requires the attacker to celiver the password-protected file and the password at relatively the same time, as well as convincing the user to open the file using the password.

    Are you seeing files trapped by your defenses that you discard rather than forwarding to the requested recipient?

    Zip files without passwords are a different matter, since bad guys have been using zip file attacks for a long time.

    S/MIME and PGP encryption methods are even more difficult for an attacker to use, because they require configuration and information sharing between sender and receiver.   Unauthorized usage of these technologies are likely to indicate an insider threat.

  • Thank you!

    Your Post indicates (in my eyes) that it might not be neccessary to block encrypted ZIP-Files ("are actually used by the bad guys").

    I do not think so. And I believe SOPHOS also doesn´t think so. After all just a few days ago I got an E-Mail from SOPHOS where they announce, that "Block encrypted Content" will be the Default Setting in comming FW-Releases. And they recommend to activate this Setting Right now.

    OF COURSE encryptes ZIP-Files also have disadvantages, but at the moment this is a (may be the only) simple way to encrypt and decrypt files sent by E-Mail WITHOUT the Need to install additonal and the same Software on both sides (ZIP-Capability should be available on every Computer "out of the box").

    Therefor it would be REALLY NICE to have the opportunity to define Excetions.

    TJ