Hi,
due to current threats like Locky etc., we want to block all incoming Office documents by file extension.
I've tested this with a simple BAT file which I've sent to myself - of course from an external email domain.
As expected it gets quarantined because of extension (BAT).
Now, we want to give the users a possible solution to still receive Office documents by email - we'd like to go the way Sophos recommends in its whitepaper.
(Link for the German version: web.sophos.com/.../92aaef928aee3e5ff8216622c999157c.pdf)
Excerpt of the relevant part (translated from the German):
Alternatively, he can ask the business partner to pack all documents into a password-protected ZIP archive from now on, with a password that both agree on during this conversation. Such password-protected ZIP archives are never placed in email quarantine,
Which is (roughly) in English:
The email sender should take all Office documents and ZIP them in an encrypted file. The password should be told by phone. Those ZIP-encrypted archives will never be sent to Quarantine...
But they will!
I took the same mentioned BAT file and zipped it - blocked reason Extension (BAT)
Same file zipped in an encrypted archive - same result, blocked with reason Extension (BAT).
Finally I've put the file in a folder and zipped the folder with an encrypted ZIP - same result :(
Is this a bug? And the UTM does not really decrypt the archive, but looks into the contained files?
How should one achieve what Sophos recommends?
Or am I completely looking in the wrong direction?
Thanks for hints and ideas.
BR
Michael
BTW: We are using Sophos UTM 9 (9.355-1) Appliance with Fullguard Subscription.
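An added illustration of the behaviour described in the post above (example code, not from the post, from Sophos or from the whitepaper): in the ZIP format, password protection encrypts only the bodies of the entries. The central directory, which carries every file name, its size and its "encrypted" flag, is stored in clear, so a gateway can read "invoice.bat" out of an encrypted archive without knowing the password. The script builds a small archive with traditional PKWARE ("ZipCrypto") encryption, the scheme the standard library's zipfile module can read, and then inspects it once without and once with the password. The entry names, the password and the entry contents are constructed sample values; whether the UTM performs exactly this central-directory lookup is an assumption, but the format property it relies on is fixed by the ZIP specification.

```python
"""Show what a mail gateway can see in a password-protected ZIP without the password.

Constructed, self-contained example: builds a ZIP whose entries are encrypted with the
traditional PKWARE ("ZipCrypto") scheme, then inspects it the way an extension filter
could: the central directory (names, flags, sizes) is never encrypted, only the bodies.
"""
import binascii
import io
import os
import struct
import zipfile

# DOS date/time stamped on every entry (constructed: 2016-03-01 00:00:00)
_DOS_DATE = ((2016 - 1980) << 9) | (3 << 5) | 1
_DOS_TIME = 0


def _gen_crc(c):
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    return c


_CRCTAB = [_gen_crc(i) for i in range(256)]


class _ZipCryptoEncrypter:
    """Traditional PKWARE stream cipher (APPNOTE 6.1), encryption side only."""

    def __init__(self, pwd: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in pwd:
            self._update(b)

    def _update(self, b):
        self.k0 = (self.k0 >> 8) ^ _CRCTAB[(self.k0 ^ b) & 0xFF]
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = (self.k2 >> 8) ^ _CRCTAB[(self.k2 ^ (self.k1 >> 24)) & 0xFF]

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = self.k2 | 2
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # the key schedule advances on the plaintext byte
        return bytes(out)


def build_encrypted_zip(files: dict, pwd: bytes) -> bytes:
    """Return a ZIP (stored, ZipCrypto-encrypted entries) that zipfile can open with pwd."""
    body, central = io.BytesIO(), []
    for name, data in files.items():
        raw_name = name.encode("utf-8")
        crc = binascii.crc32(data) & 0xFFFFFFFF
        enc = _ZipCryptoEncrypter(pwd)
        # 12-byte encryption header: 11 random bytes + high CRC byte as password check
        header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
        payload = enc.encrypt(header) + enc.encrypt(data)
        offset = body.tell()
        # Local file header: flag bit 0 = "entry is encrypted"; the name stays in clear.
        body.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 0x1, 0, _DOS_TIME, _DOS_DATE,
                               crc, len(payload), len(data), len(raw_name), 0))
        body.write(raw_name + payload)
        # Central directory record: same metadata, never encrypted.
        central.append(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 0x1, 0,
                                   _DOS_TIME, _DOS_DATE, crc, len(payload), len(data),
                                   len(raw_name), 0, 0, 0, 0, 0, offset) + raw_name)
    cd_offset, cd = body.tell(), b"".join(central)
    body.write(cd)
    body.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(central), len(central),
                           len(cd), cd_offset, 0))
    return body.getvalue()


def list_entries_without_password(blob: bytes):
    """(name, is_encrypted) per entry, taken from the cleartext central directory."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [(zi.filename, bool(zi.flag_bits & 0x1)) for zi in zf.infolist()]


def blocked_entries(blob: bytes, banned_exts) -> list:
    """Names an extension-based filter would flag, with or without the password."""
    banned = {e.lower() for e in banned_exts}
    return [name for name, _ in list_entries_without_password(blob)
            if os.path.splitext(name)[1].lower() in banned]


def body_is_unreadable_without_password(blob: bytes, name: str) -> bool:
    """True if zipfile refuses to hand out the entry body without a password."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            zf.read(name)
    except RuntimeError:
        return True
    return False


def read_with_password(blob: bytes, name: str, pwd: bytes) -> bytes:
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name, pwd=pwd)


if __name__ == "__main__":
    SAMPLE = {  # constructed entries; the .bat body is inert text, not a script
        "invoice.bat": b"constructed sample bytes, not a real script",
        "docs/summary.docx": b"constructed sample bytes",
    }
    blob = build_encrypted_zip(SAMPLE, b"agreed-by-phone")
    print("visible without password:", list_entries_without_password(blob))
    print("would be blocked by a .bat rule:", blocked_entries(blob, {".bat"}))
    print("body readable with password:", read_with_password(blob, "invoice.bat", b"agreed-by-phone"))
```

Running it prints both entry names with their encrypted flag set, the "invoice.bat" entry as blocked by a ".bat" rule, and the decrypted body only once the password is supplied. That is the same picture as the three tests in the post: a password-protected archive, and a password-protected archive of a folder, still expose the file name and extension, so an extension rule can fire without any decryption. A gateway that should let such archives through therefore needs an explicit exception for encrypted archives rather than relying on the encryption to hide the name; AES-encrypted ZIP (WinZip style) leaves the names in clear as well.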