Sophos XG Firewall, Sophos UTM, PureMessage for Unix, Sophos Web Appliance: OpenPGP/GPG detected as encrypted

Sophos XG Firewall, Sophos UTM, and PureMessage for Unix now detect “OpenPGP/GPG” files as encrypted.


Applies to the following Sophos products and versions:

  • PureMessage for Unix
  • Sophos UTM Software Appliance
  • Sophos Firewall XG Software
  • Sophos Web Appliance

Systems that have upgraded to version 3.74 and above should ignore the rest of this section as this new behavior has been deprecated.

This is a new behavior in version 3.72.1 of the Sophos Engine, giving customers more flexibility in their rules for handling these messages. Because of this, you may notice that PGP emails are being detected and blocked by your policy.

The following checks can detect OpenPGP/GPG content:

  • ‘pmx_suspect_attachment’
  • ‘pmx_attachment_name’
  • ‘pmx_attachment_true_filetype’
  • ‘pmx_attachment_type’
  • ‘pmx_credit_card’
  • ‘pmx_phrase’

If this is not the behavior you are looking for, you will need to create a “cantscan” check and handle the message. This article describes the steps for creating a “cantscan” rule on PureMessage for Unix.

The following is example policy.siv code that lets unscannable files through (tagging the subject instead of quarantining) for the pmx_suspect_attachment check.

    if pmx_suspect_attachment :tft {
        # Either there is a suspect attachment OR
        # the AV engine encountered an error while classifying the attachments
        if pmx_cantscan {
            # the AV engine encountered an error while classifying the attachments
            pmx_replace_header :index 0 "Subject" "[POTENTIAL SUSPECT ATTACHMENT] %%SUBJECT%%";
            pmx_mark "pmx_reason" "Unscannable";
        } else {
            # There is a suspect attachment
            pmx_mark "pmx_reason" "Suspect";
            pmx_quarantine "Suspect";
            stop;
        }
    } else {
        # there is no suspect attachment
    }

On Sophos UTM, this affects the Web and Email Proxy.

Email

Disable quarantine of messages with encrypted or unscannable attachments:

  1. Navigate to Email Protection > SMTP > Malware.
  2. Uncheck Quarantine unscannable and encrypted content.
  3. Click Apply.

Web

Navigate to Web Protection > Filtering Options > Misc and uncheck Block unscannable and encrypted files or create exceptions for each site.

On the XG Firewall, this affects the Web and Email Proxy.

Web

This behavior is seen on the XG Firewall when the action for scan failure is set to Block (the default setting, for best protection) and a filetype rule is applied to the web policy. To mitigate this behavior, do one of the following:

  • Do not apply the filetype rule on the policy.
  • Change Action on Malware Scan Failure to Allow. This is a global setting and may be a security risk.
  • Create Exceptions for Malware and Content Scanning under Web > Exceptions for each site on which you want to bypass this scanning.

Email

When Malware Protection and File Protection are both enabled, the Email Protection feature blocks GPG-signed emails as unscannable/encrypted. To remedy this, uncheck Quarantine unscannable content under Malware Protection.
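The PureMessage cantscan policy above and the signed-mail blocking described here both hinge on one distinction: a PGP/MIME signed message still carries cleartext a scanner can inspect, while an encrypted one does not. As an added example (not Sophos code), the following Python classifies a raw message as signed, encrypted or neither, using the RFC 3156 multipart structure, ASCII-armor markers and .gpg/.pgp attachment names; the sample messages are constructed placeholders.

```python
from email import message_from_string

# ASCII-armor headers that mark inline (non-PGP/MIME) OpenPGP content
ARMOR_ENCRYPTED = "-----BEGIN PGP MESSAGE-----"
ARMOR_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"


def classify_pgp(raw: str) -> str:
    """Return 'encrypted', 'signed' or 'none' for a raw RFC 822 message."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    proto = str(msg.get_param("protocol") or "").lower()
    # RFC 3156 PGP/MIME: the top-level Content-Type says which kind it is
    if ctype == "multipart/encrypted" and proto == "application/pgp-encrypted":
        return "encrypted"
    if ctype == "multipart/signed" and proto == "application/pgp-signature":
        return "signed"
    # Otherwise look for inline armor or a .gpg/.pgp attachment in any leaf part
    for part in msg.walk():
        if part.is_multipart():
            continue
        if (part.get_filename() or "").lower().endswith((".gpg", ".pgp")):
            return "encrypted"
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        if ARMOR_ENCRYPTED in text:
            return "encrypted"
        if ARMOR_SIGNED in text:
            return "signed"
    return "none"


# Constructed sample messages (placeholder bodies, not real PGP data)
SIGNED_MSG = (
    'Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nInvoice attached.\n"
    "--b1\nContent-Type: application/pgp-signature\n\n"
    "-----BEGIN PGP SIGNATURE-----\n(constructed)\n-----END PGP SIGNATURE-----\n--b1--\n"
)
ENCRYPTED_MSG = (
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b2"\n\n'
    "--b2\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
    "--b2\nContent-Type: application/octet-stream\n\n"
    "-----BEGIN PGP MESSAGE-----\n(constructed)\n-----END PGP MESSAGE-----\n--b2--\n"
)
INLINE_MSG = "Content-Type: text/plain\n\n-----BEGIN PGP MESSAGE-----\n(constructed)\n-----END PGP MESSAGE-----\n"

if __name__ == "__main__":
    for label, m in [("pgp/mime signed", SIGNED_MSG), ("pgp/mime encrypted", ENCRYPTED_MSG), ("inline", INLINE_MSG)]:
        print(label, "->", classify_pgp(m))
```

Only the "encrypted" result corresponds to content a malware scanner genuinely cannot read; a "signed" result is the case the article describes as being blocked unnecessarily.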

To correct this issue on the Sophos Web Appliance (SWA), add each site that serves GPG/PGP content as trusted, as shown in the screenshot below:

To disable this option globally, navigate to Global Policy > Download Options and check Allow encrypted files.
