04-12-2006 05:03 PM
Any ideas out there on how to detect PGP self-decrypting archives?
I created a PGP SDA from a word doc with 26+ char passphrase.
Sophos does not detect that it is an encrypted file. Hence an added header showing encrypted is not placed on the msg.
Is this correct? If so, why? It should not be able to decrypt/AV scan the files etc.
Any help/ideas are appreciated.
03-05-2007 03:50 PM
If possible, can you email this message containing the PGP SDA to yourself and grab the Internet headers? Can you paste those Internet headers here, with any private information removed?
Looking at the Internet headers can shed some light on the issue.
04-04-2007 11:07 PM
PGP software supports the creation of "Self Decrypting Archive" files that are basically encrypted, zipped data wrapped in a windows executable. The idea is that a recipient without PGP software could run the executable, provide a passphrase, and access the encrypted contents.
Searching for 'exe' files should detect these archives. The MIME type is application/msdos-executable, and the file extension is by default .sda.exe.
If you need to distinguish these files from other "Executable", perhaps to allow these messages in when all other exes are blocked, you can body-contains or attachment-contains for these strings:
PGPSDA
PGPsda_Hidden_Window
SoftwarePGP CorporationPGP
PGPsda
(GNU 'strings' is a great tool for this)
I combined them with an attachment-filename rule to limit the scope of the search:
attachment-filename == "\.sda\.exe$"
body-contains("PGPSDA")
body-contains("PGPsda_Hidden_Window")
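The post above combines a filename rule with two attachment-content rules. The following is an added example (not the poster's rules, and not Sophos or PGP code) that mirrors that combined rule in Python using only the standard library's email module: it walks a MIME message, pulls each attachment, and flags it only when the filename ends in .sda.exe and the bytes contain both PGPSDA and PGPsda_Hidden_Window. The message and the "SDA" bytes are constructed inline so the example runs offline; a real SDA is a full Windows executable, so the marker-bearing byte string here is a stand-in and the strings checked are exactly the four listed in the post.

```python
import re
from email.message import EmailMessage

# Marker strings listed in the post (what GNU 'strings' shows in a PGP SDA).
SDA_MARKERS = [
    b"PGPSDA",
    b"PGPsda_Hidden_Window",
    b"SoftwarePGP CorporationPGP",
    b"PGPsda",
]

# Equivalent of the post's attachment-filename == "\.sda\.exe$" rule.
SDA_FILENAME_RE = re.compile(r"\.sda\.exe$", re.IGNORECASE)

# Constructed stand-in for an SDA: an MZ header, some padding, then the marker
# strings as they would appear in the binary. Not a real PGP executable.
SAMPLE_SDA_BYTES = (
    b"MZ" + b"\x90" * 64
    + b"PGPsda_Hidden_Window\x00"
    + b"SoftwarePGP CorporationPGP\x00"
    + b"PGPSDA\x00"
)

# Constructed stand-in for an ordinary executable with none of the markers.
SAMPLE_PLAIN_EXE_BYTES = b"MZ" + b"\x90" * 64 + b"This program cannot be run in DOS mode\x00"


def matched_markers(data):
    """Return the marker strings present in an attachment's bytes (the part a
    'strings | grep' would do)."""
    return [m.decode() for m in SDA_MARKERS if m in data]


def is_pgp_sda(filename, data):
    """The combined rule from the post: .sda.exe filename AND both body-contains
    strings. Either condition alone is not enough, which keeps false positives
    down on other executables and on renamed files."""
    if filename is None or not SDA_FILENAME_RE.search(filename):
        return False
    return b"PGPSDA" in data and b"PGPsda_Hidden_Window" in data


def scan_message(msg):
    """Walk a MIME message and return (filename, content_type, is_sda) for
    every part that carries a filename."""
    results = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename is None:
            continue
        payload = part.get_payload(decode=True) or b""
        results.append((filename, part.get_content_type(), is_pgp_sda(filename, payload)))
    return results


def build_sample_message(attachment_name, attachment_bytes):
    """Build a constructed test message carrying one executable attachment,
    using the MIME type mentioned in the post."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "constructed sample with attachment"
    msg.set_content("Body text of a constructed sample message.")
    msg.add_attachment(
        attachment_bytes,
        maintype="application",
        subtype="msdos-executable",
        filename=attachment_name,
    )
    return msg


if __name__ == "__main__":
    for name, data in [("report.sda.exe", SAMPLE_SDA_BYTES),
                       ("setup.exe", SAMPLE_PLAIN_EXE_BYTES),
                       ("report.exe", SAMPLE_SDA_BYTES)]:
        for fname, ctype, flagged in scan_message(build_sample_message(name, data)):
            print(f"{fname:16} {ctype:32} sda={flagged} markers={matched_markers(data)}")
```

Note the third case: the same SDA bytes under a plain .exe name are not flagged by the combined rule, exactly as the post's filename-limited search intends. If the goal is instead to catch SDAs whatever they are named, drop the filename test and rely on the content strings alone.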
04-05-2007 07:29 PM
I created a PGP SDA from a word doc with 26+ char passphrase.
Sophos does not detect that it is an encrypted file.
It should not be able to decrypt/AV scan the files etc.