Detecting PGP SDA's

Any ideas out there on how to detect PGP self-decrypting archives?

I created a PGP SDA from a word doc with 26+ char passphrase.
Sophos does not detect that it is an encrypted file. Hence an added header showing encrypted is not placed on the msg.

Is this correct? If so, why? It should not be able to decrypt/AV scan the files etc.

Any help/ideas are appreciated.

3 Replies

kluu_ironport
Level 2

If possible, can you email this message that contains the PGP SDA to yourself and grab the Internet headers? Can you paste those Internet headers here, removing any private information?

Looking at the Internet headers can shed some light on the issue.


jaigill
Cisco Employee

PGP software supports the creation of "Self Decrypting Archive" files that are basically encrypted, zipped data wrapped in a windows executable. The idea is that a recipient without PGP software could run the executable, provide a passphrase, and access the encrypted contents.

Searching for 'exe' files should detect these archives. The MIME type is application/msdos-executable, and the file extension is by default .sda.exe.

If you need to distinguish these files from other executables, perhaps to allow these messages in when all other exes are blocked, you can body-contains or attachment-contains for these strings:

PGPSDA
PGPsda_Hidden_Window
SoftwarePGP CorporationPGP
PGPsda

(GNU 'strings' is a great tool for this)

I combined them with an attachment-filename rule to limit the scope of the search:
attachment-filename == "\.sda\.exe$"
body-contains("PGPSDA")
body-contains("PGPsda_Hidden_Window")

Donald Nash
Level 3

I created a PGP SDA from a word doc with 26+ char passphrase.
Sophos does not detect that it is an encrypted file.

In general, you can't tell well-encrypted data from random noise, so you can't recognize it unless it has been tagged in some way. I don't know if the detection happens within Sophos itself or in some other part of AsyncOS, but it is my understanding that it only knows how to detect certain types of encryption. It can detect encryption either by spotting an appropriate MIME type (say, something that indicates PGP or S/MIME), or via content scanning that looks for some sort of in-line tag (like old-style non-MIME PGP messages, and maybe protected Excel or Word documents). It can't detect a PGP SDA via its MIME type because that shows it as being a DOS or Windows program. And evidently it doesn't know what to look for to identify one via content scanning.

It should not be able to decrypt/AV scan the files etc.

And indeed it doesn't decrypt it. Since it doesn't recognize the file as encrypted, it just scans it as-is. Yes, that's useless, but it doesn't know that.

Looks like someone else has already shown how to detect them via a filter script.
