PGP software supports the creation of "Self Decrypting Archive" files that are basically encrypted, zipped data wrapped in a Windows executable. The idea is that a recipient without PGP software could run the executable, provide a passphrase, and access the encrypted contents.
Searching for 'exe' files should detect these archives. The MIME type is application/msdos-executable, and the file extension is by default .sda.exe.
If you need to distinguish these files from other "Executable" files, perhaps to allow these messages in when all other exes are blocked, you can body-contains or attachment-contains for these strings:
I created a PGP SDA from a Word doc with a 26+ char passphrase. Sophos does not detect that it is an encrypted file.
In general, you can't tell well-encrypted data from random noise, so you can't recognize it unless it has been tagged in some way. I don't know if the detection happens within Sophos itself or in some other part of AsyncOS, but it is my understanding that it only knows how to detect certain types of encryption. It can detect encryption either by spotting an appropriate MIME type (say, something that indicates PGP or S/MIME), or via content scanning that looks for some sort of in-line tag (like old-style non-MIME PGP messages, and maybe protected Excel or Word documents). It can't detect a PGP SDA via its MIME type because that shows it as being a DOS or Windows program. And evidently it doesn't know what to look for to identify one via content scanning.
It should not be able to decrypt/AV scan the files etc.
And indeed it doesn't decrypt it. Since it doesn't recognize the file as encrypted, it just scans it as-is. Yes, that's useless, but it doesn't know that.
Looks like someone else has already shown how to detect them via a filter script.
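The thread makes two points a filter writer needs: an SDA is recognisable as an executable (MZ header, `application/msdos-executable`, default `.sda.exe` name), but nothing in the gateway recognises its payload as encrypted, because well-encrypted bytes look like noise. The script below is an added example written for this page; it is not the filter script referred to above and not anything shipped with AsyncOS or PGP. It classifies an attachment by the signals the thread names and then measures Shannon entropy over fixed-size windows to flag an executable that carries an opaque (compressed or encrypted) payload. The window size, the 7.2 bits/byte threshold, the 50% window fraction and both sample blobs are constructed assumptions, not values from the thread.

```python
import math
import random

# From the thread: SDAs are Windows executables with this MIME type and,
# by default, this double extension.
MZ_MAGIC = b"MZ"
EXE_MIME = "application/msdos-executable"
SDA_SUFFIX = ".sda.exe"

# Assumed tuning values (not from the thread): entropy is measured per
# 4 KiB window; a window at or above 7.2 bits/byte is treated as opaque.
WINDOW = 4096
ENTROPY_THRESHOLD = 7.2
OPAQUE_FRACTION = 0.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_attachment(filename: str, data: bytes) -> dict:
    """Collect the signals a content filter could act on.

    The entropy check cannot tell encryption from compression (the thread's
    point that encrypted data is indistinguishable from noise); it only says
    whether the bulk of the file is opaque to a plaintext scanner.
    """
    is_exe = data.startswith(MZ_MAGIC)
    # Ignore a trailing fragment shorter than half a window.
    windows = [data[i:i + WINDOW] for i in range(0, len(data), WINDOW)]
    windows = [w for w in windows if len(w) >= WINDOW // 2]
    opaque = sum(1 for w in windows if shannon_entropy(w) >= ENTROPY_THRESHOLD)
    fraction = opaque / len(windows) if windows else 0.0
    return {
        "is_executable": is_exe,
        "mime_type": EXE_MIME if is_exe else "application/octet-stream",
        "sda_filename": filename.lower().endswith(SDA_SUFFIX),
        "high_entropy_fraction": round(fraction, 2),
        "opaque_payload": fraction >= OPAQUE_FRACTION,
    }


def filter_verdict(result: dict) -> str:
    """Map the signals to a filter action (policy names are assumed)."""
    if result["is_executable"] and result["opaque_payload"]:
        # The AV engine would scan this as-is and learn nothing useful.
        return "quarantine-unscannable-executable"
    if result["is_executable"]:
        return "apply-executable-policy"
    return "deliver"


# Constructed sample inputs: a minimal MZ header followed by a deterministic
# pseudo-random payload standing in for encrypted data, and a plaintext doc.
_rng = random.Random(2024)
SAMPLE_SDA = MZ_MAGIC + bytes(126) + bytes(_rng.getrandbits(8) for _ in range(16384))
SAMPLE_DOC = ("Quarterly revenue summary for the sales team. " * 400).encode()


if __name__ == "__main__":
    for name, blob in (("report.sda.exe", SAMPLE_SDA), ("report.txt", SAMPLE_DOC)):
        r = classify_attachment(name, blob)
        print(name, r, filter_verdict(r))
```

Run stand-alone, the constructed SDA is reported as an executable with every window opaque, while the plaintext document scores no opaque windows. A zipped attachment with no encryption at all would also score high, which is the practical limit of this approach and the reason the thread recommends matching known in-line strings instead of trying to recognise ciphertext.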