Is there a difference between RC4 and AES encryption in terms of the Ironport being able to scan these for viruses?

PDFs with RC4 are not being classed as encrypted and therefore not quarantined; however, any with AES are unscannable and quarantined, and we have to manually release these.

Is there a known difference?

I know RC4 is not complex and is old, but just wondering if anyone knows the specifics of how the Ironport scans them.



Cisco Employee

Hello Juliet,

-Sophos behaviour for AES-

The Engine does not support decrypting AES encryption within PDFs, hence issues an encrypted return code if StrongPDF is configured. A file can contain AES encrypted objects with the default password, even if a user has not set their own password to the file - which is likely to be what is happening in this case.

To explain the differences with 128-bit RC4 encrypted PDFs, Sophos can generally decrypt and scan them using the default key, so no error is returned. So in summary, the Sophos engine is likely to return ENCRYPTED for AES encryption within PDFs even when no password has been set.

It is correct that Sophos cannot scan the object encrypted using AES, though Sophos can still add detection for a malicious file, even if part of that file cannot be scanned for some reason. The error is only for the AES encrypted object; additional parts of the file will be scanned, though Sophos would not need to scan the whole PDF file in order to detect the PDF as viral.

In summary, Sophos will provide protection against any possible PDF threats. May I suggest, if you have any concern about protection against future threats, it is always best to have a second layer of antivirus scanning, which can run either on ESA appliances, mail server or end user client machines.

Hope the information above helps.
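
For triaging quarantined attachments along the lines described above, here is an added example (not part of the thread, and not Cisco or Sophos code) that reads a PDF's `/Encrypt` dictionary to tell RC4 from AES. The function name and the sample byte strings are constructed for illustration; it is a byte-level heuristic rather than a full PDF parser, and it does not test whether a user password is set.

```python
import re

def pdf_encryption(data: bytes) -> str:
    """Classify a PDF's encryption as none / RC4 / AES-128 / AES-256 / unknown."""
    ref = re.search(rb"/Encrypt\s*(?:(\d+)\s+(\d+)\s+R|<<)", data)
    if ref is None:
        return "none"
    if ref.group(1):
        # Indirect reference "N G R": find "N G obj" and read up to its endobj.
        # The lookbehind stops "5 0 obj" from matching inside "15 0 obj".
        head = re.search(rb"(?<!\d)" + ref.group(1) + rb"\s+" + ref.group(2)
                         + rb"\s+obj", data)
        if head is None:
            return "unknown"
        start, stop = head.end(), data.find(b"endobj", head.end())
    else:
        # Direct dictionary in the trailer: read up to startxref.
        start, stop = ref.end(), data.find(b"startxref", ref.end())
    body = data[start: stop if stop != -1 else len(data)]

    m = re.search(rb"/V\s+(\d+)", body)        # algorithm version
    v = int(m.group(1)) if m else None
    cfms = set(re.findall(rb"/CFM\s*/(\w+)", body))  # crypt filter methods (V 4/5)
    if b"AESV3" in cfms:
        return "AES-256"
    if b"AESV2" in cfms:
        return "AES-128"
    if v in (1, 2) or b"V2" in cfms:           # V 1/2, or a V 4 filter using RC4
        return "RC4"
    return "unknown"

# Constructed samples: only the objects the classifier needs, not complete PDFs.
RC4_SAMPLE = (b"%PDF-1.4\n5 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128 "
              b"/P -1 >>\nendobj\ntrailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n")
AES_SAMPLE = (b"%PDF-1.6\n15 0 obj\n<< /Type /Catalog >>\nendobj\n5 0 obj\n"
              b"<< /Filter /Standard /V 4 /R 4 /Length 128 /CF << /StdCF << "
              b"/CFM /AESV2 /AuthEvent /DocOpen /Length 16 >> >> "
              b"/StmF /StdCF /StrF /StdCF >>\nendobj\n"
              b"trailer\n<< /Root 15 0 R /Encrypt 5 0 R >>\n")
PLAIN_SAMPLE = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n"

if __name__ == "__main__":
    for name, blob in [("rc4", RC4_SAMPLE), ("aes", AES_SAMPLE), ("plain", PLAIN_SAMPLE)]:
        print(name, pdf_encryption(blob))
```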



