Detection of password-protected 7-zip archives


This article applies to:

  • Trustwave MailMarshal (SEG) 6.4 and above
  • Trustwave ECM/MailMarshal Exchange 7.X
  • WebMarshal 6.X and 7.X

Symptoms:

  • Attempting to process a password-protected archive file in 7-zip (.7z) encrypted format
  • The file is not detected as encrypted
  • The unpacker returns a generic error (exit code 2)
    • In MailMarshal by default the message is quarantined in a dead letter folder
    • In WebMarshal by default the file is blocked by a rule

Resolution:

Current Trustwave File Type identification recognizes 7-Zip Encrypted Archives as a distinct type. You can base policy on this type identification.

The updated File Type identification has been published through automatic updates (for installations with current maintenance), or included in the released software, for the following product versions:

  • SEG 7.3.6 and 7.5.1 through 7.5.8 (File Type DLL 7.14.3 or later 7.14.X)
  • SEG 8.0.1 and above (File Type DLL 8.0.1 or later)
  • WebMarshal 7.X (File Type DLL 8.2.2 or later, published February 28, 2019 or later)

Earlier versions:

Product versions that do not use the updated File Type DLL will identify all 7-zip format archives as generic 7-zip archives. This includes SEG 7.3.5 and below, WebMarshal 6.X, and all ECM releases.

When the unpacking process attempts to open these files, the unpacker returns a "fatal" error (exit code 2), which is the same error it returns for a corrupt archive.
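As an added illustration (not Trustwave's File Type DLL and not code from this article), the following Python reads only the 7z signature header and the "next header" block so that a damaged archive, which fails the CRC checks just as a corrupt one does, can be told apart from one whose header or contents are 7zAES-encrypted, without extracting anything. The header layout and the 7zAES coder id come from the published 7z format documentation; the sample archives are constructed byte strings, not real archives, and a compressed header (7-Zip's default) still has to be decoded before its coder list is visible, which this check does not attempt.

```python
import struct
import zlib

SIGNATURE = b"7z\xbc\xaf\x27\x1c"        # magic bytes at offset 0 of every .7z file
AES_CODER_ID = b"\x06\xf1\x07\x01"       # 7zAES coder id from 7-Zip's method table
K_HEADER, K_ENCODED_HEADER = 0x01, 0x17  # first byte of the "next header" block

def classify_7z(data: bytes) -> str:
    """Classify a .7z byte string without extracting it. Returns 'not-7z', 'corrupt',
    'encrypted', 'plain', or 'needs-header-decode' (header is compressed, so the
    coder list is not visible until the header itself is decoded)."""
    if len(data) < 32 or data[:6] != SIGNATURE:
        return "not-7z"
    # Signature header: magic(6) version(2) StartHeaderCRC(4), then the 20-byte
    # StartHeader = NextHeaderOffset(8) NextHeaderSize(8) NextHeaderCRC(4).
    (start_crc,) = struct.unpack("<I", data[8:12])
    next_off, next_size, next_crc = struct.unpack("<QQI", data[12:32])
    if zlib.crc32(data[12:32]) != start_crc:
        return "corrupt"
    if next_size == 0:
        return "plain"  # empty archive: nothing to encrypt
    header = data[32 + next_off:32 + next_off + next_size]
    if len(header) != next_size or zlib.crc32(header) != next_crc:
        return "corrupt"  # truncated or damaged: no unpacker can open it
    if header[0] == K_ENCODED_HEADER:
        # -mhe=on: the real header is itself encrypted and the 7zAES coder that
        # decodes it is listed here; without 7zAES it is merely LZMA-compressed.
        return "encrypted" if AES_CODER_ID in header else "needs-header-decode"
    if header[0] == K_HEADER:
        # Plain header: names are visible; encrypted entries sit in folders
        # whose coder chain includes 7zAES.
        return "encrypted" if AES_CODER_ID in header else "plain"
    return "corrupt"

def build_synthetic_7z(next_header: bytes, packed: bytes = b"") -> bytes:
    """Wrap a hand-made next header in a structurally valid signature header.
    Constructed fixture only: the header bytes are not a full 7z property tree."""
    start = struct.pack("<QQI", len(packed), len(next_header), zlib.crc32(next_header))
    return SIGNATURE + b"\x00\x04" + struct.pack("<I", zlib.crc32(start)) + start + packed + next_header

# Constructed samples (not real archives); coder ids are LZMA (03 01 01) or 7zAES.
ENCRYPTED_HEADER_SAMPLE = build_synthetic_7z(b"\x17\x06\x00\x07\x0b\x01\x00\x01\x24" + AES_CODER_ID)
ENCRYPTED_CONTENT_SAMPLE = build_synthetic_7z(b"\x01\x04\x06\x00\x07\x0b\x01\x00\x02\x23\x03\x01\x01\x24" + AES_CODER_ID)
PLAIN_SAMPLE = build_synthetic_7z(b"\x01\x04\x06\x00\x07\x0b\x01\x00\x01\x23\x03\x01\x01")
COMPRESSED_HEADER_SAMPLE = build_synthetic_7z(b"\x17\x06\x00\x07\x0b\x01\x00\x01\x23\x03\x01\x01")

if __name__ == "__main__":
    for name in ("ENCRYPTED_HEADER", "ENCRYPTED_CONTENT", "PLAIN", "COMPRESSED_HEADER"):
        print(name, classify_7z(globals()[name + "_SAMPLE"]))
```

A "needs-header-decode" result is the common case for an archive with encrypted contents but a compressed, unencrypted header, so a policy should treat it as undetermined rather than as plain.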

Workarounds for Earlier Versions:

  • In MailMarshal SMTP 6.9 and above, you can choose to release or redirect deadlettered messages automatically using a dead letter rule.
    • You should limit this automated activity as narrowly as possible, by the specific sender, recipient, or other criteria.
  • In WebMarshal, you can choose to permit download or upload of files that cannot be unpacked, with or without a warning.


Notes:

  • This issue applies only to archives encrypted in the 7-zip encryption format. It does not apply to archives in other formats, such as encrypted RAR and encrypted ZIP files.
  • It is not possible to create a custom file type (filetype.cfg entry) for these files.
  • Warning: Regardless of the file type identification, the content of password-protected encrypted files cannot be scanned, and the files could include malicious or inappropriate content. Trustwave recommends that you do not implement a catch-all rule to pass these files through. Review the affected files carefully before releasing them to end users.
    • The same warning applies to all password-protected files.

Last Modified 5/1/2020.
https://support.trustwave.com/kb/KnowledgebaseArticle14468.aspx