パスワード保護ファイル分析(PPFA)の導入

はじめに

このドキュメントでは、Eメールセキュリティアプライアンス(ESA)バージョン14.Xに追加された新しいパスワード保護ファイル分析(PPFA)について説明します。

前提条件

要件

ESAの概念と設定に関する知識があることが推奨されます。

使用するコンポーネント

このドキュメントの情報は、AsyncOS for ESA 14.0以降に基づくものです。

このドキュメントの情報は、特定のラボ環境にあるデバイスに基づいて作成されました。このドキュメントで使用するすべてのデバイスは、クリアな（デフォルト）設定で作業を開始しています。本稼働中のネットワークでは、各コマンドによって起こる可能性がある影響を十分確認してください。

背景説明

以前は、パスワードが不明なため、パスワードで保護されたドキュメントまたはアーカイブの添付ファイル（PDF、Doc、ZIPなど）の内容を分析できませんでした。

PPFAの導入により、パスワードで保護された添付ファイルを含む電子メールを分析して、悪意のあるアクティビティや、パスワードがメール本文に存在する場合のデータプライバシーを検出できます。

サポートされる形式と言語

サポートされているフォーマットのリストを次に示します。

• PDF
• MS Officeファイル

doc/x 2007 ～ 2019/doc 2002 ～ 2004

xls/x 2007 ～ 2019年

ppt/x 2007 ～ 2019年

• アーカイブ

zip、rar、7z

サポートされている言語の一覧は次のとおりです。 

   

考慮事項

PPFAはデフォルトで無効になっています。

パスワードで保護された添付ファイルは、現在、メール本文にパスワードが存在する場合にのみ分析できます。パスワードでは大文字と小文字が区別され、「スペース」は認識されません。 

adminが提供する最大5つのパスワードのリストがサポートされるようになりました。

設定手順

グラフィカル ユーザ インターフェイス（GUI）

GUIからPPFAを設定するには、Security Service > Scan Behavior > Edit Global Settings > Scanning of Password-protected Attachmentsの順に移動し、Inbound Mail Traffic/Outbound Mail TrafficまたはBoth >Submit >Commitの順に選択します。

コマンドライン インターフェイス（CLI）

CLIからPPFAを設定するには、コマンドscanconfig > PROTECTEDATTACHMENTCONFIG > Commitを実行します。

(ESA_CLI) (SERVICE)> scanconfig

NOTICE: This configuration command has not yet been configured for the current cluster mode (Machine esa1.lab.cisco.com).

What would you like to do?
1. Switch modes to edit at mode "Cluster ESA_BETA_CLUSTER".
2. Start a new, empty configuration at the current mode (Machine esa1.lab.cisco.com).
3. Copy settings from another cluster mode to the current mode (Machine esa1.lab.cisco.com).
[1]>


There are currently 5 attachment type mappings configured to be SKIPPED.

Choose the operation you want to perform:
- NEW - Add a new entry.
- DELETE - Remove an entry.
- SETUP - Configure scanning behavior.
- IMPORT - Load mappings from a file.
- EXPORT - Save mappings to a file.
- PRINT - Display the list.
- CLEAR - Remove all entries.
- SMIME - Configure S/MIME unpacking.
- SAFEPRINT - Configure safeprint settings.
- PROTECTEDATTACHMENTCONFIG - Scan password protected attachments.
- CLUSTERSET - Set how scanconfig is configured in a cluster.
- CLUSTERSHOW - Display how scanconfig is configured in a cluster.
[]> PROTECTEDATTACHMENTCONFIG

Scanning of password-protected attachments for inbound mails: enabled.
Scanning of password-protected attachments for outbound mails: enabled.

Do you want to scan password-protected attachments for inbound mails? y/n [Y]>

Do you want to scan password-protected attachments for outbound mails? y/n [Y]>

Scan password protected attachments configuration unchanged.

電子メール本文から抽出されるパスワードの最大数を増やすには、CLIで隠しコマンド「scanconfig > password_list_size」を使用できます。最大10個のパスワードを設定できます。

(ESA_CLI) (SERVICE)> scanconfig
There are currently 5 attachment type mappings configured to be SKIPPED.

Choose the operation you want to perform:
- NEW - Add a new entry.
- DELETE - Remove an entry.
- SETUP - Configure scanning behavior.
- IMPORT - Load mappings from a file.
- EXPORT - Save mappings to a file.
- PRINT - Display the list.
- CLEAR - Remove all entries.
- SMIME - Configure S/MIME unpacking.
- SAFEPRINT - Configure safeprint settings.
- PROTECTEDATTACHMENTCONFIG - Scan password protected attachments.
- CLUSTERSET - Set how scanconfig is configured in a cluster.
- CLUSTERSHOW - Display how scanconfig is configured in a cluster.
[]> password_list_size

Enter maximum number of passwords to process:
[5]> 1000

Value must be an integer from 1 to 10.

Enter maximum number of passwords to process:
[5]> 10

Password list size is changed.

トラブルシューティングと検証

この例では、条件を持つコンテンツフィルタは次のようになります。

1. 添付ファイルのコンテンツに「test」と
2. 添付ファイルがパスワードで保護されている場合

アクションはログ「!!!!!file is passwordprotected!!!!!!!!」です。

CLIからの正常なプロセスの確認

a) mail_logsのCLIで、次の内容を確認できます。

Wed Feb 24 12:11:59 2022 Info: Start MID 22178287 ICID 122555
Wed Feb 24 12:11:59 2022 Info: MID 22178287 ICID 122555 From: 
     
     
       Wed Feb 24 12:11:59 2022 Info: MID 22178287 ICID 122555 RID 0 To: 
      
        Wed Feb 24 12:11:59 2022 Info: MID 22178287 using engine: SPF Verdict Cache using cached verdict Wed Feb 24 12:11:59 2022 Info: MID 22178287 SPF: helo identity postmaster@[10.0.201.16] None Wed Feb 24 12:11:59 2022 Info: MID 22178287 using engine: SPF Verdict Cache using cached verdict Wed Feb 24 12:11:59 2022 Info: MID 22178287 SPF: mailfrom identity test@lab.cisco.com Pass (v=spf1) Wed Feb 24 12:11:59 2022 Info: MID 22178287 using engine: SPF Verdict Cache using cached verdict Wed Feb 24 12:11:59 2022 Info: MID 22178287 SPF: pra identity test@lab.cisco.com None headers from Wed Feb 24 12:11:59 2022 Info: MID 22178287 DMARC: Message from domain lab.cisco.com, DMARC pass (SPF aligned True, DKIM aligned False) Wed Feb 24 12:11:59 2022 Info: MID 22178287 DMARC: Verification passed Wed Feb 24 12:11:59 2022 Info: MID 22178287 Message-ID '<4be194cc-4c95-9d15-6528-81a05dc56a66@lab.cisco.com>' Wed Feb 24 12:11:59 2022 Info: MID 22178287 Subject ppfa test with xls Wed Feb 24 12:11:59 2022 Info: MID 22178287 SDR: Domains for which SDR is requested: reverse DNS host: Not Present, helo: [10.0.201.16], env-from: lab.cisco, header-from: lab.cisco.com, reply-to: Not Present Wed Feb 24 12:11:59 2022 Info: MID 22178287 SDR: Consolidated Sender Reputation: Tainted, Threat Category: N/A, Suspected Domain(s) : test@lab.cisco.com. Youngest Domain Age: 4 months 14 days for domain: test@lab.cisco.com Wed Feb 24 12:11:59 2022 Info: MID 22178287 SDR: Tracker Header : 1+lIjVgkzfH9oTTP+SaBrzZC3Gs6TTYhJbW8D/pjF0eP1U48Yn65OgvVF9VjL6RgIIYi/H6sTg4VSq/leHowYXwYz/1wmYQCDwFFhTTfkLqs/GuqB1ynXwqZRXi2TiSkkHHrJbo+6IUpze9pVWWlgvZomvY7LindREsvoMzHCYesMkNci5Ko0u0m9D1Fz5SoCuVsofk0dbf9rjydhcP4aGxNOTd99njpfkGqdTbZIBv1mBsIS5fRYaDSEEntbcJkuVq3V5ShYK2HZPfKAbzllBxstwYWM0kRe8uIFfiGuCFqDtPaQ1Fb2avNo1MKwLKL Wed Feb 24 12:11:59 2022 Info: MID 22178287 ready 22082 bytes from 
       
         Wed Feb 24 12:11:59 2022 Info: LDAP: Masquerade query LDAP.masquerade MID 22178287 address test@lab.cisco.com to test@lab.cisco.com Wed Feb 24 12:11:59 2022 Info: LDAP: Masquerade query LDAP.masquerade MID 22178287 address test@lab.cisco.com to test@lab.cisco.com Wed Feb 24 12:11:59 2022 Info: MID 22178287 attachment 'testfile.xlsx' Wed Feb 24 12:12:01 2022 Info: MID 22178287 matched all recipients for per-recipient policy test1 in the inbound table Wed Feb 24 12:12:04 2022 Info: MID 22178287 interim verdict using engine: CASE spam negative Wed Feb 24 12:12:04 2022 Info: MID 22178287 using engine: CASE spam negative Wed Feb 24 12:12:04 2022 Info: MID 22178287 interim AV verdict using McAfee ENCRYPTED Wed Feb 24 12:12:04 2022 Info: MID 22178287 interim AV verdict using Sophos ENCRYPTED Wed Feb 24 12:12:04 2022 Info: MID 22178287 antivirus encrypted Wed Feb 24 12:12:04 2022 Info: MID 22178287 AMP file reputation verdict : UNKNOWN(File analysis pending) Wed Feb 24 12:12:04 2022 Info: MID 22178287 SHA d1e67e9640c598162b891028d967d2e5621d0c1bc1141ef2cec21a0ee1087349 filename testfile.xlsx queued for possible file analysis upload Wed Feb 24 12:12:04 2022 Info: MID 22178287 using engine: GRAYMAIL negative Wed Feb 24 12:12:04 2022 Info: MID 22178287 Custom Log Entry: !!!!!!!!!file is passwordprotected!!!!!!!!! Wed Feb 24 12:12:04 2022 Info: MID 22178287 Unable to safe print the attachment, Filename: testfile.xlsx, Reason: The attachment is encrypted, Action: The attachment is stripped Wed Feb 24 12:12:04 2022 Info: MID 22178287 rewritten to MID 22178289 by safeprint-all-attachments-strip-unscan filter 'PDF-Safeprint' Wed Feb 24 12:12:04 2022 Info: Message finished MID 22178287 done 
        
       
     

b) content_scannerログから、ファイルが正常に抽出されたかどうかを確認できます 

Wed Feb 24 12:12:01 2022 Info: PF: MID 22178287 The password-protected file - "testfile.xlsx" is scanned successfully.

c) amp_logsから、抽出したファイルが高度なマルウェア防御(AMP)とファイル分析に送信されて分析されていることが確認できます。

Tue Mar 16 11:21:03 2022 Info:   File reputation query initiating. File Name = 'testfile.zip', MID = 22194509, File Size = 706376 bytes, File Type = application/zip
Tue Mar 16 11:21:03 2022 Info:   Response received for file reputation query from Cloud. File Name = 'testfile.zip', MID = 22194509, Disposition = FILE UNKNOWN, Malware = None, Analysis Score = 0, sha256 = fb997bf3891f81edc3a4292c22d9fa7fbfc652756eec5e9b7ffd431581694f5b, upload_action = Reco
mmended to send the file for analysis, verdict_source = None
Tue Mar 16 11:21:03 2022 Info:   Compressed/Archive File: sha256 = fb997bf3891f81edc3a4292c22d9fa7fbfc652756eec5e9b7ffd431581694f5b MID = 22194509, Extracted File: File Name = 'testfile.exe', File Type = 'application/x-dosexec', sha256 = f2d2638afb528c7476c9ee8e83ddb20e686b0b05f53f2f966fd9eb
962427f8aa, Disposition = FILE UNKNOWN, Response received from = Cloud, Malware = None, Analysis Score = 0, upload_action = Recommended to send the file for analysis
Tue Mar 16 11:21:04 2022 Info:   File uploaded for preclassification. SHA256: f2d2638afb528c7476c9ee8e83ddb20e686b0b05f53f2f966fd9eb962427f8aa, file name: testfile.exe
Tue Mar 16 11:21:31 2022 Info:   File uploaded for analysis. SHA256: f2d2638afb528c7476c9ee8e83ddb20e686b0b05f53f2f966fd9eb962427f8aa, file name: testfile.exe

d) amp_logsがデバッグレベルの場合は、パスワードで保護されたファイルに関する詳細情報を参照できます。

 Tue Mar 16 11:21:03 2022  Unarchive:-  AMP-DEBUG: amp_supported_file_mime: Supported mime : application/zip
 Tue Mar 16 11:21:03 2022  Unarchive:-  AMP-DEBUG: _amp_unarchv_mem2file - in_buf=0x96682000, size=706376, ctext=0x0, parent=0x0
 Tue Mar 16 11:21:03 2022  Unarchive:-  AMP-DEBUG: password is Cisco
Tue Mar 16 11:21:03 2022  Unarchive:-  AMP-DEBUG: amp_context_create - ctext=0x96610ec0
 Tue Mar 16 11:21:03 2022  Unarchive:-  AMP-DEBUG: archive size = 706376, max archive size=14127520
 Tue Mar 16 11:21:03 2022  Unarchive:-  AMP-DEBUG: password is Cisco
Tue Mar 16 11:21:03 2022  Unarchive:-  AMP-DEBUG: amp_context_create - ctext=0x96610ec0
 Tue Mar 16 11:21:03 2022  Unarchive:-  AMP-DEBUG: archive size = 706376, max archive size=14127520
 Tue Mar 16 11:21:03 2022  Unarchive:-  AMP-DEBUG: amp_make_dated_dir - path=/data/tmp/amp/2022_03_16
 Tue Mar 16 11:21:03 2022  Unarchive:-  AMP-DEBUG: update_full_pathname entered - path=/data/tmp/amp/2022_03_16, filename=testfile.exe, suffix=#amp_1_1615911663
 Tue Mar 16 11:21:03 2022  Unarchive:-  AMP-DEBUG: update_full_pathname - archive_entry_set_pathname, /data/tmp/amp/2022_03_16/testfile.exe#amp_1_1615911663
 Tue Mar 16 11:21:03 2022  Unarchive:-  AMP-DEBUG: amp_queue_entry_insert - ctext=0x96610ec0, parent=0x0, pathname=/data/tmp/amp/2022_03_16/testfile.exe#amp_1_1615911663
 Tue Mar 16 11:21:03 2022  Unarchive:-  AMP-DEBUG: _amp_unarchv_file2file - ctext=0x96610ec0, parent_qe=0x9666a2e0, filename=/data/tmp/amp/2022_03_16/testfile.exe#amp_1_1615911663
 Tue Mar 16 11:21:03 2022  Unarchive:-  AMP-DEBUG: Unsupported file type: application/x-dosexec
 Tue Mar 16 11:21:03 2022  Unarchive:-  AMP-DEBUG: _amp_unarchv_mem2file - in_buf=0x97284000, size=1096080, ctext=0x96610ec0, parent=0x9666a2e0
 Tue Mar 16 11:21:03 2022  Unarchive:-  AMP-DEBUG: _amp_unarchv_mem2file - decode depth (0)
 Tue Mar 16 11:21:03 2022  Unarchive:-  AMP-DEBUG: _amp_unarchv_file2file - archive cumulative size=1096080  no.of files=1
 Tue Mar 16 11:21:03 2022   AMPPyrex:-   AMP-INFO: set_analysis_params do_sandbox=0, do_analysis=0,file_mime=application/zip, file priortiy=0 preclass_type=2
Tue Mar 16 11:21:03 2022   AMPPyrex:-   AMP-INFO: set_analysis_params do_sandbox=1, do_analysis=1,file_mime=application/x-dosexec, file priortiy=0 preclass_type=4
Tue Mar 16 11:21:03 2022 AMPCloudIF:-  AMP-DEBUG: AMP Query Request, FileType[0] SHA256[fb997bf3891f81edc3a4292c22d9fa7fbfc652756eec5e9b7ffd431581694f5b]

......

ue Mar 16 11:21:03 2022  CloudPool:-  AMP-DEBUG: cb in callback_thread
Tue Mar 16 11:21:03 2022 AMPCloudIF:-  AMP-DEBUG: AMP Query Response[Cloud], SHA256[fb997bf3891f81edc3a4292c22d9fa7fbfc652756eec5e9b7ffd431581694f5b], disposition[1] score[0] score_tg[0] score_type[0] SpyName[] action[1]
 Tue Mar 16 11:21:03 2022 CacheUtils:-  AMP-DEBUG: Found SHA256: - SHA256::fb997bf3891f81edc3a4292c22d9fa7fbfc652756eec5e9b7ffd431581694f5b
Tue Mar 16 11:21:03 2022  CloudPool:-  AMP-DEBUG: imcloud callback thread going to sleep
Tue Mar 16 11:21:03 2022 VRTCloudIF:-  AMP-DEBUG: Status List, Server Response HTTP code:[200]
Tue Mar 16 11:21:03 2022 CacheUtils:-  AMP-DEBUG: Found SHA256: - SHA256::f2d2638afb528c7476c9ee8e83ddb20e686b0b05f53f2f966fd9eb962427f8aa
Tue Mar 16 11:21:03 2022 VRTCloudIF:-  AMP-DEBUG: File SHA256[f2d2638afb528c7476c9ee8e83ddb20e686b0b05f53f2f966fd9eb962427f8aa] pri - [0] is enqueued to vrt
 Tue Mar 16 11:21:03 2022  Unarchive:-  AMP-DEBUG: amp_entry_preserve_file - ctext=0x96610ec0, pathname=/data/tmp/amp/2022_03_16/testfile.exe#amp_1_1615911663
 Tue Mar 16 11:21:03 2022  Unarchive:-  AMP-DEBUG: amp_entry_preserve_file - preserved  pathname=/data/tmp/amp/2022_03_16/testfile.exe#amp_1_1615911663
 Tue Mar 16 11:21:03 2022  Unarchive:-  AMP-DEBUG: amp_context_delete - ctext=0x96610ec0
 Tue Mar 16 11:21:03 2022  Unarchive:-  AMP-DEBUG: amp_queue_entry_free - entry=0x9666a2e0, pathname=/data/tmp/amp/2022_03_16/testfile.exe#amp_1_1615911663 file_mime =application/x-dosexec, preserved=1
 Tue Mar 16 11:21:03 2022  Unarchive:-  AMP-DEBUG: amp_context_free - ctext=0x96610ec0
 Tue Mar 16 11:21:03 2022     AMPRPC:-   AMP-INFO: Adjusted verdict - {'file_type': 'application/zip', 'file_name': 'testfile.zip', 'verdict_source': None, 'spyname': '', 'custom_threshold': None, 'unscan_category': None, 'category': 'amp', 'original_verdict': 'FILE UNKNOWN', 'analysis_statu
s': 1, 'analysis_score': 0, 'score': 0, 'sha256': 'fb997bf3891f81edc3a4292c22d9fa7fbfc652756eec5e9b7ffd431581694f5b', 'verdict_str': 'FILE UNKNOWN', 'uploaded': False, 'verdict_from': 'Cloud', 'xid': 22194509, 'verdict_num': 1, 'blacklisted': False, 'extract_file_verdict_list': deque([{'c
ategory': 'amp', 'uploaded': True, 'original_verdict': 'FILE UNKNOWN', 'analysis_status': 4, 'verdict_num': 1, 'analysis_score': 0, 'file_type': 'application/x-dosexec', 'file_name': 'testfile.exe', 'verdict_source': None, 'verdict_from': 'Cloud', 'spyname': '', 'score': 0, 'unscan_category'
: None, 'upload_reason': None, 'sha256': 'f2d2638afb528c7476c9ee8e83ddb20e686b0b05f53f2f966fd9eb962427f8aa', 'verdict_str': 'FILE UNKNOWN', 'analysis_action': 1, 'blacklisted': False}]), 'analysis_action': 1, 'verdict': 'FILE UNKNOWN', 'error': None}
Tue Mar 16 11:21:03 2022 VRTCloudIF:-  AMP-DEBUG: Set curl options URL[https://tg1-clean.lab.cisco.com/csa/v3/run/file?apikey=qg8ecq3n5c9ld4inbps783g263&async=true&classify=true], Trust Store[/data/fire_amp/db/preserve/private_cert.pem]
 Tue Mar 16 11:21:03 2022 VRTCloudIF:-  AMP-DEBUG: {"message":"Success","hash":"f2d2638afb528c7476c9ee8e83ddb20e686b0b05f53f2f966fd9eb962427f8aa","base_url":"https://tg1-clean.lab.cisco.com","entitlement_buffer_info":{"used":0,"available":true,"available_on":"2022-03-16T16:21:03Z"},"anal
yzing":"unknown","sample":"d5c8d83543d92c0cc428d6377d1c665d","query":"https://tg1-clean.lab.cisco.com/csa/v3/report?sample=d5c8d83543d92c0cc428d6377d1c665d"}
 Tue Mar 16 11:21:03 2022 VRTCloudIF:-  AMP-DEBUG:  File upload successful filename testfile.exe
 Tue Mar 16 11:21:03 2022 CacheUtils:-  AMP-DEBUG: Found SHA256: - SHA256::f2d2638afb528c7476c9ee8e83ddb20e686b0b05f53f2f966fd9eb962427f8aa
Tue Mar 16 11:21:03 2022 VRTCloudIF:-  AMP-DEBUG: File SHA256[f2d2638afb528c7476c9ee8e83ddb20e686b0b05f53f2f966fd9eb962427f8aa], file mime[application/x-dosexec], upload priority[High] successfully uploaded to the VRT server.
Tue Mar 16 11:21:03 2022   AMPPyrex:-   AMP-INFO: Upload SHA[f2d2638afb528c7476c9ee8e83ddb20e686b0b05f53f2f966fd9eb962427f8aa] runid=0 sampleid = timestamp=1615911663
Tue Mar 16 11:21:17 2022   AMPPyrex:-  AMP-DEBUG: AMP Extraction monitoring thread entering into sleep. Thread pool length=19 free pool size=1

正常なプロセスのためのGUIからの確認

メッセージトラッキングに移動し、メッセージIDをフィルタリングします。

失敗したプロセスのCLIからの確認

条件：パスワードが正しくないか、またはパスワードが見つかりません。

a) CLIのmail_logsから 

Wed Feb 24 12:24:40 2022 Info: MID 22178297 ICID 122563 From: 
     
     
       Wed Feb 24 12:24:40 2022 Info: MID 22178297 ICID 122563 RID 0 To: 
      
        Wed Feb 24 12:24:40 2022 Info: MID 22178297 using engine: SPF Verdict Cache using cached verdict Wed Feb 24 12:24:40 2022 Info: SPF Verdict Cache cache status: hits = 10, misses = 531, expires = 318, adds = 531, seconds saved = 0.04, total seconds = 9.69 Wed Feb 24 12:24:40 2022 Info: MID 22178297 SPF: helo identity postmaster@[10.0.201.16] None Wed Feb 24 12:24:40 2022 Info: MID 22178297 using engine: SPF Verdict Cache using cached verdict Wed Feb 24 12:24:40 2022 Info: MID 22178297 SPF: mailfrom identity test@lab.cisco.com Pass (v=spf1) Wed Feb 24 12:24:40 2022 Info: MID 22178297 using engine: SPF Verdict Cache using cached verdict Wed Feb 24 12:24:40 2022 Info: MID 22178297 SPF: pra identity test@lab.cisco.com None headers from Wed Feb 24 12:24:40 2022 Info: MID 22178297 DMARC: Message from domain lab.cisco.com, DMARC pass (SPF aligned True, DKIM aligned False) Wed Feb 24 12:24:40 2022 Info: MID 22178297 DMARC: Verification passed Wed Feb 24 12:24:40 2022 Info: MID 22178297 Message-ID '<825ab100-3066-e35e-148e-9ea08cb2fb28@lab.cisco.com>' Wed Feb 24 12:24:40 2022 Info: MID 22178297 Subject ppfa test without password Wed Feb 24 12:24:40 2022 Info: MID 22178297 SDR: Domains for which SDR is requested: reverse DNS host: Not Present, helo: [10.0.201.16], env-from: lab.cisco.com, header-from: lab.cisco.com, reply-to: Not Present Wed Feb 24 12:24:40 2022 Info: MID 22178297 SDR: Consolidated Sender Reputation: Tainted, Threat Category: N/A, Suspected Domain(s) : test@lab.cisco.com. Youngest Domain Age: 4 months 14 days for domain: test@lab.cisco.com Wed Feb 24 12:24:40 2022 Info: MID 22178297 SDR: Tracker Header : jiOYjEFgtyhTbL9t0GE5obyJYv3d6lj/sYLgchp5eutSz6X67FGFv3IHCBbU5wQBlYXe8Bv/r+uhxP6VIAXvyXSt35AAGc5hkANFBHB0v/PJzmLg4sd2yacAozybm9ITPJKTdj+4cQtIrgZxBJtCuBoBQ9Y4v00rdaaYT15VZ3CLjypIvVIZeImiTGR1OwocHluoZrdecXFIT3Lo9lTBsJVPbIkyI3AU0Z82nQPgkCsp8CVAQYYlQXqd7ObrcFIsfX6NHZ+Z22kXaRlBd7FMk4PJ6u8X3R9B1vP+bJoM5Cxx15ZHNkgD49u8PJT2ags4 Wed Feb 24 12:24:40 2022 Info: MID 22178297 ready 22089 bytes from 
       
         Wed Feb 24 12:24:40 2022 Info: LDAP: Masquerade query LDAP.masquerade MID 22178297 address test@lab.cisco.com to test@lab.cisco.com Wed Feb 24 12:24:40 2022 Info: ICID 122563 close Wed Feb 24 12:24:40 2022 Info: LDAP: Masquerade query LDAP.masquerade MID 22178297 address test@lab.cisco.com to test@lab.cisco.com Wed Feb 24 12:24:40 2022 Info: MID 22178297 attachment 'testfile.xlsx' Wed Feb 24 12:24:42 2022 Info: MID 22178297 was marked unscannable due to extraction failures. Reason: The password protected attachment 'testfile.xlsx' could not be scanned successfully. Wed Feb 24 12:24:42 2022 Warning: MID 22178297: scanning error (name='testfile.xlsx', type=document/xls): Extraction failure of password protected attachment Wed Feb 24 12:24:42 2022 Info: MID 22178297 matched all recipients for per-recipient policy test1 in the inbound table Wed Feb 24 12:24:46 2022 Info: MID 22178297 interim verdict using engine: CASE spam negative Wed Feb 24 12:24:46 2022 Info: MID 22178297 using engine: CASE spam negative Wed Feb 24 12:24:46 2022 Info: MID 22178297 interim AV verdict using McAfee ENCRYPTED Wed Feb 24 12:24:46 2022 Info: MID 22178297 interim AV verdict using Sophos ENCRYPTED Wed Feb 24 12:24:46 2022 Info: MID 22178297 antivirus encrypted Wed Feb 24 12:24:46 2022 Info: MID 22178297 AMP file reputation verdict : UNKNOWN Wed Feb 24 12:24:46 2022 Info: MID 22178297 using engine: GRAYMAIL negative Wed Feb 24 12:24:46 2022 Info: MID 22178297 Unable to safe print the attachment, Filename: testfile.xlsx, Reason: The attachment is encrypted, Action: The attachment is stripped Wed Feb 24 12:24:46 2022 Info: MID 22178297 rewritten to MID 22178298 by safeprint-all-attachments-strip-unscan filter 'PDF-Safeprint' Wed Feb 24 12:24:46 2022 Info: Message finished MID 22178297 done 
        
       
     

b) content_scannerでは、次のことがわかります。 

Wed Feb 24 12:24:42 2022 Info: PF: MID 22178297 Failed to open document - 'testfile.xlsx' because it is password protected.

失敗したプロセスのGUIからの確認

a) GUIのMessage Trackingで、メッセージIDをフィルタ処理します。

ネストされたパスワード保護ファイル

入れ子になったパスワードで保護されたファイルを抽出できません。現在、これはサポートされていません。

このエラーはmail_logsで確認できます

Sun Nov 22 21:09:31 2022 Info: MID 19597596 attachment 'testfile.zip'
Sun Nov 22 21:09:31 2022 Info: ICID 465893 close
Sun Nov 22 21:09:41 2022 Info: MID 19597596 was marked unscannable due to extraction failures. Reason: The attachment could not be decrypted for scanning.

ステータスの表示

CLIで「ppfastats」コマンドを使用して、パスワードで保護された添付ファイルがあり、ESAによってスキャンされたメッセージの要約を表示します。

(Machine esa1.lab.cisco.com)> ppfastats

Incoming PPFA Statistics:
Total number of Password Protected Attachments : 425
Total number of Sucessfully scanned Password Protected Attachments : 386
Total number of Protected PDF Attachments : 136
Total number of Sucessfully scanned PDF Attachments : 136
Total number of Protected Office Attachments (XLS, PPT, DOC) : 36
Total number of Sucessfully scanned Office Attachments : 36
Total number of Protected Archive Attachments : 253
Total number of Sucessfully scanned Archive Attachments (ZIP) : 214

Outgoing PPFA Statistics:
PPFA Statistics data not available for Outgoing Mails.

関連情報

• AsyncOS 14.3 for Cisco Secure Email Cloud Gatewayユーザガイド – シスコ