Attachment Protect - Auto Decryption

The Auto-Decryption functionality sits within Attachment Protect scanning. If an attachment is encrypted, Mimecast will search the email body in an attempt to find a key. For supported file types, if a working key is discovered, the attachment is decrypted and subjected to all routine scanning. 

For detailed information on how to configure, optimize, integrate, and troubleshoot, see the Email Security Cloud Gateway Knowledge Hub.

The expected behavior is dependent upon your configured Attachment Protect Definitions settings:

  • Safe File: Encrypted files are not auto-decrypted or converted to a Safe File version and will either be delivered in their original format or held, depending on your Attachment Management Definitions settings.
  • Safe File with On-Demand Sandbox: Encrypted files are not auto-decrypted or converted to a Safe File. The Request Files link will not be available, and the encrypted files will be delivered in their original format.
  • Pre-emptive Sandbox: Encrypted files are auto-decrypted for sandboxing if a working key is discovered.
  • Dynamic Configuration: By default, Safe File with On-Demand Sandbox is used, and the original encrypted file is delivered to the recipient. For encrypted files sent by users on the trusted list, Pre-emptive Sandbox is used, and encrypted files are auto-decrypted.

Considerations:

  • Safe File with On-Demand Request File links are still available for non-encrypted files.
  • If Attachment Management is enabled for encrypted files, the Attachment Management action is honored regardless of the Auto-Decryption outcome:
    • If Auto-Decryption is successful and the file is not malicious, the message will be held by Attachment Management when Hold is selected for encrypted items. It is allowed if Allow is selected for encrypted items.
    • If Auto-Decryption is successful and the file is malicious, it will be held by Attachment Protect.
    • If Auto-Decryption is not successful, it will be held by Attachment Management when Hold is selected for encrypted items. It is allowed if Allow is selected for encrypted items.
  • Safe File conversion for encrypted files is not supported.
  • Supported File Types: family OOXML & OLE2 file formats, ZIP/ZIPX, 7Z, RAR, PDF.
  • Customers and users are permitted to utilize any passwords of their choosing. However, to ensure that internally generated passwords can be auto-decrypted, we recommend adhering to the use of alphanumeric characters, specifically a-z and A-Z, at this time.

Encrypted files using passwords containing any of the following characters cannot be auto-decrypted, but can be decrypted via the Decryption Portal:

  • SPACE ! " # $ % & ' ( ) * + , - . : ; < = > ? @ [ \ ] ^ _ ` { | } ~
  • All characters with codes from 0x80 to 0xFF (including £, €, ©, ÿ, etc.)
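A pre-flight check for internally generated attachment passwords, based on the character rules above. This is an added example, not Mimecast code: the function names and verdict labels are hypothetical, the sample passwords are constructed, and treating "codes from 0x80 to 0xFF" as either a Unicode code point or a Windows-1252 byte is an assumption drawn from the page listing € in that range.

```python
import string

# Characters the page lists as preventing auto-decryption, copied from the page.
# "/" is not on that list, so string.punctuation is deliberately not used.
BLOCKED_ASCII = set(" !\"#$%&'()*+,-.:;<=>?@[\\]^_`{|}~")
RECOMMENDED = set(string.ascii_letters)  # a-z and A-Z, as the page recommends


def in_high_range(ch):
    """True if ch has a code from 0x80 to 0xFF.

    Assumption: the euro sign is 0x80 only in Windows-1252, so a character
    counts if its Unicode code point or its cp1252 byte falls in the range.
    """
    if 0x80 <= ord(ch) <= 0xFF:
        return True
    try:
        return ch.encode("cp1252")[0] >= 0x80
    except UnicodeEncodeError:
        return False  # not representable in cp1252; the page does not cover it


def classify_password(password):
    """Return (verdict, blocked_chars, unspecified_chars) for one password.

    Verdict labels (hypothetical):
      "recommended"  only a-z / A-Z
      "portal-only"  contains a listed character, so the Decryption Portal is needed
      "unspecified"  contains characters the page neither recommends nor lists
    """
    blocked, unspecified = [], []
    for ch in password:
        if ch in BLOCKED_ASCII or in_high_range(ch):
            blocked.append(ch)
        elif ch not in RECOMMENDED:
            unspecified.append(ch)  # digits, "/", control characters, other Unicode
    if blocked:
        return "portal-only", blocked, unspecified
    if unspecified:
        return "unspecified", blocked, unspecified
    return "recommended", blocked, unspecified


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real system.
    for pw in ["InvoiceKey", "Spring2024", "pa/ss", "p@ss word", "caf\u00e9", "10\u20ac"]:
        print(repr(pw), classify_password(pw))
```

Passwords that come back as "unspecified" are worth testing against a sample encrypted attachment before a generator that produces them is rolled out.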

Using the Decryption Portal

If an encrypted attachment cannot be auto-decrypted, users can use the Decryption Portal. In this portal, you can enter the password for the attachment, which will then be scanned to verify its safety before being processed.
