How to know if a zip file is encrypted in XSOAR

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

How to know if a zip file is encrypted in XSOAR

L4 Transporter

Hello,

We'd like to know if a zip file is encrypted inside a playbook or a automation. The way in which XSOAR works with these files does not allow the use of python libraries. Is there a way through the File context value to know if the file is encrypted?

7 REPLIES 7

L4 Transporter

Hi @Josep , if you use zipfile instead of 7z while unzipping, the error will be provided if the zip file is protected. You can handle the error in the playbook to catch if the zip is password protected. 

!UnzipFile entryID=${File.EntryID} zipTool="zipfile"

Reason
zipfile couldn't extract this file - try using zipTool=7z If you already tried both zipfile and 7z check that the zip file is valid. File <ZipInfo filename=filename compress_type=deflate filemode='-rw-r--r--' file_size=1118 compress_size=624> is encrypted, password required for extraction
 
 

L3 Networker

I'm confused by this statement: "The way in which XSOAR works with these files does not allow the use of python libraries." If you use a custom automation with a custom docker image you can import and use basically any library you want, I don't understand what the the restriction would be here.

L4 Transporter

Yes building your automation for this purpose is another solution. You can use the built-in command "/docker_image_create" and specify other parameters. The only potential issue is you won't be able to delete dockers from the UI. You will need to go into the server to delete them. 

/docker_image_create name=<name_here> base=<base_image> dependencies=<comma_seperated_deps>

 

I hope this helps.

L1 Bithead

This may help, in the wrar section of the script there is reference to passing the password if encrypted.   

https://xsoar.pan.dev/docs/reference/scripts/unzip-file  , line 125 in the editor.  

Thanks for the response.

We are using Graph to get the files in sharepoint. This forces us that when we download the file it can only be placed in the context with the name "File". If we try to use this format within an automation, the output is not valid for processing. This is why you cannot download and use a downloaded file in the same automation, it must first be placed in the context in the XSOAR format and then used in the automation.

Thanks for the reply.

We want to check that the file can carry malware, for this we use a sandbox that only works if the file does not contain a password. This is why we don't want to open the file, just check if it has a password.

It sounds like you could implement your playbook with logic something like this to meet your requirements:

 

Fetch file from Graph (file entry ID is written to context) -> Conditional task which calls a custom automation, where the custom integration uses the python zipfile (or similar) library to determine if the zip is encrypted, then returns the result

-> (If unencrypted) sends to sandbox / (else) do other custom processing for encrypted zips.

  • 1545 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!