Symantec Protection Engine (SPE) users may observe that files encrypted using OpenSSL or PGP are not blocked even when the "Encrypted Container Handling" policy is set to "Block". This article explains the difference between encrypted containers and encrypted files and provides a workaround for blocking these file types.
Symantec Protection Engine (SPE) 8.x, 9.x
Symptoms
SPE's "Encrypted Container Handling" policy is implemented within the Symantec Decomposer engine. This policy only triggers when:
1. The file is identified as a known container format (ZIP, RAR, 7z, OOXML, PDF, etc.).
2. An encrypted entry or stream is detected inside that container.
OpenSSL and PGP files often consist of opaque ciphertext rather than a structured container. Because they are not recognized as decomposable containers, the encrypted-container event is not raised. The AV engine scans the encrypted bytes, finds no signatures, and returns a clean verdict.
To block OpenSSL or PGP encrypted files, use the **File Attribute** policy to deny them by extension or filename pattern.
1. Open the SPE console.
2. Navigate to **Policies** > **File Attribute**.
3. Enable **File Type Filtering**.
4. Add the following extensions to the **Deny File Types** list: `.enc`, `.pgp`, `.gpg`, `.asc`.
5. Alternatively, use the command line to modify `filtering.xml`:
Review these commands before running them:
`xmlmodifier -s //filtering/FileAttribute/FileTypeFilteringEnabled/@value true filtering.xml`
`xmlmodifier -s //filtering/FileAttribute/DenyFileTypes/items/item/@value .enc filtering.xml`
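The deny list above matches file names only, so a content check on the leading bytes is a useful complement in whatever process hands files to SPE. The sketch below labels a buffer by the headers that OpenSSL `enc` and OpenPGP output commonly carry. It is an added example, not part of SPE or Broadcom's tooling; the function names and sample buffers are constructed for illustration.

```python
import base64

# OpenPGP packet tags that can begin an encrypted message (RFC 4880, section 4.3).
PGP_ENCRYPTED_TAGS = {1: "PKESK", 3: "SKESK", 9: "SED", 18: "SEIPD"}


def openpgp_first_tag(data):
    """Return the packet tag in the first byte, or None if it is not a packet header."""
    if not data or not data[0] & 0x80:   # bit 7 is set on every OpenPGP packet header
        return None
    if data[0] & 0x40:                   # new-format header: tag is bits 5-0
        return data[0] & 0x3F
    return (data[0] >> 2) & 0x0F         # old-format header: tag is bits 5-2


def classify_encrypted(data):
    """Label a buffer by its leading bytes; None means no known header was found."""
    text = data.lstrip()                 # armored and base64 output may follow whitespace
    if data.startswith(b"Salted__") and len(data) >= 16:
        return "openssl-enc salted"      # 8-byte magic followed by an 8-byte salt
    if text.startswith(b"U2FsdGVkX1"):   # base64 encoding of "Salted__"
        return "openssl-enc salted base64"
    if text.startswith(b"-----BEGIN PGP MESSAGE-----"):
        return "pgp ascii-armored"
    tag = openpgp_first_tag(data)        # one-byte heuristic: use for triage only
    if tag in PGP_ENCRYPTED_TAGS:
        return "pgp binary " + PGP_ENCRYPTED_TAGS[tag]
    return None


# Constructed sample inputs (not real ciphertext), keyed by a made-up upload name.
_SALTED = b"Salted__" + bytes(8) + bytes(16)
SAMPLES = {
    "report.dat": _SALTED,
    "notes.txt": base64.b64encode(_SALTED),
    "msg.bin": b"\n-----BEGIN PGP MESSAGE-----\n\nplaceholder\n",
    "blob.bin": bytes([0x85, 0x01, 0x0C]) + bytes(8),
    "archive.zip": b"PK\x03\x04" + bytes(8),
    "image.png": b"\x89PNG\r\n\x1a\n",
}


def triage(samples):
    """Map each name to its label, keeping only buffers with an encryption header."""
    hits = {name: classify_encrypted(buf) for name, buf in samples.items()}
    return {name: label for name, label in hits.items() if label}


if __name__ == "__main__":
    for name, label in triage(SAMPLES).items():
        print(name, "->", label)
```

Ciphertext written without any of these headers returns `None`, so treat the result as a triage signal alongside the File Attribute policy, not a replacement for it.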
Supported file types for true type file filtering. Article: https://knowledge.broadcom.com/external/article/399598/