Netskope Global Technical Success (GTS)
KB - Why could Netskope be changing SHA/MD5 Values of Downloaded ZIP Files?
Netskope Cloud Version - 124
Objective
Explain the reason behind this behavior and what can be done to avoid it
Context
When the "Encryption with Netskope's KMIP" feature flag is enabled in the backend for a tenant, users may experience issues with downloaded ZIP files. Specifically, the Netskope proxy uncompresses and recompresses ZIP files during inspection, which can result in modified file sizes and hash values (SHA/MD5).
This issue manifests when programs verify the integrity of downloaded ZIP files by checking their hash values against published hashes. Since the recompression process may insert padded bytes or otherwise modify the file structure, the resulting hash values no longer match the expected values published by the file providers.
This issue is particularly problematic in environments where SHA verification is a critical security measure to protect against supply-chain attacks, and disabling these checks is not a viable option.
Resolution
In this case the best option is to ask Netskope to disable the feature. To do so, follow these steps:
1. Verify if you are actively using any encryption policies in your tenant:
- Check if you have any Real-time Protection or API data protection policies with the "Encrypt" action
- If no such policies exist, it is safe to disable the encryption feature
2. Contact Netskope Global Technical Success (GTS) to request disabling the "Encryption with Netskope's KMIP" feature flag:
- Open a support case with Netskope
- Specifically request to disable the "Encryption with Netskope's KMIP" feature flag for your tenant
- Provide the reason for the request (ZIP files being modified, causing SHA/MD5 mismatches)
3. After Netskope confirms the feature has been disabled, test downloading ZIP files again to verify that the SHA/MD5 values now match the expected values
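The following script is an added example and is not Netskope's own code or tooling. It shows the check behind step 3 and the mismatch described in the Context section: the SHA-256/MD5 of the ZIP container changes when an archive is unpacked and repacked, while the SHA-256 of each member's uncompressed content does not. It builds a small sample archive in memory (the member names and contents are constructed for the example), simulates a transparent recompression by rewriting the archive with a different compression method, and then classifies a downloaded copy against a trusted reference as identical, recompressed (container differs, contents intact) or contents_differ.

```python
"""Added example: distinguish a recompressed ZIP from a modified one.

Not Netskope code. Sample archive members below are constructed for the demo.
"""
import hashlib
import io
import zipfile

# Constructed sample content (not a real download).
SAMPLE_MEMBERS = {
    "README.txt": b"Sample text payload, constructed for this example.\n" * 40,
    "bin/tool.sh": b"#!/bin/sh\necho constructed sample\n",
}


def build_archive(members, compression=zipfile.ZIP_DEFLATED):
    """Write `members` (name -> bytes) into a ZIP with fixed timestamps so the
    output is deterministic; the only variable is the compression method."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in sorted(members.items()):
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            zf.writestr(info, content, compress_type=compression)
    return buf.getvalue()


def archive_hashes(data: bytes) -> dict:
    """Hashes of the ZIP file as a whole, i.e. what a vendor normally publishes."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def member_hashes(data: bytes) -> dict:
    """SHA-256 of each member's *uncompressed* bytes, keyed by member name.
    This survives recompression because only the container changes."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                result[info.filename] = hashlib.sha256(fh.read()).hexdigest()
    return result


def simulate_proxy_recompression(data: bytes) -> bytes:
    """Model of an inspecting proxy that unpacks and repacks the archive:
    same members, same content, different container bytes (here: stored
    instead of deflated). Assumption for the demo, not Netskope's algorithm."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = {i.filename: zf.read(i) for i in zf.infolist() if not i.is_dir()}
    return build_archive(members, compression=zipfile.ZIP_STORED)


def matches_published_hash(data: bytes, published_sha256: str) -> bool:
    """The plain step-3 check: does the archive hash equal the published one?"""
    return archive_hashes(data)["sha256"] == published_sha256.lower()


def classify(reference: bytes, downloaded: bytes) -> str:
    """Compare a download against a trusted reference copy of the same archive.

    identical        container hashes match
    recompressed     container hashes differ, every member's content matches
    contents_differ  member names or member content differ (treat as untrusted)
    """
    if archive_hashes(reference)["sha256"] == archive_hashes(downloaded)["sha256"]:
        return "identical"
    if member_hashes(reference) == member_hashes(downloaded):
        return "recompressed"
    return "contents_differ"


if __name__ == "__main__":
    original = build_archive(SAMPLE_MEMBERS)
    published = archive_hashes(original)["sha256"]
    via_proxy = simulate_proxy_recompression(original)
    print("published hash matches direct copy :", matches_published_hash(original, published))
    print("published hash matches proxied copy:", matches_published_hash(via_proxy, published))
    print("classification of proxied copy     :", classify(original, via_proxy))
```

A published archive hash alone cannot tell recompression apart from tampering, which is why the checks in step 3 should be repeated against the vendor's published value once the feature flag is off. The member-level comparison in classify needs a trusted reference copy of the archive, such as one downloaded after the flag has been disabled; it is a diagnostic for confirming that a hash mismatch was caused by the container being rewritten, not a substitute for the published-hash check.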
Note: The "Encryption" feature is designed to provide extra confidentiality and privacy of sensitive data at rest by encrypting files that match specific policies. For example, as a file is uploaded to a cloud storage service, if the traffic matches an 'encrypt' rule, Netskope will encrypt the file before it's stored. To decrypt the file, it would need to be downloaded through Netskope, which would then decrypt it upon delivery to the end user. If you download the file outside of Netskope, it will remain encrypted and inaccessible.
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, if any such platform changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.