In information security, is it correct that detecting viruses in encrypted messages is difficult because scanning cannot reliably occur until the content is decrypted?

Difficulty: Easy

Correct Answer: Correct

Explanation:


Introduction / Context:
This item examines the interplay between encryption and malware detection. Anti-malware engines look for signatures or suspicious patterns in message content. When payloads are encrypted end-to-end, those engines cannot inspect content until it is decrypted by an authorized endpoint or an approved inspection point.



Given Data / Assumptions:

  • The message payload is encrypted in transit or at rest.
  • Signature- or behavior-based scanning requires access to plaintext.
  • Policies may or may not allow intermediary decryption (e.g., TLS inspection gateways).


Concept / Approach:
Encryption provides confidentiality, intentionally obscuring data from intermediaries. Security devices that perform deep packet inspection need plaintext. Therefore, until decryption occurs, virus scanners cannot validate the content, creating a detection gap that organizations mitigate with endpoint security, secure mail gateways (with sanctioned decryption), or quarantine workflows.



Step-by-Step Solution:

  • Recognize that malware scanning requires content visibility.
  • Encrypted content is unreadable to scanners that lack the keys.
  • Therefore, scanning must wait for decryption at an endpoint or trusted proxy.
  • Conclude the statement is accurate: encryption delays or blocks detection until decryption.
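The detection gap described in these steps, shown as an added Python example (not part of the original question bank): a signature scanner run on the ciphertext by a middlebox that holds no key finds nothing, while the same scanner run at an authorized endpoint after decryption finds the planted marker. The signature patterns, the message, the key and the XOR keystream cipher are all constructed for illustration; the cipher is a toy, not a recommendation.

```python
import hashlib
from dataclasses import dataclass

# Constructed signature database (hypothetical patterns, not real malware signatures).
SIGNATURES = {
    "Test.Marker.A": b"CONSTRUCTED-MALWARE-MARKER-0001",
    "Test.Macro.B": b"AutoOpen()\r\nShell(",
}


def scan(data: bytes) -> list[str]:
    """Signature-based scan: return the names of every pattern present in data."""
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in data)


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream built from SHA-256(key || counter); illustration only, not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream; applying the same call again decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


toy_decrypt = toy_encrypt


@dataclass
class ScanResult:
    where: str
    detections: list[str]


def inspect_in_transit(ciphertext: bytes) -> ScanResult:
    """A middlebox without the key can only scan ciphertext, so signatures never match."""
    return ScanResult("in-transit (no key)", scan(ciphertext))


def inspect_at_endpoint(key: bytes, ciphertext: bytes) -> ScanResult:
    """An authorized endpoint (or a sanctioned decrypting gateway) decrypts first, then scans."""
    return ScanResult("endpoint (after decrypt)", scan(toy_decrypt(key, ciphertext)))


# Constructed message: a benign body with one planted test marker, encrypted with a constructed key.
MESSAGE = b"Hello,\r\nplease see the attached report.\r\n" + SIGNATURES["Test.Marker.A"] + b"\r\n"
KEY = b"constructed-demo-key"
CIPHERTEXT = toy_encrypt(KEY, MESSAGE)

if __name__ == "__main__":
    for result in (inspect_in_transit(CIPHERTEXT), inspect_at_endpoint(KEY, CIPHERTEXT)):
        print(f"{result.where}: {result.detections or 'nothing detected'}")
```

Running the block prints one line per inspection point: the in-transit scan reports nothing, the endpoint scan reports the marker. This is the reason sanctioned decryption points and endpoint agents exist: they move the scan to a place where plaintext is legitimately available.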


Verification / Alternative check:
Operational practices like TLS termination at secure gateways, or using EDR on endpoints, exist specifically to restore scanning capability after decryption.



Why Other Options Are Wrong:

  • “Incorrect” ignores the visibility constraint: a scanner without plaintext has nothing to match against.
  • “Only symmetric” or “only TLS” is misleading; the core issue exists for any end-to-end encryption scheme.


Common Pitfalls:
Assuming network scanners can “see through” encryption; forgetting privacy and legal implications of decryption at middleboxes.



Final Answer:
Correct
