Attachment Cleaning (Threat Extraction)

After the Anti-Malware security engine determines an attachment is not malicious, Attachment Cleaning (Threat Extraction) delivers a secure version of the attachment to the end user, removing hyperlinks behind text, macros, and other active content that may contain malware.

Administrators can allow end-users to retrieve the original version of the attachment. This action does not require the help desk's intervention. To configure the attachment cleaning workflow, see Configuring Attachment Cleaning (Threat Extraction).

File Sanitization Modes

Attachment Cleaning (Threat Extraction) can create a safe version of an email attachment in these ways:

• Clean - removes macros, embedded objects, and any active content from the attachment while maintaining the file type.

  For example, if a DOC file is cleaned, the end user will get a modified DOC file.

• Convert - the file is converted into PDF format, regardless of its original file type, ensuring no active content can ever be a part of it.

  For example, if a DOC file is converted, the end user will get the file in PDF format.

Note - While the Convert option is considered to be secure, it has an impact on user experience and productivity. Unless there are strict regulatory or organizational policy requirements, we recommend using the Clean option to deliver only PDF files.

Configuring Attachment Cleaning (Threat Extraction)

To configure Attachment Cleaning (Threat Extraction) for Office 365 Mail or Gmail:

1. Click Policy on the left panel of the Infinity Portal.

2. Open a threat detection policy for Office 365 Mail or Gmail if available, and continue from step 6.

   or

3. Click Add a New Policy Rule.

4. In the Choose SaaS drop-down list, select the SaaS application (Office 365 Mail or Gmail).

5. In the Choose Security drop-down list, select Threat Detection and click Next.

6. Select the Prevent (Inline) protection mode.

7. Scroll down to Attachment Cleaning (Threat Extraction) section and select the Clean attachments before delivering to end users checkbox.

8. In the Clean field, select the option required.

   1. To clean all the file types, select All supported file types.

      Note - When this option is selected, the Convert option is disabled.

   2. To clean only some file types, select Only specific file types and enter the required file types.

      For the supported file types, see Supported file types for Attachment Cleaning (Threat Extraction)

   3. To exclude some file types from cleaning, select All supported file types except and enter the required file types.

   4. To stop cleaning the files, select None.

9. In the Convert field, select the option required.

   1. To convert all the file types, select All supported file types.

      Note - When this option is selected, the Clean option is disabled.

   2. To convert only some file types, select Only specific file types and enter the required file types.

      For the supported file types, see Supported file types for Attachment Cleaning (Threat Extraction)

   3. To exclude some file types from converting, select All supported file types except and enter the required file types.

   4. To stop converting the files, select None.

10. In the Attachment cleaning workflow field, select the workflow. See Attachment Cleaning (Threat Extraction) Workflows.

11. Click Save and Apply.

Note - Harmony Email & Collaboration does not clean attachments in an email if both these conditions are satisfied: There are other attachments in the same email that are password-protected. The password-protected attachments workflow is configured as Require end-user to enter a password.

Attachment Cleaning (Threat Extraction) Workflows

The administrators can select any of these workflows for attachment cleaning.

Workflow	Description
User is allowed to request a restore for any attachment (admin must approve)	The use is allowed to request for restoring the original attachments. The attachments are restored only after the admin approves.
User is allowed to restore benign attachments only	The user can request to restore the attachments. If the attachments are benign, they are restored immediately.
User is allowed to restore any attachment	The user can request to restore the attachments and they are restored immediately.

Supported file types for Attachment Cleaning (Threat Extraction)

File Type	File Extensions
Adobe FDF	FDF
Adobe PDF (all versions)	PDF
Microsoft Excel 2007 and later	XLSX, XLSB, XLSM, XLTX, XLTM, XLAM
Microsoft Excel 2007 Binary	XLSB
Microsoft Excel 97 - 2003	XLS
Microsoft PowerPoint 2007 and later	PPTX, PPTM, POTX, POTM, PPAM, PPSX, PPSM
Microsoft PowerPoint 97 - 2003	PPT, PPS, POT, PPA
Microsoft Word 2007 and later	DOCX, DOCM, DOTX, DOTM
Microsoft Word 97 - 2003	DOC, DOT

Original Attachments vs Cleaned Attachments

In the Attachment Cleaning process, some components of the attachment are removed or disabled.

By default, these components of the attachment are cleaned and depending on the file type being cleaned, specific components of the attachment may be removed as shown in this table:

Code	File Type	Description
1018	All supported file types	Query to remote database
1019	All supported file types	Files and objects embedded in the documents
1021	All supported file types	Stored data for fast document saving
1026	All supported file types	Microsoft Office macros and PDF JavaScript code
1034	All supported file types	Links to network or local file paths
1137	PDF	Open other PDF files
1139	PDF	PDF launch action
1141	PDF	Open Uniform Resource Identifier (URI) resources
1142	PDF	Play sound objects
1143	PDF	Play movie files
1150	PDF	Execute JavaScript code
1151	PDF	Submit data to remote locations

To configure Harmony Email & Collaboration to clean additional part of attachments which are not cleaned by default, contact Check Point Support.

Code	File Type	File Part
500	All supported file types	Images embedded in documents
1017	All supported file types	Custom document properties
1025	All supported file types	Links to files that are reviewed by another application
1036	All supported file types	Statistic document properties
1037	All supported file types	Summary document properties
1178	PDF	Embedded 3D Artwork

Viewing Emails with Cleaned Attachments

You can view these details in the Emails with Modified Attachments page.

• Emails with attachments, where the links in the attachments were replaced. See Click-Time Protection.

• Emails with attachments that were cleaned. See Attachment Cleaning (Threat Extraction).

Note - The page does not show emails where links in the email body were replaced.

Sending the Unmodified Emails to End Users

Attachment Cleaning (Threat Extraction) - End-User Experience

If a policy is configured to clean the files, if a file is sent in an email, the end-user receives the email with a cleaned file. By default, the cleaned file will have threat_extracted_ mentioned before the file name.

If a policy is configured to convert the files, if a file is sent in an email, the end-user always receives the email with converted PDF file. By default, the converted PDF file will have threat_extracted_ mentioned before the file name.

To request to restore the original email by the end-user:

1. Click the link below the attachment in the email.

   

2. If prompted, enter the reason for restoring the attachment, and click Submit.

   Note - This screen appears only when the Attachment cleaning workflow is configured such that the admin must approve to restore the original attachment.

   

   After you submit, the administrator receives the request.

   

   After the administrator approves, the user receives the original email.

3. If the Attachment cleaning workflow is configured such that it does not require admin approval to restore the attachment, the original email is delivered to the end user immediately.

   

For more information on who receives the restored emails, see Who Receives the Emails Restored from Quarantine.