Attachment Cleaning (Threat Extraction)
Attachment Cleaning (Threat Extraction) is a Content Disarm and Reconstruction (CDR) engine that serves as an additional layer of security for email attachments on top of the Anti-Malware engine.
After the Anti-Malware security engine determines an attachment is not malicious, Attachment Cleaning (Threat Extraction) delivers a secure version of the attachment to the end user, removing hyperlinks behind text, macros, and other active content that may contain malware.
Administrators can allow end-users to retrieve the original version of the attachment. This action does not require the help desk's intervention. To configure the attachment cleaning workflow, see Configuring Attachment Cleaning (Threat Extraction).
File Sanitization Modes
Attachment Cleaning (Threat Extraction) can create a safe version of an email attachment in these ways:
- Clean - removes macros, embedded objects, and any active content from the attachment while maintaining the file type.
  For example, if a DOC file is cleaned, the end user will get a modified DOC file.
- Convert - the file is converted into PDF format, regardless of its original file type, ensuring no active content can ever be a part of it.
  For example, if a DOC file is converted, the end user will get the file in PDF format.

Note - While the Convert option is considered to be secure, it has an impact on user experience and productivity. Unless there are strict regulatory or organizational policy requirements, we recommend using the Clean option to deliver only PDF files.
Configuring Attachment Cleaning (Threat Extraction)
To configure Attachment Cleaning (Threat Extraction) for Office 365 Mail or Gmail:
1. Click Policy on the left panel of the Infinity Portal.
2. Open a threat detection policy for Office 365 Mail or Gmail if available, and continue from step 6.
   or
   Click Add a New Policy Rule.
3. In the Choose SaaS drop-down list, select the SaaS application (Office 365 Mail or Gmail).
4. In the Choose Security drop-down list, select Threat Detection and click Next.
5. Select the Prevent (Inline) protection mode.
6. Scroll down to the Attachment Cleaning (Threat Extraction) section and select the Clean attachments before delivering to end users checkbox.
7. In the Clean field, select the option required.
   - To clean all the file types, select All supported file types.
     Note - When this option is selected, the Convert option is disabled.
   - To clean only some file types, select Only specific file types and enter the required file types.
     For the supported file types, see Supported file types for Attachment Cleaning (Threat Extraction).
   - To exclude some file types from cleaning, select All supported file types except and enter the required file types.
   - To stop cleaning the files, select None.
8. In the Convert field, select the option required.
   - To convert all the file types, select All supported file types.
     Note - When this option is selected, the Clean option is disabled.
   - To convert only some file types, select Only specific file types and enter the required file types.
     For the supported file types, see Supported file types for Attachment Cleaning (Threat Extraction).
   - To exclude some file types from converting, select All supported file types except and enter the required file types.
   - To stop converting the files, select None.
9. In the Attachment cleaning workflow field, select the workflow. See Attachment Cleaning (Threat Extraction) Workflows.
10. Click Save and Apply.
Clean Attachments
Threat Extraction cleans an attachment and executes the configured workflow when these conditions are met:
- The attachment is of a supported file type.
- The attachment contains one of the supported active parts for removal.
- The attachment is not detected as malicious (if malicious, the Anti-Malware workflow will take effect).

In addition, Threat Extraction excludes an attachment from cleaning when these conditions are met:
- Other attachments in the same email are password-protected.
- The workflow for password-protected attachments is configured as Require end-user to enter a password.
When an attachment is not cleaned, its original version is included in the email sent to the end user, and no restoration is required by the user.
Attachment Cleaning (Threat Extraction) Workflows
Administrators can select any of these workflows for attachment cleaning.

| Workflow | Description |
|---|---|
| User is allowed to request a restore for any attachment (admin must approve) | The user is allowed to request restoring the original attachments. The attachments are restored only after the admin approves. |
| User is allowed to restore benign attachments only | The user can request to restore the attachments. If the attachments are benign, they are restored immediately. |
| User is allowed to restore any attachment | The user can request to restore the attachments and they are restored immediately. |
Supported file types for Attachment Cleaning (Threat Extraction)
| File Type | File Extensions |
|---|---|
| Adobe FDF | FDF |
| Adobe PDF (all versions) | |
| Microsoft Excel 2007 and later | XLSX, XLSB, XLSM, XLTX, XLTM, XLAM |
| Microsoft Excel 2007 Binary | XLSB |
| Microsoft Excel 97 - 2003 | XLS |
| Microsoft PowerPoint 2007 and later | PPTX, PPTM, POTX, POTM, PPAM, PPSX, PPSM |
| Microsoft PowerPoint 97 - 2003 | PPT, PPS, POT, PPA |
| Microsoft Word 2007 and later | DOCX, DOCM, DOTX, DOTM |
| Microsoft Word 97 - 2003 | DOC, DOT |
Original Attachments vs Cleaned Attachments
In the Attachment Cleaning process, some components of the attachment are removed or disabled.
By default, the components listed in this table are cleaned. Depending on the file type being cleaned, specific components of the attachment may be removed:
| Code | File Type | Description |
|---|---|---|
| 1018 | All supported file types | Query to remote database |
| 1019 | All supported file types | Files and objects embedded in the documents |
| 1021 | All supported file types | Stored data for fast document saving |
| 1026 | All supported file types | Microsoft Office macros and PDF JavaScript code |
| 1034 | All supported file types | Links to network or local file paths |
| 1137 | | Open other PDF files |
| 1139 | | PDF launch action |
| 1141 | | Open Uniform Resource Identifier (URI) resources |
| 1142 | | Play sound objects |
| 1143 | | Play movie files |
| 1150 | | Execute JavaScript code |
| 1151 | | Submit data to remote locations |
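
The following is an added example, not part of the Check Point documentation or product: a Python check that an Office Open XML file carrying the threat_extracted_ prefix no longer contains macro storage, embedded objects, or external link targets. The mapping of these package parts to codes 1026, 1019 and 1034, the function names, and the sample package are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
PREFIX = "threat_extracted_"  # default prefix of cleaned files, per the page

def residual_active_content(data: bytes) -> dict:
    """List OOXML parts that a cleaned DOCX/XLSX/PPTX should no longer carry."""
    found = {"macros": [], "embedded_objects": [], "external_links": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("/vbaproject.bin"):          # VBA macro storage
                found["macros"].append(name)
            elif "/embeddings/" in lower or "/activex/" in lower:
                found["embedded_objects"].append(name)     # OLE / ActiveX parts
            elif lower.endswith(".rels"):
                # Stdlib parser keeps this offline; prefer a hardened XML
                # parser (e.g. defusedxml) for untrusted mail attachments.
                for rel in ET.fromstring(zf.read(name)).iter(REL):
                    if rel.get("TargetMode") == "External":
                        found["external_links"].append(rel.get("Target"))
    return found

def audit(filename: str, data: bytes) -> list:
    """Return categories still present in a file named as cleaned; [] means none."""
    if not filename.startswith(PREFIX):
        raise ValueError("not a cleaned attachment name: " + filename)
    return sorted(k for k, v in residual_active_content(data).items() if v)

def build_sample(cleaned: bool) -> bytes:
    """Constructed minimal OOXML-like package (not a real document)."""
    rels = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        if not cleaned:
            zf.writestr("word/vbaProject.bin", b"constructed")
            zf.writestr("word/embeddings/oleObject1.bin", b"constructed")
            rels += ('<Relationship Id="rId1" Type="hyperlink" TargetMode="External" '
                     'Target="file://fileserver.example/share/a.docx"/>')
        zf.writestr("word/_rels/document.xml.rels", rels + "</Relationships>")
    return buf.getvalue()

if __name__ == "__main__":
    print(audit(PREFIX + "report.docx", build_sample(cleaned=True)))
    print(audit(PREFIX + "report.docx", build_sample(cleaned=False)))
```

A non-empty result for a file that was delivered with the cleaned-file prefix is a signal to review the policy's Clean file-type selection or to raise the file with the vendor.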
To configure Harmony Email & Collaboration to clean additional parts of attachments that are not cleaned by default, contact Check Point Support.
| Code | File Type | File Part |
|---|---|---|
| 500 | All supported file types | Images embedded in documents |
| 1017 | All supported file types | Custom document properties |
| 1025 | All supported file types | Links to files that are reviewed by another application |
| 1036 | All supported file types | Statistic document properties |
| 1037 | All supported file types | Summary document properties |
| 1178 | | Embedded 3D Artwork |
Viewing Emails with Cleaned Attachments
You can view these details in the Emails with Modified Attachments page.
- Emails with attachments, where the links in the attachments were replaced. See Click-Time Protection.
- Emails with attachments that were cleaned. See Attachment Cleaning (Threat Extraction).

Note - The page does not show emails where links in the email body were replaced.
Sending the Unmodified Emails to End Users
To send the original email to the end-user, do one of these:
- From the Modified Attachments page.
  - Go to User Interaction > Modified Attachments.
  - To send an original email, click the icon for the email from the last column of the request table and select Send Original.
  - To send multiple emails at a time, select the emails and click Send Original from the top-right corner of the page.
  - Click OK.
- From the Email profile page.
  - Open the email profile page.
  - In the Email Profile section, click Send for Send Original Email.
  - Click OK.
Attachment Cleaning (Threat Extraction) - End-User Experience
If a policy is configured to clean the files, the end-user receives any file sent in an email as a cleaned file. By default, the cleaned file has threat_extracted_ added before the file name.
If a policy is configured to convert the files, the end-user always receives any file sent in an email as a converted PDF file. By default, the converted PDF file has threat_extracted_ added before the file name.
To request to restore the original email as an end-user:
- Click the link below the attachment in the email.
- If prompted, enter the reason for restoring the attachment, and click Submit.
  Note - This screen appears only when the Attachment cleaning workflow is configured such that the admin must approve to restore the original attachment.
  After you submit, the administrator receives the request.
  After the administrator approves, the user receives the original email.
- If the Attachment cleaning workflow is configured such that it does not require admin approval to restore the attachment, the original email is delivered to the end user immediately.
For more information on who receives the restored emails, see Who Receives the Emails Restored from Quarantine.