Attachment Cleaning (Threat Extraction)

Attachment Cleaning (Threat Extraction) is a Content Disarm and Reconstruction (CDR) engine that serves as an additional layer of security for email attachments on top of the Anti-Malware engine.

After the Anti-Malware security engine determines an attachment is not malicious, Attachment Cleaning (Threat Extraction) delivers a secure version of the attachment to the end user, removing hyperlinks behind text, macros, and other active content that may contain malware.

Administrators can allow end-users to retrieve the original version of the attachment. This action does not require the help desk's intervention. To configure the attachment cleaning workflow, see Configuring Attachment Cleaning (Threat Extraction).

File Sanitization Modes

Attachment Cleaning (Threat Extraction) can create a safe version of an email attachment in these ways:

  • Clean - removes macros, embedded objects, and any active content from the attachment while maintaining the file type.

    For example, if a DOC file is cleaned, the end user will get a modified DOC file.

  • Convert - the file is converted into PDF format, regardless of its original file type, ensuring no active content can ever be a part of it.

    For example, if a DOC file is converted, the end user will get the file in PDF format.

Note - While the Convert option is considered to be secure, it has an impact on user experience and productivity. Unless there are strict regulatory or organizational policy requirements, we recommend using the Clean option to deliver only PDF files.

Configuring Attachment Cleaning (Threat Extraction)

To configure Attachment Cleaning (Threat Extraction) for Office 365 Mail or Gmail:

  1. Click Policy on the left panel of the Infinity Portal.

  2. Open a threat detection policy for Office 365 Mail or Gmail if available, and continue from step 6.

    or

  3. Click Add a New Policy Rule.

  4. In the Choose SaaS drop-down list, select the SaaS application (Office 365 Mail or Gmail).

  5. In the Choose Security drop-down list, select Threat Detection and click Next.

  6. Select the Prevent (Inline) protection mode.

  7. Scroll down to Attachment Cleaning (Threat Extraction) section and select the Clean attachments before delivering to end users checkbox.

  8. In the Clean field, select the option required.

    1. To clean all the file types, select All supported file types.

      Note - When this option is selected, the Convert option is disabled.

    2. To clean only some file types, select Only specific file types and enter the required file types.

      For the supported file types, see Supported file types for Attachment Cleaning (Threat Extraction)

    3. To exclude some file types from cleaning, select All supported file types except and enter the required file types.

    4. To stop cleaning the files, select None.

  9. In the Convert field, select the option required.

    1. To convert all the file types, select All supported file types.

      Note - When this option is selected, the Clean option is disabled.

    2. To convert only some file types, select Only specific file types and enter the required file types.

      For the supported file types, see Supported file types for Attachment Cleaning (Threat Extraction)

    3. To exclude some file types from converting, select All supported file types except and enter the required file types.

    4. To stop converting the files, select None.

  10. In the Attachment cleaning workflow field, select the workflow. See Attachment Cleaning (Threat Extraction) Workflows.

  11. Click Save and Apply.

Note - Harmony Email & Collaboration does not clean attachments in an email if both these conditions are satisfied:

  • There are other attachments in the same email that are password-protected.

  • The password-protected attachments workflow is configured as Require end-user to enter a password.

Attachment Cleaning (Threat Extraction) Workflows

The administrators can select any of these workflows for attachment cleaning.

Workflow

Description

User is allowed to request a restore for any attachment (admin must approve)

The use is allowed to request for restoring the original attachments. The attachments are restored only after the admin approves.

User is allowed to restore benign attachments only

The user can request to restore the attachments. If the attachments are benign, they are restored immediately.

User is allowed to restore any attachment

The user can request to restore the attachments and they are restored immediately.

Supported file types for Attachment Cleaning (Threat Extraction)

File Type

File Extensions

Adobe FDF

FDF

Adobe PDF (all versions)

PDF

Microsoft Excel 2007 and later

XLSX, XLSB, XLSM, XLTX, XLTM, XLAM

Microsoft Excel 2007 Binary

XLSB

Microsoft Excel 97 - 2003

XLS

Microsoft PowerPoint 2007 and later

PPTX, PPTM, POTX, POTM, PPAM, PPSX, PPSM

Microsoft PowerPoint 97 - 2003

PPT, PPS, POT, PPA

Microsoft Word 2007 and later

DOCX, DOCM, DOTX, DOTM

Microsoft Word 97 - 2003

DOC, DOT

Viewing Emails with Cleaned Attachments

You can view these details in the Emails with Modified Attachments page.

Note - The page does not show emails where links in the email body were replaced.

Sending the Unmodified Emails to End Users

To send the original email to the end-user, do one of these.

  • From the Modified Attachments page.

    1. Go to User Interaction > Modified Attachments.

    2. To send a original email, click the icon for the email from the last column of the request table and select Send Original.

    3. To send multiple emails at a time, select the emails and click Send Original from the top-right corner of the page.

    4. Click OK.

  • From the Email profile page.

    1. Open the email profile page.

    2. In the Email Profile section, click Send for Send Original Email.

    3. Click OK.

Attachment Cleaning (Threat Extraction) - End-User Experience

If a policy is configured to clean the files, if a file is sent in an email, the end-user receives the email with a cleaned file. By default, the cleaned file will have threat_extracted_ mentioned before the file name.

If a policy is configured to convert the files, if a file is sent in an email, the end-user always receives the email with converted PDF file. By default, the converted PDF file will have threat_extracted_ mentioned before the file name.

To request to restore the original email by the end-user:

  1. Click the link below the attachment in the email.

  2. If prompted, enter the reason for restoring the attachment, and click Submit.

    Note - This screen appears only when the Attachment cleaning workflow is configured such that the admin must approve to restore the original attachment.

    After you submit, the administrator receives the request.

    After the administrator approves, the user receives the original email.

  3. If the Attachment cleaning workflow is configured such that it does not require admin approval to restore the attachment, the original email is delivered to the end user immediately.

For more information on who receives the restored emails, see Who Receives the Emails Restored from Quarantine.