

Getting Started with the Threat Extraction Blade

In This Section:

Enabling the Threat Extraction Blade

Configuring the Threat Extraction Blade

Threat Extraction Statistics

Using the Gateway CLI

Troubleshooting the Threat Extraction Blade

Important: Threat Extraction is supported only on R77.30 and higher.

Before you enable the Threat Extraction blade, you must deploy the gateway as a Mail Transfer Agent.

The Threat Extraction blade removes potentially malicious content (active content such as macros, embedded objects and JavaScript) from files attached to email before they enter the corporate network. It can either strip the risky parts and deliver the rest of the file in its original format, or deliver a simpler version of the file in PDF format that keeps text and formatting but none of the active content.

Microsoft Office documents support many features that can pose a threat to the corporate network. For example:

  • Queries to databases where the query contains a password in the clear
  • Embedded objects
  • Macros and other embedded script code that can be exploited to deliver malware
  • Hyperlinks to sensitive information
  • Custom properties with sensitive information
  • Automatic saves that keep archives of deleted data
  • Sensitive document statistics such as owner, creation and modification dates
  • Summary properties
  • User names

PDF documents support features such as:

  • Launch, sound, movie and URI actions
  • JavaScript actions that run code in the reader's JavaScript interpreter
  • Submit actions that transmit the values of selected form fields to a specified URL
  • Incremental updates that keep earlier versions of the document inside the file
  • Document statistics that show creation and modification dates and changes to hyperlinks
  • Summarized lists of properties
  • Lists of user names
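The following is an added example, not part of the Check Point documentation or the blade's own engine. It shows how a practitioner can inspect a delivered attachment for the active-content classes listed above, for instance to confirm what the blade actually removed. The PDF name objects and OOXML package parts it looks for are this example's own assumptions drawn from the feature lists above, and the PDF and .docx inputs are constructed inline.

```python
"""Added example (not Check Point code): inspect an attachment for the active
content classes listed above, e.g. to verify what Threat Extraction delivered.
The PDF keys and OOXML part names are this example's own assumptions, not the
blade's internal rules."""
import io
import re
import zipfile

# PDF name objects behind the PDF features listed above: /JavaScript and /JS
# run script, /Launch starts a program, /SubmitForm posts form fields to a URL,
# /OpenAction and /AA fire actions automatically, /Sound, /Movie and /URI are
# the media and link actions.
PDF_ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/SubmitForm",
                   b"/OpenAction", b"/AA", b"/Sound", b"/Movie", b"/URI")

# Zip members of an OOXML package (docx/xlsx/pptx) that carry macros,
# embedded OLE objects or external data connections.
OOXML_ACTIVE_PARTS = re.compile(
    r"vbaProject\.bin$|/embeddings/|/externalLinks/|/connections\.xml$",
    re.IGNORECASE)


def pdf_findings(data: bytes) -> dict:
    """Report risky PDF keys and whether earlier revisions survive in the file."""
    keys = sorted(k.decode() for k in PDF_ACTIVE_KEYS
                  if re.search(re.escape(k) + rb"(?![A-Za-z])", data))
    # An incrementally updated PDF has several %%EOF markers and a /Prev
    # pointer to the previous xref table, so "deleted" content is still there.
    incremental = data.count(b"%%EOF") > 1 or b"/Prev" in data
    return {"active_keys": keys, "incremental_update": incremental}


def ooxml_findings(data: bytes) -> dict:
    """Report OOXML package parts that indicate macros or embedded objects."""
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
    return {"active_parts": sorted(n for n in names if OOXML_ACTIVE_PARTS.search(n))}


def is_clean(findings: dict) -> bool:
    """True when no finding in the report is set."""
    return not any(findings.values())


# Constructed samples: a PDF that runs JavaScript when opened, a PDF with
# none of the listed features, and a skeletal OOXML package built below.
SAMPLE_PDF_ACTIVE = (b"%PDF-1.4\n"
                     b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
                     b"3 0 obj << /S /JavaScript /JS (app.alert('x')) >> endobj\n"
                     b"trailer << /Root 1 0 R >>\n%%EOF\n")
SAMPLE_PDF_CLEAN = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                    b"trailer << /Root 1 0 R >>\n%%EOF\n")


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed sample: minimal OOXML package, optionally with a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        if with_macro:
            pkg.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, report in (("active pdf", pdf_findings(SAMPLE_PDF_ACTIVE)),
                          ("clean pdf", pdf_findings(SAMPLE_PDF_CLEAN)),
                          ("macro docx", ooxml_findings(build_sample_docx(True))),
                          ("clean docx", ooxml_findings(build_sample_docx(False)))):
        print(f"{label}: {'clean' if is_clean(report) else report}")
```

Run the cleaned attachment through `pdf_findings` or `ooxml_findings` next to the original: the original should report the keys or parts, the cleaned copy should come back clean. A PDF produced by the Convert to PDF method should also show a single %%EOF, because conversion does not carry over incremental-update history.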

Enabling the Threat Extraction Blade

Important: Before enabling the Threat Extraction blade, make sure the R77.30 Add-on is installed on the Security Management Server. For more about the add-on, see the R77.30 Release Notes.

To enable the Threat Extraction Blade:

  1. In SmartDashboard, right-click the R77.30 gateway object and select Edit.

    The Gateway Properties window opens.

  2. On the General Properties > Network Security tab, select:
    • Firewall
    • Threat Extraction

    The Threat Extraction First Time Activation Wizard opens.

  3. Enable the gateway as a Mail Transfer Agent (MTA).

    From the drop-down box, select a mail server for forwarded emails.

  4. Click Next.
  5. Click Finish.

    Note: In a ClusterXL HA environment, do this once for the cluster object.

Configuring LDAP

If you use LDAP for user authentication, you must activate User Directory for Security Gateways.

To activate User Directory:

  1. Open SmartDashboard > Global Properties.
  2. On the User Directory page, select Use User Directory for Security Gateways.
  3. Click OK.

Configuring the Threat Extraction Blade

Threat Extraction settings are configured:

  • On the Security Gateway object or cluster object
  • In Threat Prevention Profiles
  • On the Threat Prevention tab > Advanced > Engine Settings page.

Configuring the Security Gateway

  1. Open SmartDashboard.
  2. Open the gateway properties > Threat Extraction page.
  3. Set the Activation Mode to Active.
  4. Allocate disk space resources.
  5. Click OK.

Configuring a Cluster

  1. Open SmartDashboard.
  2. Open the ClusterXL and VRRP page.
  3. Select High Availability.
  4. In the Upon cluster Member recovery section, select Switch to higher priority Cluster Member.
  5. On the Cluster Members page, make sure the primary member (the member at the top of the list, which automatically becomes the active member) has sufficient memory and CPU resources for Threat Extraction.
  6. Enable the Threat Extraction Blade:
    1. On the General Properties > Network Security tab, select:
      • Firewall
      • Threat Extraction

      The Threat Extraction First Time Activation Wizard opens.

    2. Enable the gateway as a Mail Transfer Agent (MTA).
    3. From the drop-down box, select a mail server for forwarded emails.
    4. Click Next.
    5. Click Finish.
  7. In the Cluster Properties window, open Other > Threat Extraction.
  8. Set the Activation Mode to Active.
  9. Allocate disk space resources.
  10. Click OK.
  11. Install policy.

Configuring the Threat Prevention Profile

  1. Open SmartDashboard.
  2. On the Threat Prevention tab, open Profiles.
  3. Right-click a profile and select Edit.

    The profile's properties window opens.

  4. On the General Properties page in the Blade Activation area, select Threat Extraction.
  5. On the Threat Extraction Settings page, configure:

    UserCheck Messages

    • Allow the user to access the original file

      The recipient can download the unmodified attachment from the UserCheck Portal. Since the original still contains the content that was extracted, enable this only where users need it.

    • Allow access to original files that are not malicious according to Threat Emulation

      Note: This option is only configurable when the Threat Emulation blade is activated in the General Properties pane of the profile.

    • UserCheck Message

      Select the message to show the user.

    Protocols

    • Mail (SMTP)

      Click Configure to set the maximum MIME nesting level for emails that contain nested MIME content.

    Extraction Method

    • Extract potentially malicious parts from files

      Click Configure to select which malicious parts the blade extracts, for example macros or JavaScript.

    • Convert to PDF

      Converts the file to PDF, and keeps text and formatting.

      Note - If you use PDFs in Right-to-Left languages or Asian fonts, we recommend that you DO NOT select the Convert to PDF option. Otherwise, the formatting and content in the PDF can be significantly changed. Select the Extract potentially malicious parts from files option instead to make sure that these files are processed correctly.

    Extraction Settings

    • Process all files
    • Process malicious files when the confidence level is:

      Set a low, medium or high confidence level. This option is only configurable when the Threat Emulation blade is activated in the General Properties pane of the profile.

    File Types

    • Process all supported file types
    • Process specific file types

      Click Configure to select file types.

  6. On the Exclude/Include Users page, configure these settings:
    • Scan all mail

      Click Exceptions to exclude specified users, groups, recipients or senders.

    • Scan mail only for specific users or groups

      Click Configure to select specified User Groups, Recipients or Senders.

      Note:

      • A user is an object that can contain an email address with other details.
      • A group is an AD group or LDAP group of users.
      • A recipient is an email address only.

    Important: In Global Properties > User Directory, make sure that you have selected the Use User Directory for Security Gateways option.

  7. On the Advanced page, configure these settings:

    Logging

    • Log only those files from which threats were extracted
    • Log every file

    Threat Extraction Exceptions

    • Corrupted files

      Block or Allow corrupted files attached to the email. Corrupted files are files the blade fails to process, possibly because the format is incorrect. Despite the incorrect format, the related application (Word, Adobe Reader) can sometimes still show the content.

      Block removes the corrupt attachment and sends the recipient a text describing how the attachment contained potentially malicious content. You can also choose to block corrupt files only if they are malicious according to Threat Emulation. If the action is Block, you can additionally deny access to the original corrupted file.

      Allow lets the recipient receive the corrupt file attachment unchanged.

    • Encrypted files

      Block or Allow encrypted files attached to the email.

      Block removes the encrypted attachment and sends the recipient a text file describing how the attachment contained potentially malicious content.

      If the action is block, you can also deny access to the original encrypted file.

      Allow lets the recipient receive the encrypted attachment.

    • Signed emails

      Allow or Clean signed emails.

      Signed emails are not encrypted, but the mail contents are signed to authenticate the sender. If the received email differs from the email that was sent, the digital signature is no longer valid and the recipient gets a warning.

      Clean replaces the original attachment with an attachment cleaned of threats, or converts the attachment to PDF form. Both actions invalidate the digital signature. If the attachment does not include active content, the mail remains unmodified and the digital signature valid.

      Allow does not change the email. The digital signature remains valid. Select this option to prevent altering digital signatures.

  8. Click OK.
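The maximum MIME nesting level configured under Mail (SMTP) in step 5 matters because attackers bury attachments inside several layers of multipart/mixed to push them past the depth a scanner will unpack. The following is an added example, not Check Point code and not a description of how the blade's engine enforces its limit: it measures the nesting depth of a message with Python's standard email library and shows which named attachments sit at or below a given limit. The depth convention (top-level message is level 0, each multipart container adds one) and the nested sample message are this example's own.

```python
"""Added example (not Check Point code): measure MIME nesting depth and show
which attachments a scanner that stops at a configured maximum nesting
level would still reach. Depth convention and sample message are this
example's own."""
import email
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText


def walk_with_depth(part, depth=0):
    """Yield (part, depth): the top-level message is depth 0 and each
    multipart/* or message/rfc822 container adds one level."""
    yield part, depth
    if part.is_multipart():
        for child in part.get_payload():
            yield from walk_with_depth(child, depth + 1)


def mime_depth(msg) -> int:
    """Deepest level at which a leaf (non-container) part sits; 0 for a flat message."""
    return max((depth for part, depth in walk_with_depth(msg)
                if not part.is_multipart()), default=0)


def classify_attachments(msg, max_level: int) -> dict:
    """Split named attachments into those at or above the limit and those
    buried deeper, which an engine enforcing the limit would not unpack."""
    inspected, beyond = [], []
    for part, depth in walk_with_depth(msg):
        name = None if part.is_multipart() else part.get_filename()
        if name is None:
            continue
        (inspected if depth <= max_level else beyond).append((depth, name))
    return {"inspected": inspected, "beyond_limit": beyond}


def _attachment(data: bytes, filename: str) -> MIMEApplication:
    part = MIMEApplication(data, Name=filename)
    part.add_header("Content-Disposition", "attachment", filename=filename)
    return part


def build_nested_sample(wrappers: int) -> bytes:
    """Constructed sample: report.pdf attached directly to the message and
    payload.docx wrapped in `wrappers` extra multipart/mixed layers."""
    inner = _attachment(b"PK\x03\x04", "payload.docx")
    for _ in range(wrappers):
        wrapper = MIMEMultipart("mixed")
        wrapper.attach(inner)
        inner = wrapper
    outer = MIMEMultipart("mixed")
    outer["From"] = "sender@example.org"
    outer["To"] = "user@corp.example"
    outer["Subject"] = "nested attachment sample"
    outer.attach(MIMEText("See attached."))
    outer.attach(_attachment(b"%PDF-1.4", "report.pdf"))
    outer.attach(inner)
    return outer.as_bytes()


def parse_sample(wrappers: int):
    """Round-trip the constructed sample through bytes, as an MTA hands it over."""
    return email.message_from_bytes(build_nested_sample(wrappers))


if __name__ == "__main__":
    msg = parse_sample(3)
    print("nesting depth:", mime_depth(msg))
    print(classify_attachments(msg, max_level=2))
```

With three extra wrappers, report.pdf sits at level 1 and payload.docx at level 4, so a limit of 2 leaves the buried document uninspected. Messages from the mail flow can be fed to `mime_depth` to see how deep legitimate mail actually nests before choosing the limit.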

Configuring Advanced Engine Settings for Threat Extraction

Advanced engine settings let you configure file type support and mail signatures for Threat Extraction.

To configure file type support:

  1. Open SmartDashboard.
  2. On the Threat Prevention tab, open Advanced > Engine Settings.
  3. In the Threat Extraction Settings area, click Configure file type support.

    The File Types Support window opens.

  4. From the list select which file types the Threat Extraction blade supports.
  5. Click OK.

To configure mail signatures:

  1. Open SmartDashboard.
  2. On the Threat Prevention tab, open Advanced > Engine Settings.
  3. In the Threat Extraction Settings area, click Configure Mail Signatures.

    The Threat Extraction Mail Signatures window opens.

    Use this window to configure text for:

    • Mail signatures for attachments with potential threats extracted

      The first signature is always attached to mail that has had threats extracted.

      The second signature is added to the first if the email recipient has access to the original file.

    • Mail signatures for unmodified attachments

    Predefined field codes can be inserted into the signature text, such as:

    • A link to the file before it was modified by the blade.

      The link opens the UserCheck Portal. The portal shows a list of attachments the recipient can download.

    • Reference ID.

      Use this ID to send the recipient the file. You can also find the ID in the logs.

      On the gateway, run the command: scrub send_orig_email.

  4. Click OK.

Threat Extraction Statistics

You can see Threat Extraction statistics in SmartDashboard, and by running a number of commands on the CLI.

In SmartDashboard:

  1. Open Threat Prevention tab > Overview.
  2. Scroll to Latest Malware Activity.
  3. Click Extracted Files.

On the CLI:

  1. Open the command line interface of the gateway with the Threat Extraction enabled.
  2. Run these commands:
    • cpview
    • cpstat scrub -f threat_extraction_statistics

Using the Gateway CLI

The R77.30 gateway has a Threat Extraction menu to:

  • Control debug messages
  • Get information on queues
  • Send the initial email attachments to recipients

To use the Threat Extraction command line:

  1. Log in to the Security Gateway.
  2. Enter expert mode.
  3. Enter: scrub

    A menu shows these options:

    debug

      Controls debug messages.

    queues

      Shows information on Threat Extraction queues. Use this command to understand the queue status and the load on the mail transfer agent (MTA) and the scrubd daemon. The command shows:

      • Current number of pending requests from the MTA to the scrubd daemon
      • Maximum number of pending requests from the MTA to the scrubd daemon
      • Current number of pending requests from scrubd to scrub_cp_file_convert
      • Maximum number of pending requests from scrubd to scrub_cp_file_convert

    send_orig_email

      Sends the original email to its recipients. To send the original email, you need:

      • The reference number - found by clicking the link in the email the user received
      • The email ID - found in the SmartView Tracker logs or the debug logs

    bypass

      Bypasses all files. Use this command to debug issues with the scrub (Threat Extraction) daemon. When bypass is on, requests from the mail transfer agent (MTA) to the scrub daemon are not handled: Threat Extraction is suspended, no files are cleaned, and attachments pass to recipients unmodified. Turn bypass off as soon as debugging is complete.

Troubleshooting the Threat Extraction Blade

This section covers common problems and solutions.

The Threat Extraction blade fails to extract threats from emails belonging to LDAP users

In Global Properties > User Directory, make sure that you have selected the Use User Directory for Security Gateways option.

Mails with threats extracted do not reach recipients

  1. Make sure the gateway passed the MTA connectivity test in the Threat Extraction First Time Activation Wizard.
    1. Disable then enable the Threat Extraction blade.
    2. Complete the First Time Activation Wizard again.
    3. Make sure the wizard passes the connectivity test.
  2. Test the connection to the target MTA.
    1. Open a command prompt on the gateway.
    2. Telnet to port 25 of the designated Mail Transfer Agent and make sure the server answers with its SMTP greeting (a 220 response).

Threat Extraction fails to extract threats from emails

  1. Open SmartDashboard > Gateway Properties > Mail Transfer Agent.
  2. Make sure you selected Enable as Mail Transfer Agent.
  3. On the organization's mail relay, configure the Threat Extraction gateway as the relay's next hop, so that inbound mail actually passes through the gateway.

Users have stopped receiving emails

  1. On the gateway command line interface, run: scrub queues.

    If the queues are flooded with requests, the Threat Extraction load is too high for the gateway.

    1. Temporarily bypass the scrub daemon.

      Run: scrub bypass on.

      While bypass is on, attachments are delivered without being cleaned (see Using the Gateway CLI), so keep this window short.

    2. Ask affected users if they are now receiving their emails. If they are, Threat Extraction load is the cause. Reactivate Threat Extraction:

      Run: scrub bypass off.

  2. Make sure the Postfix mail queue on the gateway is not full.
    1. List the queue. Run:

      /opt/postfix/usr/sbin/postqueue -c /opt/postfix/etc/postfix/ -p

    2. If messages are queued, first flush the queue. Flushing forcefully resends queued emails without losing them. Run:

      /opt/postfix/usr/sbin/postfix -c /opt/postfix/etc/postfix/ flush

    3. Only if the queue stays full and losing the queued emails is acceptable, empty the queue. Run:

      /opt/postfix/usr/sbin/postsuper -c /opt/postfix/etc/postfix/ -d ALL

      Warning: Emptying the queue deletes all queued emails. They are not delivered.

  3. If queues remain full, make sure that the MTA is not overloading the gateway with internal requests. The MTA should be scanning only emails from outside of the organization.
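Before choosing between flushing and deleting the queue in step 2, it helps to see what is actually stuck and why. The following is an added example, not Check Point code: a small parser for the output of the postqueue -p command above (the standard Postfix mailq listing) that summarises the queue by state and deferral reason. The queue listing embedded in it is constructed sample data; on a gateway you would capture the real output of /opt/postfix/usr/sbin/postqueue -c /opt/postfix/etc/postfix/ -p and pass it to parse_postqueue.

```python
"""Added example (not Check Point code): parse 'postqueue -p' output and
summarise what is queued, so the flush-versus-delete decision rests on
evidence. SAMPLE_POSTQUEUE is constructed data in standard mailq format."""
import re
from collections import Counter

# Constructed sample of:
#   /opt/postfix/usr/sbin/postqueue -c /opt/postfix/etc/postfix/ -p
# '*' marks a message in the active queue, '!' a held message, and a line in
# parentheses gives the reason a deferred message is still waiting.
SAMPLE_POSTQUEUE = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3A1F2B3C4D*    5120 Tue Jun  2 10:14:05  alice@example.org
                                         bob@corp.example

4B2E3C4D5E     2048 Tue Jun  2 10:09:51  carol@example.org
(connect to mail.corp.example[192.0.2.25]:25: Connection refused)
                                         dave@corp.example

6D4A5B6C7D     4096 Tue Jun  2 10:05:30  erin@example.org
(connect to mail.corp.example[192.0.2.25]:25: Connection refused)
                                         frank@corp.example

5C3F4D5E6F!    1024 Tue Jun  2 09:58:12  grace@example.org
                                         heidi@corp.example

-- 12 Kbytes in 4 Requests.
"""

ENTRY_RE = re.compile(r"^([0-9A-Za-z]{6,})([*!]?)\s+(\d+)\s+"
                      r"(\w{3}\s+\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s*$")
REASON_RE = re.compile(r"^\((.*)\)\s*$")
RECIPIENT_RE = re.compile(r"^\s+(\S+@\S+)\s*$")
FOOTER_RE = re.compile(r"^-- (\d+) Kbytes in (\d+) Requests")
STATE = {"*": "active", "!": "hold", "": "deferred"}


def parse_postqueue(text: str) -> dict:
    """Return {'entries': [...], 'footer': {...}} from a postqueue -p listing."""
    entries, footer, current = [], {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            qid, flag, size, arrival, sender = m.groups()
            current = {"id": qid, "state": STATE[flag], "size": int(size),
                       "arrival": arrival, "sender": sender,
                       "recipients": [], "reason": None}
            entries.append(current)
            continue
        m = FOOTER_RE.match(line)
        if m:
            footer = {"kbytes": int(m.group(1)), "requests": int(m.group(2))}
            continue
        if current is None:
            continue                      # column header or stray text
        m = REASON_RE.match(line)
        if m:
            current["reason"] = m.group(1)
            continue
        m = RECIPIENT_RE.match(line)
        if m:
            current["recipients"].append(m.group(1))
        elif not line.strip():
            current = None                # blank line closes the entry
    return {"entries": entries, "footer": footer}


def summarize(parsed: dict) -> dict:
    """Count messages by queue state and by deferral reason."""
    entries = parsed["entries"]
    return {
        "total": len(entries),
        "by_state": dict(Counter(e["state"] for e in entries)),
        "reasons": dict(Counter(e["reason"] for e in entries if e["reason"])),
        # Postfix's own footer count should agree with what we parsed.
        "matches_footer": parsed["footer"].get("requests") == len(entries),
    }


if __name__ == "__main__":
    print(summarize(parse_postqueue(SAMPLE_POSTQUEUE)))
```

A queue dominated by deferred messages with one repeated connection error points at the next-hop mail server rather than at Threat Extraction itself, and a flush is the right first step; only messages that keep failing after that are candidates for deletion.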

Users have no access to original attachments

Make sure users are able to access the UserCheck portal from the e-mail they get when an attachment is cleaned.

  1. Click the link sent to users.
  2. Make sure that the UserCheck Portal opens correctly.
  3. If users are not able to access the UserCheck portal but see the Gaia portal instead, make sure that accessibility to the UserCheck portal is correctly configured.
    1. In SmartDashboard, open Gateway Properties > UserCheck.
    2. Under Accessibility, click Edit.
    3. Make sure the correct option is selected according to the topology of the gateway.
  4. Open CPView.

    Make sure the access to original attachments statistic is no longer zero.

Attachments are not scanned by Threat Extraction

The scanned attachment statistic in CPView fails to increment.

On the gateway:

  1. Make sure that the disk or directories on the gateway are not full.
    1. Run df -h / to check the root file system
    2. Run df -h /var/log
  2. Make sure directories used by Threat Extraction can be written to.

    Run:

    1. touch /tmp/scrub/test
    2. touch /var/log/jail/tmp/scrub/test
    3. touch $FWDIR/tmp/email_tmp/test

CPView shows Threat Extraction errors

In CPView > Software-blades > Threat-extraction > File statistics, the number of internal errors is high compared to the total number of emails.

  1. Open SmartView Tracker or SmartLog.
  2. Select the Threat Extraction Blade.
  3. Add the column for the Threat Extraction Activity and look for errors.

If the ThreatSpect engine is overloaded or fails while inspecting an attachment, a log is generated. By default the engine fails open: attachments that caused such errors are still sent to email recipients. To prevent these attachments being sent, set the engine's fail mode to Block all connections (fail-close).

  1. In SmartDashboard, open Threat Prevention > Advanced > Engine Settings.
  2. Under Fail Mode, select Block all connections (fail-close).

The Threat Extraction blade continues to scan, but attachments that generate internal system errors are prevented from reaching the recipient.

Corrupted attachments cannot be cleaned, and by default generate log entries in SmartView Tracker and SmartLog. Corrupted attachments are still sent to the email recipient. To prevent corrupted attachments from reaching the recipient:

  1. In SmartDashboard, open Threat Prevention > Profiles > Profile > Threat Extraction Settings > Advanced.
  2. In the Threat Extraction Exceptions area, set Corrupted files to Block.

Attachments look disordered after conversion to PDF

  1. On the Threat Prevention tab, open Profiles > Profile > Threat Extraction settings.
  2. In the File Types area, select Process specific file types and click Configure.

    The File Types Configuration window opens.

  3. For the pdf file type, set the extraction method to Extract potentially malicious parts from files (clean) instead of Convert to PDF, so the active content is removed without re-rendering the document.
 
©2015 Check Point Software Technologies Ltd. All rights reserved.