Getting Started with the Threat Extraction Blade
Important: Threat Extraction is supported only on R77.30 and higher.
Before you enable the Threat Extraction blade, you must deploy the gateway as a Mail Transfer Agent.
The Threat Extraction blade extracts potentially malicious content from files before they enter the corporate network. To remove possible threats, the Threat Extraction blade can create a simpler version of the file in PDF format.
Microsoft Office Suite Applications support many features that can pose a threat to the corporate network. For example:
- Queries to databases where the query contains a password in the clear
- Embedded objects
- Macros and JavaScript code that can be exploited to propagate viruses
- Hyperlinks to sensitive information
- Custom properties with sensitive information
- Automatic saves that keep archives of deleted data
- Sensitive document statistics such as owner, creation and modification dates
- Summary properties
- User names
PDF documents with:
- Actions such as launch, sound, or movie URIs
- JavaScript actions that run code in the reader's JavaScript interpreter
- Submit actions that transmit the values of selected fields in a form to a specified URL
- Incremental updates that keep earlier versions of the document
- Document statistics that show creation and modification dates and changes to hyperlinks
- Summarized lists of properties
- Lists of user names
Enabling the Threat Extraction Blade
Important: Before enabling the Threat Extraction blade, make sure the R77.30 Add-on is installed on the Security Management Server. For more about the add-on, see the R77.30 Release Notes.
To enable the Threat Extraction Blade:
- In SmartDashboard, right-click the R77.30 gateway object and select .
The window opens.
- On the tab, select:
The opens.
- Enable the gateway as a (MTA).
From the drop-down box, select a mail server for forwarded emails.
- Click .
- Click .
Note: In a ClusterXL HA environment, do this once for the cluster object.
Configuring LDAP
If you use LDAP for user authentication, you must activate User Directory for Security Gateways.
To activate User Directory:
- Open .
- On the User Directory page, select .
- Click .
Configuring the Threat Extraction Blade
Threat Extraction settings are configured:
- On the Security Gateway object or cluster object
- In Threat Prevention Profiles
- On the Threat Prevention tab > Advanced > Engine Settings page.
Configuring the Security Gateway
- Open SmartDashboard.
- Open the page.
- Set the to .
- Allocate disk space resources.
- Click .
Configuring a Cluster
- Open SmartDashboard.
- Open the page.
- Select .
- In the section, select .
- On the page, make sure the primary member (the member at the top of the list that automatically becomes the active server) has strong memory and CPU resources.
- Enable the Threat Extraction Blade:
- On the tab, select:
The opens.
- Enable the gateway as a (MTA).
- From the drop-down box, select a mail server for forwarded emails.
- Click .
- Click .
- In the Cluster Properties window, open .
- Set the to .
- Allocate disk space resources.
- Click .
- Install policy.
Configuring the Threat Prevention Profile
- Open SmartDashboard.
- On the tab, open .
- Right-click a profile and select .
The profile's properties window opens.
- On the page in the area, select Threat Extraction.
- On the page, configure:
UserCheck Messages
Protocols
Extraction Method
Click to select which malicious parts the blade extracts, for example macros or JavaScript.
Converts the file to PDF, and keeps text and formatting.
Note: If you use PDFs in right-to-left languages or Asian fonts, we recommend that you DO NOT select the option. Otherwise, the formatting and content of the PDF can change significantly. Select the option to make sure that these files are processed correctly.
Extraction Settings
File Types
- On the page, configure these settings:
Click to not include specified users, groups, recipients or senders.
Click to select specified User Groups, Recipients or Senders.
Note:
A user is an object that can contain an email address with other details.
A group is an AD group or LDAP group of users.
A recipient is an email address only.
Important: In , make sure that you have selected the option.
- On the page, configure these settings:
Logging
Threat Extraction Exceptions
Block or Allow corrupted files attached to the email. Corrupted files are files the blade fails to process, possibly because the format is incorrect. Despite the incorrect format, the related application (Word, Adobe Reader) can sometimes show the content.
Block removes the corrupt attachment and sends the recipient a text file explaining that the attachment contained potentially malicious content. You can also block corrupt files if Threat Emulation finds them malicious. If the action is Block, you can also deny access to the original corrupted file.
Allow lets the recipient receive the corrupt file attachment.
Block or Allow encrypted files attached to the email.
Block removes the encrypted attachment and sends the recipient a text file describing how the attachment contained potentially malicious content.
If the action is block, you can also deny access to the original encrypted file.
Allow lets the recipient receive the encrypted attachment.
Allow or Clean signed emails.
Signed emails are not encrypted, but the mail contents are signed to authenticate the sender. If the received email differs from the email that was sent, the recipient gets a warning. The digital signature is no longer valid.
Clean replaces the original attachment with an attachment cleaned of threats, or converts the attachment to PDF form. Both actions invalidate the digital signature. If the attachment does not include active content, the mail remains unmodified and the digital signature valid.
Allow does not change the email. The digital signature remains valid. Select this option to prevent altering digital signatures.
- Click .
Configuring Advanced Engine Settings for Threat Extraction
Advanced engine settings let you configure file type support and mail signatures for the Threat Extraction.
To configure file type support:
- Open SmartDashboard.
- On the tab, open .
- In the s area, click .
The window opens.
- From the list select which file types the Threat Extraction blade supports.
- Click .
To configure mail signatures:
- Open SmartDashboard.
- On the tab, open .
- In the s area, click .
The window opens.
Use this window to configure text for:
Predefined field codes can be inserted into the signature text, such as:
- A link to the file before it was modified by the blade.
The link opens the UserCheck Portal. The portal shows a list of attachments the recipient can download.
- Reference ID.
Use this ID to send the recipient the file. You can also find the ID in the logs.
On the gateway, run the command: scrub send_orig_email .
- Click .
Threat Extraction Statistics
You can see Threat Extraction statistics in SmartDashboard, and by running a number of commands on the CLI.
In SmartDashboard:
- Open tab > .
- Scroll to .
- Click .
On the CLI:
- Open the command line interface of the gateway with the Threat Extraction enabled.
- Run these commands:
cpview
cpstat scrub -f threat_extraction_statistics
Using the Gateway CLI
The R77.30 gateway has a Threat Extraction menu to:
- Control debug messages
- Get information on queues
- Send the initial email attachments to recipients
To use the Threat Extraction command line:
- Log in to the Security Gateway.
- Enter expert mode.
- Enter:
scrub
A menu shows these options:
debug
Controls debug messages.
queues
Shows information on Threat Extraction queues. Using this command helps you understand the queue status and load on the mail transfer agent (MTA) and the scrubd daemon. The command shows:
- Number of pending requests from the MTA to the scrubd daemon
- Maximum number of pending requests from the MTA to the scrubd daemon
- Current number of pending requests from scrubd to scrub_cp_file_convert
- Maximum number of pending requests from scrubd to scrub_cp_file_convert
send_orig_email
Sends the original email to recipients. To send the original email, get:
- The reference number: click the link in the email received by the user.
- The email ID: found in the SmartView Tracker logs or debug logs.
bypass
Bypasses all files. Use this command to debug issues with the scrub (Threat Extraction) daemon. When you set bypass to active, requests from the mail transfer agent (MTA) to the scrub daemon are not handled. Threat Extraction is suspended. No files are cleaned.
Troubleshooting the Threat Extraction Blade
This section covers common problems and solutions.
The Threat Extraction blade fails to extract threats from emails belonging to LDAP users
In , make sure that you have selected the option.
Mails with threats extracted do not reach recipients
- Make sure the gateway passed the MTA connectivity test during the First Time Configuration Wizard.
- Disable then enable the Threat Extraction blade.
- Complete the First Time Configuration Wizard again.
- Make sure the wizard passes the connectivity test.
- Test the connection to the target MTA.
- Open a command prompt on the gateway.
- Telnet to port 25 of the designated Mail Transfer Agent.
Threat Extraction fails to extract threats from emails
- Open .
- Make sure you selected .
- Access the organization's mail relay. Configure the Threat Extraction gateway as the relay's next hop.
Users have stopped receiving emails
- On the gateway command line interface, run:
scrub queues
If the queues are flooded with requests, the Threat Extraction load is too high for the gateway.
- Bypass the scrub daemon.
Run: scrub bypass on
- Ask affected users if they are now receiving their emails. If they are, reactivate Threat Extraction.
To reactivate, run: scrub bypass off
- Make sure the queue is not full.
- Run:
/opt/postfix/usr/sbin/postqueue -c /opt/postfix/etc/postfix/ -p
- If the queue is full, empty the queue.
Run:
/opt/postfix/usr/sbin/postsuper -c /opt/postfix/etc/postfix/ -d ALL
Emptying the queue discards the queued emails.
- To prevent losing important emails, flush the queue instead. Flushing forces a new delivery attempt for all queued emails.
Run:
/opt/postfix/usr/sbin/postfix -c /opt/postfix/etc/postfix/ flush
- If queues remain full, make sure that the MTA is not overloading the gateway with internal requests. The MTA should be scanning only emails from outside of the organization.
Users have no access to original attachments
Make sure users are able to access the UserCheck portal from the e-mail they get when an attachment is cleaned.
- Click the link sent to users.
- Make sure that the UserCheck Portal opens correctly.
- If users see the Gaia portal instead of the UserCheck portal, make sure that access to the UserCheck portal is correctly configured.
- In , open .
- Under , click .
- Make sure the correct option is selected according to the topology of the gateway.
- Open .
Make sure the access to original attachments statistic is no longer zero.
Attachments are not scanned by Threat Extraction
The scanned attachment statistic in CPView fails to increment.
On the gateway:
- Make sure that the disk or directories on the gateway are not full.
- Run df -h on the root directory of the disk.
- Run df -h on /var/log.
- Make sure directories used by Threat Extraction can be written to.
Run:
touch /tmp/scrub/test
touch /var/log/jail/tmp/scrub/test
touch $FWDIR/tmp/email_tmp/test
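The disk, directory and queue checks from the "Users have stopped receiving emails" and "Attachments are not scanned" sections, collected into one read-only health check. This is an added example, not Check Point tooling: the paths and commands are the ones the page names, while the thresholds and function names are assumptions.

```shell
#!/bin/sh
# Added example (not Check Point's own tooling): read-only health check for the
# conditions the troubleshooting section lists. Paths come from the page;
# the thresholds and function names are assumptions.
DISK_WARN_PCT=${DISK_WARN_PCT:-90}   # assumed: warn when a filesystem is this full
QUEUE_WARN=${QUEUE_WARN:-500}        # assumed: warn at this many queued messages
POSTQUEUE="/opt/postfix/usr/sbin/postqueue -c /opt/postfix/etc/postfix/"

# Percent used on the filesystem holding PATH, parsed from POSIX "df -P" output.
disk_usage_pct() {
    df -P "$1" 2>/dev/null | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# Succeeds only if DIR exists and a file can be created in it; the test file is
# removed again, unlike the page's "touch <dir>/test" one-liners.
check_writable() {
    _f="$1/scrub_healthcheck.$$"
    [ -d "$1" ] && : > "$_f" 2>/dev/null && rm -f "$_f"
}

# Number of queued messages, parsed from "postqueue -p" output on stdin. Postfix
# ends the listing with "-- 12 Kbytes in 3 Requests." or "Mail queue is empty".
queue_depth() {
    awk '/^-- / { n = $(NF - 1) } END { print n + 0 }'
}

# Runs every check against the given writable directories; prints one line per
# finding and returns the number of problems found (0 means healthy).
scrub_health() {
    problems=0
    for fs in / /var/log; do
        pct=$(disk_usage_pct "$fs")
        if [ "${pct:-0}" -ge "$DISK_WARN_PCT" ]; then
            echo "WARN: $fs is ${pct}% full"; problems=$((problems + 1))
        fi
    done
    for d in "$@"; do
        check_writable "$d" || { echo "WARN: cannot write to $d"; problems=$((problems + 1)); }
    done
    depth=$($POSTQUEUE -p 2>/dev/null | queue_depth)
    if [ "$depth" -ge "$QUEUE_WARN" ]; then
        echo "WARN: $depth messages queued; run scrub queues to check the load"
        problems=$((problems + 1))
    fi
    return "$problems"
}
# Run from expert mode (FWDIR must be set): sh scrub_health.sh run
if [ "${1:-}" = run ]; then
    scrub_health /tmp/scrub /var/log/jail/tmp/scrub "${FWDIR:?run from expert mode}/tmp/email_tmp"
fi
```

The exit status is the number of findings, so the script can be scheduled and alerted on without parsing its output.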
CPView shows Threat Extraction errors
In CPView > Software-blades > Threat-extraction > File statistics, the number of internal errors is high compared to the total number of emails.
- Open SmartView Tracker or SmartLog.
- Select the Blade.
- Add the column for the Activity and look for errors.
If the ThreatSpect engine is overloaded or fails while inspecting an attachment, a log is generated. By default, attachments responsible for logged errors are still sent to email recipients. To prevent these attachments from being sent, set the engine's fail-over mode to .
- In SmartDashboard, open .
- Under , select .
The Threat Extraction blade continues to scan, but attachments that generate internal system errors are prevented from reaching the recipient.
Corrupted attachments cannot be cleaned, and by default generate log entries in SmartView Tracker and SmartLog. Corrupted attachments are still sent to the email recipient. To prevent corrupted attachments from reaching the recipient:
- In SmartDashboard, open .
- In the area, select for attachments.
Attachments look disordered after conversion to PDF
- On the tab, open .
- In the area, select and click .
The window opens.
- For the pdf file type, set the extraction method to .