Threat Extraction

Threat Extraction - General

What can I do here?

Use this window to configure:

UserCheck settings
Mail Protocol
Extraction Settings
File types

Getting Here - Security Policies > Threat Prevention > Policy > Threat Tools > Profiles > Profile > Edit > Threat Extraction > General

Configuring Threat Extraction Settings

To configure Threat Extraction settings for a Threat Prevention profile:

In the Security Policies view > Threat Tools section, click Profiles.
Right-click a profile and select Edit.
The Profiles properties window opens.
On the General Policy page in the Blade Activation area, select Threat Extraction.
Configure these Threat Extraction Settings:
- General
- Advanced.
Click OK.

Note - You can configure some of the Threat Extraction features in a configuration file, in addition to the CLI and GUI. See sk114613.

Threat Extraction General Settings

On the Threat Extraction > General page, you can configure these settings:

UserCheck Settings
- Allow the user to access the original file
- Allow access to original files that are not malicious according to Threat Emulation
  Note - This option is only configurable when the Threat Emulation blade is activated in the General Properties pane of the profile.
- UserCheck Message
  Select a message to show the user when the user receives the clean file. In this message, the user selects if they want to download the original file or not. To select the success or cancelation messages of the file download, go to Manage & Settings > Blades > Threat Prevention > Advanced Settings > UserCheck. You can create or edit UserCheck messages on the UserCheck page.
- Optional: To give the user access to the original email, you can add the Send Original Mail field in the Threat Extraction Success Page. Go to Threat Prevention > Threat Tools > UserCheck > Threat Extraction Success Page > Right-click > Clone > Click inside the message > Insert Field > Select Send Original Mail.
  Send Original Mail is added to the message body.
Protocol
- Mail (SMTP) - Click Mail to configure the SMTP traffic inspection by the Threat Extraction blade. This links you to the Mail page of the Profile settings.
Extraction Method
- Extract potentially malicious parts from files - Selected by default
  Click Configure to select which malicious parts the blade extracts. For example, macros, JavaScript, images and so on.
- Convert to PDF -
  Converts the file to PDF, and keeps text and formatting.
Best Practice - If you use PDFs in right-to-left languages or Asian fonts, preferably select Extract files from potential malicious parts to make sure that these files are processed correctly.
Extraction Settings
- Process all files - selected by default
- Process malicious files when the confidence level is:
Set a low, medium or high confidence level. This option is only configurable when the Threat Emulation blade is activated in the General Properties pane of the profile.
File Types
- Process all enabled file types - This option is selected by default. Click the blue link to see the list of supported file types. Out of the supported file types, select the files to be scanned by the Threat Extraction blade.
  Note - you can find this list of supported file type also in Manage & Settings view > Blades > Threat Prevention > Advanced Settings > Threat Extraction > Configure File Type Support.
- Process specific file type families -
  Here you can configure a different extraction method for certain file types. Click Configure to see the list of enabled file types and their extraction methods. To change the extraction method for a file type, right-click the file type and select: bypass, clean or convert to pdf.
Notes:
- For jpg, bmp, png, gif, and tiff files - Threat Extraction supports only extraction of potentially malicious content.
- For hwp, jtd, eps, files - Threat Extraction supports only conversion to pdf.
- For Microsoft Office and PDF files and all other file types on the list - Threat Extraction supports both extraction of potentially malicious content and conversion to pdf.
- You can also configure supported file types in the configuration file. For explanation, see sk112240.

Threat Extraction Advanced Settings

On the Threat Extraction > Advanced page, you can configure these settings:

Logging
- Log only those files from which threats were extracted - Logs only files on which an operation was performed (clean or convert).
- Log every file - Every file that is selected in Threat Extraction > General > File Types is logged, even if no operation was performed on them.
Threat Extraction Exceptions
- Corrupted files
  Block or Allow corrupted files attached to the email or downloaded from the web. Corrupted files are files the blade fails to process, possibly because the format is incorrect. Despite the incorrect format, the related application (Word, Adobe Reader) can sometimes show the content.
  
  Block removes the corrupted file and sends the recipient a text which describes how the file contained potentially malicious content. You can block corrupt files if they are malicious according to Threat Emulation. If the action is block, you can deny access to the original corrupted file.
  
  Allow lets the recipient receive the corrupted file.
- Encrypted files
  Block or Allow encrypted files attached to the email or downloaded from the web.
  
  Block removes the encrypted file and sends the recipient a text file which describes how the file contained potentially malicious content.
  
  If the action is block, you can also deny access to the original encrypted file.
  
  Allow lets the recipient receive the encrypted file.