Threat Extraction - General

What can I do here?

Use this window to configure:

• UserCheck settings
• Mail Protocol
• Extraction Settings
• File types

Getting Here - Security Policies > Threat Prevention > Policy > Threat Tools > Profiles > Profile > Edit > Threat Extraction > General

Configuring Threat Extraction Settings

To configure Threat Extraction settings for a Threat Prevention profile:

1. In the Security Policies view > Threat Tools section, click Profiles.
2. Right-click a profile and select Edit.

   The Profiles properties window opens.

3. On the General Policy page in the Blade Activation area, select Threat Extraction.
4. Configure these Threat Extraction Settings:
   • General
   • Advanced.
5. Click OK.

Note - You can configure some of the Threat Extraction features in a configuration file, in addition to the CLI and GUI. See sk114613.

Threat Extraction General Settings

On the Threat Extraction > General page, you can configure these settings:

UserCheck Settings

• Allow the user to access the original file
• Allow access to original files that are not malicious according to Threat Emulation

  Note - This option is only configurable when the Threat Emulation blade is activated in the General Properties pane of the profile.

• UserCheck Message

  Select a message to show the user when the user receives the clean file. In this message, the user selects if they want to download the original file or not. To select the success or cancelation messages of the file download, go to Manage & Settings > Blades > Threat Prevention > Advanced Settings > UserCheck. You can create or edit UserCheck messages on the UserCheck page. You can customize a UserCheck message only for SMTP files. For HTTP files (supported on R80.30 gateways and above), the message which the user gets is not customizable in SmartConsole. You can only customize it on the gateway.

  • Optional: To give the user access to the original email, you can add the Send Original Mail field in the Threat Extraction Success Page. Go to Threat Prevention > Threat Tools > UserCheck > Threat Extraction Success Page > Right-click > Clone > Click inside the message > Insert Field > Select Send Original Mail.

    Send Original Mail is added to the message body.

Protocol

• Web (HTTP/HTTPS) - Supported from R80.30 gateways and above. To allow web support, enable HTTPS Inspection. By default, Threat Extraction web support works on these standard ports: HTTP - Port 80, HTTPS - Port 443, HTTPS Proxy - 8080.

  To enable web support on other ports, create a new TCP service. In General > Protocol select HTTP, and in Match By, select Customize and enter the required port number.

  Notes:

  • After a file is scanned by the Threat Extraction blade, the user receives a message on the action that was done on the file. To customize the message, see sk142852.
  • Threat Extraction web support applies to web downloads, but not web uploads.
• Mail (SMTP) - Click Mail to configure the SMTP traffic inspection by the Threat Extraction blade. This links you to the Mail page of the Profile settings.

For information on storage of the original files, see Storage of Original Files.

Extraction Method

• Extract potentially malicious parts from files - Selected by default

  Click Configure to select which malicious parts the blade extracts. For example, macros, JavaScript, images and so on.

• Convert to PDF - Converts the file to PDF, and keeps text and formatting. Best Practice - If you use PDFs in right-to-left languages or Asian fonts, preferably select Extract files from potential malicious parts to make sure that these files are processed correctly.

Extraction Settings

• Process all files - selected by default
• Process malicious files when the confidence level is:

  Set a low, medium or high confidence level. This option is only configurable when the Threat Emulation blade is activated in the General Properties pane of the profile.

File Types

• Process all enabled file types - This option is selected by default. Click the blue link to see the list of supported file types. Out of the supported file types, select the files to be scanned by the Threat Extraction blade.

  Note - you can find this list of supported file types also in Manage & Settings view > Blades > Threat Prevention > Advanced Settings > Threat Extraction > Configure File Type Support.

• Process specific file type families -

  Here you can configure a different extraction method for certain file types. Click Configure to see the list of enabled file types and their extraction methods. To change the extraction method for a file type, right-click the file type and select: bypass, clean or convert to pdf. You can select a different extraction method for Mail and Web.

Notes:

• Supported file types for web are: Word, Excel, PowerPoint and PDF.

For e-mail attachments:

• For jpg, bmp, png, gif, and tiff files - Threat Extraction supports only extraction of potentially malicious content.
• For hwp, jtd, eps, files - Threat Extraction supports only conversion to pdf.
• For Microsoft Office and PDF files and all other file types on the list - Threat Extraction supports both extraction of potentially malicious content and conversion to pdf.
• You can also configure supported file types in the configuration file. For explanation, see sk112240.

Protected Scope

Threat Extraction protects incoming files from external interfaces and DMZ. The user cannot configure the protected scope.

Threat Extraction Advanced Settings

On the Threat Extraction > Advanced page, you can configure these settings:

• Logging
  • Log only those files from which threats were extracted - Logs only files on which an operation was performed (clean or convert).
  • Log every file - Every file that is selected in Threat Extraction > General > File Types is logged, even if no operation was performed on them.
• Threat Extraction Exceptions
  • Corrupted files

    Block or Allow corrupted files attached to the email or downloaded from the web. Corrupted files are files the blade fails to process, possibly because the format is incorrect. Despite the incorrect format, the related application (Word, Adobe Reader) can sometimes show the content.

    Block removes the corrupted file and sends the recipient a text which describes how the file contained potentially malicious content. You can block corrupt files if they are malicious according to Threat Emulation. If the action is block, you can deny access to the original corrupted file.

    Allow lets the recipient receive the corrupted file.

  • Encrypted files

    Block or Allow encrypted files attached to the email or downloaded from the web.

    Block removes the encrypted file and sends the recipient a text file which describes how the file contained potentially malicious content.

    If the action is block, you can also deny access to the original encrypted file.

    Allow lets the recipient receive the encrypted file.