Threat Extraction is a technology that removes potentially malicious features that are known to be risky (macros, embedded objects and more) from files. This is a new approach to Threat Prevention: instead of determining whether a file is malicious or not, Threat Extraction cleans the file before it enters the organization. Threat Extraction prevents both known and unknown threats before they reach the organization, thus providing better protection against zero-day threats. This approach is considerably quicker than sandboxing the file with Threat Emulation, so it has a much lower impact on user experience. Because the two blades support different file types, Threat Extraction should always be used in combination with Threat Emulation.
Important: since R80.30, Threat Extraction supports HTTP/HTTPS.
Supported file formats
Threat Extraction supports the following primary file formats. Many other formats (such as Windows Metafile) that are commonly associated with these primary formats are also supported.
The Threat Extraction blade is supported on Security Gateways in VSX mode in R80.10 and above.
Threat Extraction processes files over these protocols:
over SMTP in MTA mode
over HTTP/HTTPS with the browser extension and with SandBlast Agent
Starting from R80.30, Threat Extraction supports HTTP/S extraction "inline", without the SandBlast Agent for Browsers browser extension.
Digital signatures
In MTA mode it is possible to clean signed emails: in the Threat Prevention profile, under mail -> Exceptions -> signed email attachments, change the setting to "clean".
The attachments in such mails will be cleaned; the mail itself still contains the signature, which will now be invalid.
In general, Threat Extraction does not support extraction for all supported file types when they carry digital signatures.
PDFs with digital signatures have the following behavior:
If the file contains encrypted objects with a digital signature and the document contains objects that Threat Extraction should remove, an error indicating this is shown in the SmartConsole log. In MTA mode and in Threat Extraction for web, Threat Emulation scans the file, and only if it is benign does the original reach the end user.
If the file contains encrypted objects with a digital signature and the document does not contain objects that Threat Extraction should remove, the original reaches the end user with no errors.
If the file contains a digital signature without encrypted objects, the file is cleaned and the digital signature is broken; the end user sees a warning that someone tampered with the document.
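As an added illustration (not Check Point's code, and not the blade's real PDF parser), a small Python triage helper that maps a PDF to the three signed-PDF outcomes listed above, useful when explaining to a user why a given file was or was not cleaned. The byte markers it scans for, and especially which object types count as "objects Threat Extraction should remove", are assumptions for this example, and the sample PDFs are constructed here:

```python
import re

# Markers for the three signed-PDF cases described above. Which object types
# count as "risky" is an assumption for this example (the page only says the
# blade removes macros, embedded objects and more); a real implementation
# would parse the PDF object tree rather than scanning raw bytes.
SIGNATURE_RE = re.compile(rb"/Type\s*/Sig\b")
ENCRYPT_RE = re.compile(rb"/Encrypt\b")
RISKY_RE = re.compile(rb"/(JavaScript|JS|EmbeddedFile|Launch)\b")

def classify_pdf(data: bytes) -> str:
    """Map a PDF byte string to the expected Threat Extraction outcome."""
    signed = bool(SIGNATURE_RE.search(data))
    encrypted = bool(ENCRYPT_RE.search(data))
    risky = bool(RISKY_RE.search(data))
    if not signed:
        return "cleaned"                    # no signature: normal extraction
    if encrypted and risky:
        return "error, Threat Emulation decides delivery"
    if encrypted:
        return "original delivered, no error"
    return "cleaned, signature broken"      # user sees a tampering warning

def build_pdf(objects: bytes = b"", trailer_extra: bytes = b"") -> bytes:
    """Constructed minimal PDF skeleton used only as sample input here."""
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            + objects +
            b"trailer << /Root 1 0 R " + trailer_extra + b">>\n%%EOF\n")

# Constructed fragments: a signature dictionary, a JavaScript action and an
# /Encrypt entry in the trailer (document-level encryption).
SIG_OBJ = b"3 0 obj << /Type /Sig /Filter /Adobe.PPKLite >> endobj\n"
JS_OBJ = b"4 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
ENC_TRAILER = b"/Encrypt 5 0 R "

SAMPLES = {
    "unsigned": build_pdf(JS_OBJ),
    "signed_encrypted_risky": build_pdf(SIG_OBJ + JS_OBJ, ENC_TRAILER),
    "signed_encrypted_benign": build_pdf(SIG_OBJ, ENC_TRAILER),
    "signed_not_encrypted": build_pdf(SIG_OBJ + JS_OBJ),
}

if __name__ == "__main__":
    for name, pdf in SAMPLES.items():
        print(f"{name}: {classify_pdf(pdf)}")
```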