Check Point Threat Extraction Technology
Solution

Threat Extraction Overview

Threat Extraction is a technology that removes features known to be risky and potentially malicious from files (macros, embedded objects and more).
This is a new approach to Threat Prevention: instead of determining whether a file is malicious or not, Threat Extraction cleans the file before it enters the organization.
Threat Extraction prevents both known and unknown threats before they reach the organization, and therefore provides better protection against zero-day threats.
This approach is considerably quicker than sandboxing the file with Threat Emulation, so it has a much lower impact on user experience. Because the two blades support different sets of file types, Threat Extraction should always be used in combination with Threat Emulation.
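The following is an added illustration of the "Extract" approach described above, not Check Point's implementation: it rebuilds a macro-enabled Word document (docm) without its VBA project, its relationship entries and its macro-enabled content type, so the result is an ordinary docx that still carries the document text. The sample document is constructed inline; the part names, relationship types and content types are the ones defined by the OOXML and Office specifications.

```python
"""Strip VBA macros from a macro-enabled Word document (docm -> docx).

Added illustration of the "Extract" approach: remove the risky active content
and rebuild a package that still opens. Not Check Point's implementation;
the sample document below is constructed inline.
"""
import io
import re
import zipfile
from typing import List, Tuple

# Package parts and relationship types that carry VBA in a Word file.
VBA_PARTS = {"word/vbaProject.bin", "word/vbaData.xml"}
VBA_REL_TYPES = (
    "http://schemas.microsoft.com/office/2006/relationships/vbaProject",
    "http://schemas.microsoft.com/office/2006/relationships/wordVbaData",
)
VBA_DEFAULT = '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def build_sample_docm() -> bytes:
    """Constructed minimal macro-enabled document (sample input, not a real-world file)."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        + VBA_DEFAULT
        + f'<Override PartName="/word/document.xml" ContentType="{MACRO_CT}"/>'
        '</Types>'
    )
    root_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
        '</Relationships>'
    )
    doc_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{VBA_REL_TYPES[0]}" Target="vbaProject.bin"/>'
        '</Relationships>'
    )
    document = (
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>Invoice attached.</w:t></w:r></w:p>'
        '</w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("_rels/.rels", root_rels)
        z.writestr("word/_rels/document.xml.rels", doc_rels)
        z.writestr("word/document.xml", document)
        # Stand-in for the OLE container that holds the VBA project (magic bytes only).
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


def part_text(doc: bytes, name: str) -> str:
    """Read one package part as text (used to inspect the result)."""
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        return z.read(name).decode("utf-8")


def has_macros(doc: bytes) -> bool:
    """True if the package still carries a VBA part or a macro-enabled content type."""
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        names = set(z.namelist())
    return bool(names & VBA_PARTS) or "macroEnabled" in part_text(doc, "[Content_Types].xml")


def strip_macros(docm: bytes) -> Tuple[bytes, List[str]]:
    """Rebuild the package without VBA parts, their relationships and the
    macro-enabled content type. Returns (cleaned docx bytes, removed part names)."""
    removed: List[str] = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docm)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if name in VBA_PARTS:
                removed.append(name)
                continue  # drop the active content itself
            if name == "[Content_Types].xml":
                text = data.decode("utf-8").replace(VBA_DEFAULT, "").replace(MACRO_CT, PLAIN_CT)
                data = text.encode("utf-8")
            elif name.endswith(".rels"):
                text = data.decode("utf-8")
                for rel_type in VBA_REL_TYPES:  # a dangling relationship would corrupt the package
                    text = re.sub(rf'<Relationship\s[^>]*Type="{re.escape(rel_type)}"[^>]*/>', "", text)
                data = text.encode("utf-8")
            dst.writestr(name, data)
    return out.getvalue(), removed


if __name__ == "__main__":
    cleaned, removed = strip_macros(build_sample_docm())
    print("removed:", removed, "| macros left:", has_macros(cleaned))
```

The three edits (part, relationship, content type) have to go together: Word refuses a package whose relationships point at a missing part, and a document still typed as macroEnabled.main+xml is still treated as a macro document. Real documents also carry word/vbaData.xml and may embed OLE objects and ActiveX controls, which an extraction engine removes in the same way.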

Important: since R80.30, Threat Extraction supports HTTP/HTTPS.


Supported file formats

Threat Extraction supports the following primary file formats. Many other formats (such as Windows Metafile) that are commonly associated with these primary formats are also supported.

Format | Extensions | Mail/Web/Both | Supported methods | Recommended method
Adobe FDF | fdf | Both | Extract / Convert to PDF | Extract
Adobe PDF (all versions) | pdf | Both | Extract / Convert to PDF | Extract
Microsoft Docfile (Microsoft Visio, Microsoft Project, etc.) | - | Mail | Extract / Convert to PDF | Extract
Microsoft Excel 2007 and above | xlsx, xlsb, xlsm, xltx, xltm, xlam | Both | Extract / Convert to PDF | Extract
Microsoft Excel 2007 Binary | xlsb | Both | Extract / Convert to PDF | Extract
Microsoft Excel 97 - 2003 | xls | Both | Extract / Convert to PDF | Extract
Microsoft PowerPoint 2007 and above | pptx, pptm, potx, potm, ppam, ppsx, ppsm | Both | Extract / Convert to PDF | Extract
Microsoft PowerPoint 97 - 2003 | ppt, pps, pot, ppa | Both | Extract / Convert to PDF | Extract
Microsoft Word 2007 and above | docx, docm, dotx, dotm | Both | Extract / Convert to PDF | Extract
Microsoft Word 97 - 2003 | doc, dot | Both | Extract / Convert to PDF | Extract
Rich Text Format | rtf | Both | Extract* / Convert to PDF | Extract
JPEG compressed graphic | jpeg, jpg, jpe, jfif | Mail | Extract / Convert to PDF | Extract
Multi Picture Format file | mpo | Mail | Convert to PDF | Bypass
Ichitaro word processing document | jtd | Mail | Convert to PDF | Bypass
Hanword | hwp | Mail | Convert to PDF | Bypass
Graphics Interchange Format | gif | Mail | Extract / Convert to PDF | Extract
Tagged Image File Format | tif, tiff | Mail | Extract / Convert to PDF | Extract
Portable Network Graphics | png | Mail | Extract / Convert to PDF | Extract
Bitmap image file | bmp | Mail | Extract / Convert to PDF | Extract
Device Independent Bitmap file | dib | Mail | Convert to PDF | Bypass
Encapsulated PostScript file | eps | Mail | Convert to PDF | Convert to PDF
Adobe Photoshop Document | psd | Mail | Convert to PDF | Bypass
Targa graphic | tga | Mail | Convert to PDF | Bypass
Paintbrush bitmap image file | pcx | Mail | Convert to PDF | Bypass
DICOM image | dcm | Mail | Convert to PDF | Bypass
JavaScript file | js | Mail | Convert to PDF | Bypass
Extensible Markup Language | xml | Mail | Convert to PDF | Bypass
Plain text file | txt | Mail | Convert to PDF | Bypass
Hypertext Markup Language | html | Mail | Convert to PDF | Bypass

* Extract for RTF is supported from R80.40 Engine update 2.
Mail = files arriving over SMTP in MTA mode; Web = files arriving over HTTP/HTTPS.

To experience this new technology, you can submit files to the SandBlast Analysis page by sending them to threats@checkpoint.com.


Important Notes

  • The Threat Extraction blade is supported on a Security Gateway in VSX mode from R80.10.

  • Threat Extraction processes files over these protocols:
    • SMTP, in MTA mode
    • HTTP / HTTPS, through the SandBlast Agent for Browsers extension and SandBlast Agent
  • Starting from R80.30, Threat Extraction supports HTTP/HTTPS extraction "inline", without the SandBlast Agent for Browsers browser extension.

Digital signatures

  • In MTA mode it is possible to clean signed emails: in the Threat Prevention profile, under Mail -> Exceptions -> Signed email attachments, change the action to "Clean".
    • The attachments in such mails are cleaned. The mail itself still carries its original signature, which is now invalid.
  • In general, Threat Extraction does not support extraction on all supported file types when the file carries a digital signature.
  • PDFs with digital signatures behave as follows:
  1. If the file contains encrypted objects with a digital signature, and the document contains objects that Threat Extraction should remove, an error indicating this is shown in the SmartConsole log. In MTA mode and in Threat Extraction for web, Threat Emulation scans the file, and only if the verdict is benign does the original reach the end user.
  2. If the file contains encrypted objects with a digital signature, and the document does not contain objects that Threat Extraction should remove, the original reaches the end user with no errors.
  3. If the file carries a digital signature without encrypted objects, the file is cleaned and the digital signature is broken: the end user sees a warning that the document was modified after it was signed.
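The three cases above, worked through as an added example that is not Check Point code. The script detects a signature dictionary (/Type /Sig), an /Encrypt entry and the kinds of active content an extraction engine would remove, maps them onto the three cases, and then shows why case 3 breaks the signature: a detached PDF signature covers the byte ranges listed in /ByteRange, so removing an /OpenAction changes the covered bytes and the digest a verifier recomputes no longer matches. Assumptions for the illustration: the list of "removable" features (JavaScript, OpenAction, Launch, EmbeddedFile), byte-level regex detection instead of a real PDF parser (production engines also handle compressed object streams), and a SHA-256 digest standing in for the signed hash, since no actual PKCS#7 signing is performed. The sample PDFs are constructed inline; the "encrypted" flag only adds the /Encrypt marker and does not encrypt anything.

```python
"""Decision logic for digitally signed PDFs, following the three cases in the notes.

Added illustration, not Check Point code. Detection is a byte-level scan of PDF
syntax (assumption: a production engine parses the object structure); the set
of "removable" features is also an assumption. Samples are constructed inline.
"""
import hashlib
import re

SIGNATURE = re.compile(rb"/Type\s*/Sig\b")
ENCRYPTION = re.compile(rb"/Encrypt\b")
# Active content this illustration treats as objects to be removed (assumption).
REMOVABLE = {
    "JavaScript": re.compile(rb"/(?:JS|JavaScript)\b"),
    "OpenAction": re.compile(rb"/OpenAction\b"),
    "Launch": re.compile(rb"/S\s*/Launch\b"),
    "EmbeddedFile": re.compile(rb"/EmbeddedFile\b"),
}


def analyze(pdf: bytes) -> dict:
    """Report whether the PDF is signed, encrypted, and which removable features it has."""
    return {
        "signed": bool(SIGNATURE.search(pdf)),
        "encrypted": bool(ENCRYPTION.search(pdf)),
        "removable": [name for name, rx in REMOVABLE.items() if rx.search(pdf)],
    }


def decide(pdf: bytes) -> str:
    """Map the analysis onto the three signed-PDF cases from the notes."""
    a = analyze(pdf)
    if not a["removable"]:
        return "deliver-original"             # case 2 (and any file with nothing to remove)
    if a["signed"] and a["encrypted"]:
        return "error-emulate-then-original"  # case 1: log an error, fall back to Threat Emulation
    if a["signed"]:
        return "clean-signature-breaks"       # case 3: clean; the signature will no longer verify
    return "clean"                            # unsigned: ordinary extraction


def build_signed_pdf(with_js: bool, encrypted: bool = False) -> bytes:
    """Constructed sample: one page, a signature dictionary whose /ByteRange covers
    everything except the /Contents value, and optionally a JavaScript OpenAction.
    'encrypted' only adds the /Encrypt trailer entry as a marker; nothing is encrypted."""
    action = b"/OpenAction << /S /JavaScript /JS (app.alert(1)) >> " if with_js else b""
    placeholder = b"0000000000 0000000000 0000000000 0000000000"
    contents = b"<" + b"00" * 32 + b">"  # placeholder for the PKCS#7 signature value
    head = (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R " + action +
        b"/AcroForm << /Fields [4 0 R] /SigFlags 3 >> >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
        b"4 0 obj << /FT /Sig /T (Sig1) /V 5 0 R >> endobj\n"
        b"5 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached"
        b" /ByteRange [" + placeholder + b"] /Contents "
    )
    trailer = b"trailer << /Root 1 0 R" + (b" /Encrypt 6 0 R" if encrypted else b"") + b" >>\n%%EOF\n"
    doc = head + contents + b" >> endobj\n" + trailer
    start = len(head)                 # /Contents begins right after head
    end = start + len(contents)
    byte_range = b"%010d %010d %010d %010d" % (0, start, end, len(doc) - end)
    return doc.replace(placeholder, byte_range)  # same length, so the offsets stay valid


def covered_digest(pdf: bytes) -> str:
    """SHA-256 over the bytes the detached signature covers. A verifier compares this
    against the hash inside /Contents, so any change to these bytes breaks the signature."""
    m = re.search(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]", pdf)
    a, b, c, d = (int(x) for x in m.groups())
    return hashlib.sha256(pdf[a:a + b] + pdf[c:c + d]).hexdigest()


def remove_open_action(pdf: bytes) -> bytes:
    """Naive extraction step for the illustration: drop the /OpenAction entry."""
    return re.sub(rb"/OpenAction\s*<<[^>]*>>\s*", b"", pdf)


if __name__ == "__main__":
    signed = build_signed_pdf(with_js=True)
    cleaned = remove_open_action(signed)
    print(decide(signed), "->", decide(cleaned))
    print("digest unchanged:", covered_digest(signed) == covered_digest(cleaned))
```

The digest comparison is the whole point of case 3: the signed byte ranges are fixed at signing time, so there is no way to remove an object inside them and keep the signature valid, which is why the end user's reader reports the document as modified. In case 1 the encrypted objects cannot be inspected or rewritten, so the engine cannot clean the file and hands it to Threat Emulation instead.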

Related solution: sk112240 - How to add support for new file types in Threat Extraction
