Threat Emulation detects a Malicious file even if the action is set to Prevent
Symptoms
  • The zip file attached to the email is stripped by Threat Extraction, although the Threat Emulation (Prevention) action is set to Prevent.

  • An Allow log for Threat Extraction and a Detect log for Threat Emulation are created (there is no Prevent log for Threat Emulation).
Cause

Threat Emulation and Threat Extraction are working in parallel.

Technical information

  1. docx/xlsx/pptx files are in fact zip containers: rename the extension to .zip and they open as archives. When a file reaches the MTA, it first goes through Threat Extraction's quick file identification. This quick identification reports the file as a zip file (even for docx files).

  2. The Threat Emulation engine assumes that Threat Extraction can extract this kind of file, changes its own action to Detect and hands the file to Threat Extraction (parallel extraction feature).

  3. When the file arrives at Threat Extraction, it tries to extract the file. During this process a thorough file analysis is performed.
    If the attachment is a real zip file, Threat Extraction identifies it as a zip file (in this step it can positively confirm whether the file is a real zip file or a docx file).

  4. Threat Extraction does not support zip files. 

  5. Since parallel extraction is active, Threat Extraction waits for the Threat Emulation engine's verdict. From here there are two options:

    1. Malicious attachment: the file should arrive to the user as text indicating that the file was removed. A log for the event should appear on Threat Extraction.
    2. Benign attachment: the file should arrive normally to the user.

    The expected end result for a malicious zip file:

    Detect log in Threat Emulation
    Allow log for Threat Extraction - file not supported.

    User should receive a text file that indicates that a file was removed from the email.
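The two-stage identification and the parallel handoff described in steps 1 to 5, modelled as an added example. This is not Check Point code: it reproduces only what the article states (magic-byte identification calls every OOXML document a zip; opening the container tells a real zip from a docx; a malicious file handed to Threat Extraction yields a Detect log on Threat Emulation, an "Allow, file not supported" log on Threat Extraction, and a text notice instead of the attachment). The log strings for the other branches, the notice wording, and the use of [Content_Types].xml plus the word/, xl/ and ppt/ roots as the docx/xlsx/pptx markers are the example's own assumptions, and the sample attachments are constructed in memory.

```python
"""Added example: quick vs thorough file identification and the parallel
Threat Emulation (TE) / Threat Extraction (TEX) handoff from the article.
Not Check Point code; log labels and notice text are placeholders."""
import io
import zipfile
from dataclasses import dataclass

OOXML_MARKER = "[Content_Types].xml"      # assumption: marker of an OOXML container
OOXML_ROOTS = {"word/": "docx", "xl/": "xlsx", "ppt/": "pptx"}
TEX_SUPPORTED = {"docx", "xlsx", "pptx"}  # zip is not supported, per the article
REMOVED_NOTICE = b"Attachment removed by Threat Extraction (malicious)."  # placeholder


def quick_identify(data: bytes) -> str:
    """First pass on the MTA: magic bytes only.  Every ZIP container,
    OOXML documents included, is reported as 'zip' at this stage."""
    return "zip" if data[:4] == b"PK\x03\x04" else "other"


def thorough_identify(data: bytes) -> str:
    """Threat Extraction's deeper look: open the container and inspect its
    members.  A real zip archive and an OOXML document are told apart here."""
    if quick_identify(data) != "zip":
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "other"
    if OOXML_MARKER not in names:
        return "zip"
    for root, kind in OOXML_ROOTS.items():
        if any(n.startswith(root) for n in names):
            return kind
    return "zip"


@dataclass
class Outcome:
    file_type: str
    te_log: str
    tex_log: str
    delivered: bytes


def parallel_verdict(data: bytes, te_malicious: bool) -> Outcome:
    """Combine TE's verdict with TEX's thorough identification.  Quick ID said
    'zip', so TE has already moved to Detect and TEX, which owns the file,
    waits for the verdict before deciding what the user receives."""
    file_type = thorough_identify(data)
    supported = file_type in TEX_SUPPORTED
    if not te_malicious:
        # Benign: delivered unchanged.  "Allow"/"Extract" labels are placeholders.
        tex_log = "Extract" if supported else "Allow (file not supported)"
        return Outcome(file_type, "Allow", tex_log, data)
    # Malicious: TE logs Detect rather than Prevent because TEX enforces;
    # TEX strips the attachment and the user gets a text notice instead.
    tex_log = "Prevent" if supported else "Allow (file not supported)"
    return Outcome(file_type, "Detect", tex_log, REMOVED_NOTICE)


def build_container(members: dict) -> bytes:
    """Constructed sample input: an in-memory zip with the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a minimal docx-like container and a plain zip archive.
SAMPLE_DOCX = build_container({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
})
SAMPLE_ZIP = build_container({"invoice.exe": "MZ..."})

if __name__ == "__main__":
    for label, blob in (("docx", SAMPLE_DOCX), ("zip", SAMPLE_ZIP)):
        print(label, "quick:", quick_identify(blob), "thorough:", thorough_identify(blob))
        print("  malicious ->", parallel_verdict(blob, True))
```

Running the block shows both samples identified as "zip" by the quick pass, only the thorough pass separating them, and the real zip ending with the Detect / Allow (file not supported) pair and a text notice, which is exactly the log combination listed under Symptoms.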


Solution