How to add support for new file types in Threat Extraction
Solution

Introduction

A new feature allows a Security Gateway administrator to add support for new file types in Threat Extraction blade.

New supported file types include:

File Type       File Extensions                                 Notes
Picture files   jpeg, gif, png, tiff, bmp                       Can be cleaned
Picture files   eps, psd, tga, pcx                              Can be converted to PDF
Text files      rtf, hwp (Hancom), jtd (Ichitaro), and more     Can be converted to PDF


Notes:

  • The Threat Extraction blade may determine that a file is corrupted; such a file cannot be cleaned. By default, the Threat Extraction blade waits for the Threat Emulation blade's verdict on such files. However, some of the file types listed in this article are not supported by the Threat Emulation blade, so the administrator should decide whether to allow or block corrupted files.
  • Instructions for blocking all corrupted files are provided below in the "To block all corrupted files" section.
  • Instructions for blocking only the corrupted files that cannot be emulated are provided in sk115792 - Threat Extraction blade: How to block corrupted files that could not be emulated.


Feature availability

  • Support for new file types is included in Jumbo Hotfix Accumulator for R77.30 - since Take_198.

  • Support for new file types is included in Check Point R80.10.

  • For other R77.30 installations, contact Check Point Support to get the required Hotfix package that adds this feature.
    A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
    For faster resolution and verification, please collect CPInfo files from the Security Management Server and Security Gateways involved in the case.


How to enable support for new file types

Note: The feature is disabled by default.

  1. Connect to the command line on the Security Gateway.
  2. Log in to the Expert mode.
  3. Copy the $FWDIR/conf/template_scrub_additional_file_types file to $FWDIR/conf/scrub_additional_file_types:
    [Expert@HostName:0]# cp -vp $FWDIR/conf/template_scrub_additional_file_types $FWDIR/conf/scrub_additional_file_types
  4. Copy the $FWDIR/conf/template_scrub_fixed_file_types file to $FWDIR/conf/scrub_fixed_file_types:
    [Expert@HostName:0]# cp -vp $FWDIR/conf/template_scrub_fixed_file_types $FWDIR/conf/scrub_fixed_file_types
  5. Copy the /var/log/jail/$FWDIR/conf/template_scrub_supported_file_types file to /var/log/jail/$FWDIR/conf/scrub_supported_file_types:
    [Expert@HostName:0]# cp -vp /var/log/jail/$FWDIR/conf/template_scrub_supported_file_types /var/log/jail/$FWDIR/conf/scrub_supported_file_types
  6. Install the Threat Prevention policy.
  7. Kill the scrub_cp_file_convertd process:
    [Expert@HostName:0]# kill -9 $(pidof scrub_cp_file_convertd)


To disable support for new file types

Note: The feature is disabled by default.

  1. Connect to the command line on the Security Gateway.
  2. Log in to the Expert mode.
  3. Remove the $FWDIR/conf/scrub_additional_file_types file:
    [Expert@HostName:0]# rm -i $FWDIR/conf/scrub_additional_file_types
  4. Remove the $FWDIR/conf/scrub_fixed_file_types file:
    [Expert@HostName:0]# rm -i $FWDIR/conf/scrub_fixed_file_types
  5. Remove the /var/log/jail/$FWDIR/conf/scrub_supported_file_types file:
    [Expert@HostName:0]# rm -i /var/log/jail/$FWDIR/conf/scrub_supported_file_types
  6. Install the Threat Prevention policy.
  7. Kill the scrub_cp_file_convertd process:
    [Expert@HostName:0]# kill -9 $(pidof scrub_cp_file_convertd)


To block all corrupted files

  1. In SmartDashboard, go to the "Threat Prevention" tab and, in the left tree, click on "Policy".

  2. Double-click on the relevant Threat Prevention profile.
    In the window that opens, expand "Threat Extraction Settings" and click on "Advanced".

  3. In the "Threat Extraction Exceptions" section, in the "Corrupted files" field, select "Block".

  4. Click on OK to apply the changes.

  5. Install the Threat Prevention policy.


To add a new file type to Threat Extraction blade

  1. Add the file extension to scrub_additional_file_types.
    See template_scrub_additional_file_types for an example.
    Note: To stop cleaning a file type, delete its line from scrub_additional_file_types.
  2. Add the file extension and the method of extraction to scrub_fixed_file_types.
    The format is:
    <extension (lower case)>;<method>
    (see template_scrub_fixed_file_types for examples).
    Note: Use method "1" for cleaning or "2" for converting to PDF, as shown in template_scrub_fixed_file_types.
  3. Add the file ID and the default extension to scrub_supported_file_types.
    The format is:
    <file ID> <extension>
    (see template_scrub_supported_file_types for examples).
    The necessary information for all the file types listed above can be found in the attached template files.
  4. Connect to the command line on the Security Gateway.
  5. Log in to the Expert mode.
  6. Kill the scrub_cp_file_convertd process:
    [Expert@HostName:0]# kill -9 $(pidof scrub_cp_file_convertd)
  7. Install the Threat Prevention policy.

Notes:

  • If you would like to attempt adding a different file type, the procedure for finding the file ID is below. Every file type can have only one default extension!
  • Note that while many file formats will be supported, we do not guarantee support for any file type not listed in this article.
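Before installing policy, it is worth checking that the three files agree with each other: every extension you ask to be cleaned has a method entry (1 or 2) in lower case, and no file ID is given more than one default extension. The script below is an added example and not part of the article or of Check Point's software; it assumes one extension per line (lines starting with # ignored) in scrub_additional_file_types, and uses the two formats the article states for the other files. The sample file contents and file IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Check Point's code): consistency check for the Threat Extraction file-type lists.
check_scrub_config() {
    add="$1"; fixed="$2"; supported="$3"; rc=0
    # Every extension to be cleaned needs a lower-case entry "<ext>;<method>" with method 1 or 2.
    while read -r ext; do
        [ -z "$ext" ] && continue
        case "$ext" in \#*) continue ;; esac
        if [ "$ext" != "$(printf '%s' "$ext" | tr 'A-Z' 'a-z')" ]; then
            echo "extension not lower case: $ext"; rc=1
        fi
        method=$(awk -F';' -v e="$ext" '$1 == e { print $2 }' "$fixed")
        case "$method" in
            1|2) ;;
            "") echo "no method entry for extension: $ext"; rc=1 ;;
            *)  echo "bad method '$method' for extension: $ext"; rc=1 ;;
        esac
    done < "$add"
    # File IDs 0 and 1999 mean "cannot be converted"; each ID may have only one default extension.
    while read -r id ext; do
        [ -z "$id" ] && continue
        case "$id" in \#*) continue ;; esac
        if [ "$id" = "0" ] || [ "$id" = "1999" ]; then
            echo "file ID $id ($ext) cannot be converted"; rc=1
        fi
    done < "$supported"
    dup=$(awk '$1 !~ /^#/ && NF { print $1 }' "$supported" | sort | uniq -d)
    if [ -n "$dup" ]; then
        echo "file ID listed with more than one default extension: $dup"; rc=1
    fi
    return $rc
}

# Constructed sample set (file IDs are placeholders, not real Check Point values).
write_sample_config() {
    printf '# extensions to clean/convert\njpeg\npng\neps\n' > "$1/scrub_additional_file_types"
    printf 'jpeg;1\npng;1\neps;2\n' > "$1/scrub_fixed_file_types"
    printf '100 jpeg\n101 png\n102 eps\n' > "$1/scrub_supported_file_types"
}

if [ "$1" = "--demo" ]; then
    d=$(mktemp -d)
    write_sample_config "$d"
    check_scrub_config "$d/scrub_additional_file_types" "$d/scrub_fixed_file_types" \
        "$d/scrub_supported_file_types" && echo "sample configuration is consistent"
    rm -rf "$d"
fi
```

On a gateway, run the check against $FWDIR/conf/scrub_additional_file_types, $FWDIR/conf/scrub_fixed_file_types and /var/log/jail/$FWDIR/conf/scrub_supported_file_types before killing scrub_cp_file_convertd and installing policy.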


How to find file type ID

(First check the template_scrub_supported_file_types. The file type ID may already be there.)

  1. Connect to the command line on the Security Gateway.
  2. Log in to the Expert mode.
  3. Start the debug of scrub_cp_file_convertd process:
    [Expert@HostName:0]# for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC on TDERROR_ALL_ALL=5 ; done
  4. Pass a file of the type you wish to add through the Security Gateway.
  5. Stop the debug:
    [Expert@HostName:0]# for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC off TDERROR_ALL_ALL=0 ; done
  6. Analyze the /var/log/jail/$FWDIR/log/scrub_cp_file_convertd.elg* files.
    Search for:
    scrub_handle_unsupported_files: oem file_type
    The value will be an integer.
    If the ID value is "1999" or "0", then the file cannot be converted.
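Sifting the debug output by hand gets tedious when several files went through the gateway while debug was on. The functions below are an added example, not Check Point's code: they pull every "oem file_type" value out of the .elg files and separate usable IDs from 0 and 1999. They assume the integer is the first number after "file_type" on that log line (the article only states that the value is an integer); the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not Check Point's code): extract file type IDs from scrub_cp_file_convertd debug output.

# Print every distinct "oem file_type" integer found in the given .elg file(s).
extract_file_type_ids() {
    grep -h 'scrub_handle_unsupported_files: oem file_type' "$@" \
      | sed -n 's/.*oem file_type[^0-9]*\([0-9]\{1,\}\).*/\1/p' | sort -u
}

# Print only IDs that can be used in scrub_supported_file_types; 0 and 1999 are reported on stderr.
# Returns 1 when no usable ID was found.
usable_file_type_ids() {
    found=1
    for id in $(extract_file_type_ids "$@"); do
        if [ "$id" = "0" ] || [ "$id" = "1999" ]; then
            echo "file_type $id: this file cannot be converted" >&2
        else
            echo "$id"; found=0
        fi
    done
    return $found
}

# Constructed sample of what the debug lines are assumed to look like (not real gateway output).
write_sample_elg() {
    cat > "$1" <<'EOF'
[4123 1]@gw[scrub] scrub_handle_unsupported_files: oem file_type 1234
[4123 1]@gw[scrub] some unrelated debug line
[4124 1]@gw[scrub] scrub_handle_unsupported_files: oem file_type 1999
[4125 1]@gw[scrub] scrub_handle_unsupported_files: oem file_type 1234
[4126 1]@gw[scrub] scrub_handle_unsupported_files: oem file_type 0
EOF
}

if [ "$1" = "--demo" ]; then
    f=$(mktemp)
    write_sample_elg "$f"
    usable_file_type_ids "$f"
    rm -f "$f"
fi
```

On a gateway, run usable_file_type_ids /var/log/jail/$FWDIR/log/scrub_cp_file_convertd.elg* after stopping the debug.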

Applies To:
  • 02005542, 02296398
