Threat Extraction image cleaning and other enhancements hotfix
Solution

Table of Contents:

  1. Introduction
  2. Downloads
  3. List of New Features
  4. List of resolved issues per Topic
  5. Hyperlink Support
  6. Limitations

 

(1) Introduction

The Threat Extraction image cleaning and other enhancements hotfix for Security Gateway includes stability and quality fixes, as well as new features for Threat Extraction products.

The list below describes each new feature and resolved issue.

 

(2) Downloads

This Hotfix is included in Jumbo Hotfix Accumulator for R77.30 - since Take_198

This problem was fixed. The fix is included in:

Check Point recommends always upgrading to the most recent version (Security Gateway).

 

(3) List of New Features

ID Title Description
02005542 Support for additional File Types See sk112240 - How to add support for new file types in Threat Extraction.
02078524 Clean images inside documents

Cleans jpeg, gif (animation is removed), bmp, png and tiff inside documents (additional clean parts).

This feature is enabled by default.

Supported document types: docx, xlsx, pptx, pdf, doc, xls, ppt

  • To Enable:

    1. Connect to the command line on the Security Gateway
    2. Log in to the Expert mode
    3. Backup the current $FWDIR/conf/file_convert.conf file:
      cp -v $FWDIR/conf/file_convert.conf $FWDIR/conf/file_convert.conf_BKP
    4. Edit the current $FWDIR/conf/file_convert.conf file:
      vi $FWDIR/conf/file_convert.conf
    5. Set the value of "scrub_clean_images_in_documents" to "1"
    6. Save the changes and exit from Vi editor
    7. Install the Threat Prevention policy
    8. Kill the scrub_cp_file_convertd process (it will be restarted automatically):
      kill -9 $(pidof scrub_cp_file_convertd)
  • To Disable:

    1. Connect to the command line on the Security Gateway
    2. Log in to the Expert mode
    3. Backup the current $FWDIR/conf/file_convert.conf file:
      cp -v $FWDIR/conf/file_convert.conf $FWDIR/conf/file_convert.conf_ENABLED
    4. Edit the current $FWDIR/conf/file_convert.conf file:
      vi $FWDIR/conf/file_convert.conf
    5. Set the value of "scrub_clean_images_in_documents" to "0"
    6. Save the changes and exit from Vi editor
    7. Install the Threat Prevention policy
    8. Kill the scrub_cp_file_convertd process (it will be restarted automatically):
      kill -9 $(pidof scrub_cp_file_convertd)
01988578 Ability for the end users to send the original e-mail to their mailbox through UserCheck portal (instead of downloading the cleaned files) Allows the end users to send the original e-mail to their mailbox through "Approve" page of the UserCheck portal.

This feature is disabled by default

A new textbox and a "Send" button will be added to UserCheck "Approve" page of Threat Extraction

The user can write his e-mail address in the text box (the address should be the same as that written in the original e-mail). The user will receive the original e-mail to his mailbox.

  • To Enable:

    1. Add the $send_original_mail$ to User Check Approval page of Threat Extraction.
    2. Install Threat Prevention policy.
  • To Disable:

    1. Remove the $send_original_mail$ from User Check Approval page of Threat Extraction.
    2. Install Threat Prevention policy.

Notes:

  • The user must be one of the original recipients.
  • The strings used in the feature can be changed in:
    /opt/CPUserCheckPortal/phpincs/conf/L10N/portal_en.php
01989472 Granular control of cleaned file name

After the Extraction/Conversion, the output file can have (besides its new extension) its original extension and some additional text, like "cleaned".

This feature is enabled by default

The default value for the additional text is "cleaned", so "file.doc" after scrubbing will be called "file.cleaned.doc.pdf"

Add a permanent string to filename (by default, "clean"):

  • To Enable:

    1. Connect to the command line on the Security Gateway
    2. Log in to the Expert mode
    3. Backup the current $FWDIR/conf/file_convert.conf file:
      cp -v $FWDIR/conf/file_convert.conf $FWDIR/conf/file_convert.conf_BKP
    4. Edit the current $FWDIR/conf/file_convert.conf file:
      vi $FWDIR/conf/file_convert.conf
    5. Set the value of "add_cleaned_txt_to_filename" to "1"
    6. Set the desired text in "cleaned_txt" (for example, :cleaned_txt ("cleaned"))
    7. Save the changes and exit from Vi editor
    8. Install the Threat Prevention policy
    9. Kill the scrub_cp_file_convertd process (it will be restarted automatically):
      kill -9 $(pidof scrub_cp_file_convertd)
  • To Disable:

    1. Connect to the command line on the Security Gateway
    2. Log in to the Expert mode
    3. Backup the current $FWDIR/conf/file_convert.conf file:
      cp -v $FWDIR/conf/file_convert.conf $FWDIR/conf/file_convert.conf_ENABLED
    4. Edit the current $FWDIR/conf/file_convert.conf file:
      vi $FWDIR/conf/file_convert.conf
    5. Set the value of "add_cleaned_txt_to_filename" to "0"
    6. Save the changes and exit from Vi editor
    7. Install the Threat Prevention policy
    8. Kill the scrub_cp_file_convertd process (it will be restarted automatically):
      kill -9 $(pidof scrub_cp_file_convertd)

Add the original extension from the converted file:

  • To Enable:

    1. Connect to the command line on the Security Gateway
    2. Log in to the Expert mode
    3. Backup the current $FWDIR/conf/file_convert.conf file:
      cp -v $FWDIR/conf/file_convert.conf $FWDIR/conf/file_convert.conf_BKP
    4. Edit the current $FWDIR/conf/file_convert.conf file:
      vi $FWDIR/conf/file_convert.conf
    5. Set the value of "add_orig_ext_to_filename" to "1"
    6. Save the changes and exit from Vi editor
    7. Install the Threat Prevention policy
    8. Kill the scrub_cp_file_convertd process:
      kill -9 $(pidof scrub_cp_file_convertd)
  • To Disable:

    1. Connect to the command line on the Security Gateway
    2. Log in to the Expert mode
    3. Backup the current $FWDIR/conf/file_convert.conf file:
      cp -v $FWDIR/conf/file_convert.conf $FWDIR/conf/file_convert.conf_ENABLED
    4. Edit the current $FWDIR/conf/file_convert.conf file:
      vi $FWDIR/conf/file_convert.conf
    5. Set the value of "add_orig_ext_to_filename" to "0"
    6. Save the changes and exit from Vi editor
    7. Install the Threat Prevention policy
    8. Kill the scrub_cp_file_convertd process:
      kill -9 $(pidof scrub_cp_file_convertd)
01695841 Add new Threat Extraction blade counters to CPview (sk101878) The new Threat Extraction blade counters show details for number of converted/cleaned files via either web or e-mail. If these counters were not in CPview before installing the hotfix, then the counters will be reset to zero in order to be consistent with the displayed values.
01970646 Create exceptions to a policy of stripping files whose type and extension do not match

A new feature will allow administrators to create exceptions to a policy of stripping files whose type and extension do not match.

This feature is disabled by default.

It can be configured in the $FWDIR/conf/scrub_debug.conf file.

This feature is relevant only when blocking of unsupported files is enabled:

:block_unsupported_files (1)

Example configuration:

:valid_file_ext_mismatch (
    : (doc
        : ("rtf")
        : ("txt")
    )
    : (docx
        : ("rtf")
    )
)

In the example above, files with the extension "doc" of types "rtf" and "txt", and files with the extension "docx" of type "rtf" are allowed.

Notes:

  • All values should be added in lower-case.
  • There should not be any repeats of values in any object.
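
The two notes can be checked before the policy is installed. The following added example (not Check Point code) parses a block in the layout shown above, reports upper-case or repeated values, and looks up whether an extension/type pair is covered by an exception. The function names and the sample input are constructed for illustration, and treating the list of extensions as an object that must also be free of repeats is this example's reading of the second note.

```python
import re

GROUP = re.compile(r'^:\s*\((\w+)$')          # ": (doc"    opens an extension object
VALUE = re.compile(r'^:\s*\("([^"]*)"\)$')    # ': ("rtf")' is one allowed file type

# Constructed input in the layout of the example above, with two deliberate
# mistakes: an upper-case value and a repeated value.
SAMPLE = """
:block_unsupported_files (1)
:valid_file_ext_mismatch (
    : (doc
        : ("rtf")
        : ("TXT")
    )
    : (docx
        : ("rtf")
        : ("rtf")
    )
)
"""

def parse_mismatch(text):
    """Return [(extension, [types])] read from the valid_file_ext_mismatch block."""
    groups, inside, current = [], False, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not inside:
            inside = line.startswith(":valid_file_ext_mismatch")
        elif GROUP.match(line):
            current = (GROUP.match(line).group(1), [])
            groups.append(current)
        elif VALUE.match(line) and current is not None:
            current[1].append(VALUE.match(line).group(1))
        elif line == ")" and current is not None:
            current = None                    # end of one extension object
        elif line == ")":
            break                             # end of the whole block
        elif line:
            raise ValueError("unexpected line: " + line)
    return groups

def check_notes(groups):
    """List violations of the two notes: lower-case values, no repeats in an object."""
    problems = []
    objects = [("valid_file_ext_mismatch", [ext for ext, _ in groups])] + groups
    for name, values in objects:
        for i, value in enumerate(values):
            if value != value.lower():
                problems.append(f"{name}: {value!r} is not lower-case")
            if value in values[:i]:
                problems.append(f"{name}: {value!r} is repeated")
    return problems

def is_allowed(groups, extension, detected_type):
    """True if a file with this extension and detected type matches an exception."""
    return any(ext == extension and detected_type in types for ext, types in groups)
```
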
02012906 Backup original file when file conversion fails

Keeps the original file on the Security Gateway in case file conversion fails (mostly used for debugging).

This feature is disabled by default.

  • To Enable:

    1. Connect to the command line on the Security Gateway
    2. Log in to the Expert mode
    3. Backup the current $FWDIR/conf/scrub_debug.conf file:
      cp -v $FWDIR/conf/scrub_debug.conf $FWDIR/conf/scrub_debug.conf_BKP
    4. Edit the current $FWDIR/conf/scrub_debug.conf file:
      vi $FWDIR/conf/scrub_debug.conf
    5. Set the value of "enable_backup_original_file_in_case_of_error" to "1"
    6. Set the desired storage directory in "backup_path_for_original_file_in_case_of_error"
    7. Save the changes and exit from Vi editor
    8. Install the Threat Prevention policy
  • To Disable:

    1. Connect to the command line on the Security Gateway
    2. Log in to the Expert mode
    3. Backup the current $FWDIR/conf/scrub_debug.conf file:
      cp -v $FWDIR/conf/scrub_debug.conf $FWDIR/conf/scrub_debug.conf_ENABLED
    4. Edit the current $FWDIR/conf/scrub_debug.conf file:
      vi $FWDIR/conf/scrub_debug.conf
    5. Set the value of "enable_backup_original_file_in_case_of_error" to "0"
    6. Save the changes and exit from Vi editor
    7. Install the Threat Prevention policy
01684837 Fallback action in case of cleaning failure Enables converting to PDF in case of cleaning failure, and vice versa.

This feature is enabled by default.

  • To Enable:

    1. Connect to the command line on the Security Gateway
    2. Log in to the Expert mode
    3. Backup the current $FWDIR/conf/scrub_debug.conf file:
      cp -v $FWDIR/conf/scrub_debug.conf $FWDIR/conf/scrub_debug.conf_BKP
    4. Edit the current $FWDIR/conf/scrub_debug.conf file:
      vi $FWDIR/conf/scrub_debug.conf
    5. Set the value of "enable_alternative_scrub_method" to "1"
    6. Save the changes and exit from Vi editor
    7. Install the Threat Prevention policy
  • To Disable:

    1. Connect to the command line on the Security Gateway
    2. Log in to the Expert mode
    3. Backup the current $FWDIR/conf/scrub_debug.conf file:
      cp -v $FWDIR/conf/scrub_debug.conf $FWDIR/conf/scrub_debug.conf_ENABLED
    4. Edit the current $FWDIR/conf/scrub_debug.conf file:
      vi $FWDIR/conf/scrub_debug.conf
    5. Set the value of "enable_alternative_scrub_method" to "0"
    6. Save the changes and exit from Vi editor
    7. Install the Threat Prevention policy
01684837 Add a disclaimer about corrupted, encrypted, stripped, cleaned and converted files

Adding file-specific information about the result of scrubbing for each of the attachments.

This feature is disabled by default.

Starting with R80.10 Jumbo HF take_142, see sk127832.

Configure a file-specific disclaimer in case of successful scrubbing:

  • To Enable:

    1. Connect to the command line on the Security Gateway
    2. Log in to the Expert mode
    3. Backup the current $FWDIR/conf/scrub_debug.conf file:
      cp -v $FWDIR/conf/scrub_debug.conf $FWDIR/conf/scrub_debug.conf_BKP
    4. Edit the current $FWDIR/conf/scrub_debug.conf file:
      vi $FWDIR/conf/scrub_debug.conf
    5. Set the value of "enable_successul_disclaimer" to "1"
    6. Set the desired disclaimer for clean file in "successful_disclaimer_clean"
      (for example, :successful_disclaimer_clean ("active content was removed"))
    7. Set the desired disclaimer for converted file in "successful_disclaimer_convert"
      (for example, :successful_disclaimer_convert ("files(s) were successfully converted to PDF"))
    8. Save the changes and exit from Vi editor
    9. Install the Threat Prevention policy
  • To Disable:

    1. Connect to the command line on the Security Gateway
    2. Log in to the Expert mode
    3. Backup the current $FWDIR/conf/scrub_debug.conf file:
      cp -v $FWDIR/conf/scrub_debug.conf $FWDIR/conf/scrub_debug.conf_ENABLED
    4. Edit the current $FWDIR/conf/scrub_debug.conf file:
      vi $FWDIR/conf/scrub_debug.conf
    5. Set the value of "enable_successul_disclaimer" to "0"
    6. Save the changes and exit from Vi editor
    7. Install the Threat Prevention policy

Configure a file-specific disclaimer in case of an encrypted file:

  • To Enable:

    1. Connect to the command line on the Security Gateway
    2. Log in to the Expert mode
    3. Backup the current $FWDIR/conf/scrub_debug.conf file:
      cp -v $FWDIR/conf/scrub_debug.conf $FWDIR/conf/scrub_debug.conf_BKP
    4. Edit the current $FWDIR/conf/scrub_debug.conf file:
      vi $FWDIR/conf/scrub_debug.conf
    5. Set the value of "enable_encrypted_disclaimer" to "1"
    6. Set the desired disclaimer for encrypted files in "encrypted_disclaimer"
      (for example, :encrypted_disclaimer ("files(s) are encrypted, therefore were not processed"))
    7. Save the changes and exit from Vi editor
    8. Install the Threat Prevention policy
  • To Disable:

    1. Connect to the command line on the Security Gateway
    2. Log in to the Expert mode
    3. Backup the current $FWDIR/conf/scrub_debug.conf file:
      cp -v $FWDIR/conf/scrub_debug.conf $FWDIR/conf/scrub_debug.conf_ENABLED
    4. Edit the current $FWDIR/conf/scrub_debug.conf file:
      vi $FWDIR/conf/scrub_debug.conf
    5. Set the value of "enable_encrypted_disclaimer" to "0"
    6. Save the changes and exit from Vi editor
    7. Install the Threat Prevention policy

Configure a file-specific disclaimer in case of a corrupted file:

  • To Enable:

    1. Connect to the command line on the Security Gateway
    2. Log in to the Expert mode
    3. Backup the current $FWDIR/conf/scrub_debug.conf file:
      cp -v $FWDIR/conf/scrub_debug.conf $FWDIR/conf/scrub_debug.conf_BKP
    4. Edit the current $FWDIR/conf/scrub_debug.conf file:
      vi $FWDIR/conf/scrub_debug.conf
    5. Set the value of "enable_corrupted_disclaimer" to "1"
    6. Set the desired disclaimer for corrupted files in "encrypted_disclaimer"
      (for example, :enable_corrupted_disclaimer ("files(s) are corrupted, therefore were not processed"))
    7. Save the changes and exit from Vi editor
    8. Install the Threat Prevention policy
  • To Disable:

    1. Connect to the command line on the Security Gateway
    2. Log in to the Expert mode
    3. Backup the current $FWDIR/conf/scrub_debug.conf file:
      cp -v $FWDIR/conf/scrub_debug.conf $FWDIR/conf/scrub_debug.conf_ENABLED
    4. Edit the current $FWDIR/conf/scrub_debug.conf file:
      vi $FWDIR/conf/scrub_debug.conf
    5. Set the value of "enable_corrupted_disclaimer" to "0"
    6. Save the changes and exit from Vi editor
    7. Install the Threat Prevention policy

Configure a file-specific disclaimer in case of a stripped file:

  1. Connect to the command line on the Security Gateway
  2. Log in to the Expert mode
  3. Backup the current $FWDIR/conf/scrub_debug.conf file:
    cp -v $FWDIR/conf/scrub_debug.conf $FWDIR/conf/scrub_debug.conf_BKP
  4. Edit the current $FWDIR/conf/scrub_debug.conf file:
    vi $FWDIR/conf/scrub_debug.conf
  5. Set the desired disclaimer for stripped files in "stripped_disclaimer"
    (for example, :stripped_disclaimer ("file(s) were stripped"))
  6. Save the changes and exit from Vi editor
  7. Install the Threat Prevention policy

 

(4) List of Resolved Issues per Topic

ID Title Description
01932814 Bad quality of converted-to-PDF documents

Download updates from Check Point Download Center to improve conversion-to-PDF results.
This feature requires connectivity to the internet from the Security Gateway.

Additional CLI commands:

  • scrub update show current

    Shows the current installation revision and its state (during installation/installed, etc.).
    The baseline revision is called "Base".
  • scrub update control revert

    Revert the latest installed revision. New installations will not be installed after using this command. It is used for debugging.
  • scrub update control resume

    Install the latest downloaded revision. New downloads will be installed.
02016102 Support embedding fonts using Convert-to-PDF method Improved rendering of PDF safe copy
02163548 Support Cyrillic fonts using Convert-to-PDF method Improved rendering of PDF safe copy
02003050 No disclaimer is added if e-mail has no body No disclaimer is added if e-mail has no body
02386779 Disable Parallel Extraction when Threat Extraction is configured in "Detect" mode Disable Parallel Extraction when Threat Extraction is configured in "Detect" mode
01711095, 02018325 Wrong filename is given to the original file when downloaded in IE8 or Safari on Windows Original files downloaded as "ScrubGetFile" in IE8 or Safari on Windows
02330277 Threat Extraction E-mail disclaimer is garbled when setting the disclaimer in Japanese Threat Extraction E-mail disclaimer is garbled when setting the disclaimer in Japanese
01978917 Users cannot scan files with size up to 15MB via Threat Extraction extension Allow Threat-Extraction extension to handle files up to 15MB (matched to Threat Emulation file size)

(5) Hyperlink Support

Extract: In PDF files, all URIs will be extracted; in Office files [Word, Excel, PowerPoint], only "Sensitive Hyperlinks" will be extracted.

A hyperlink is considered sensitive if it begins with 'file:', begins with a drive letter followed by a colon, or begins with two backslashes.

Convert: In Convert to PDF, the file is converted to PDF; the URL will be converted to text and the link will not be removed.
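
To see which links in an Office file fall under the definition above, the following added example (not part of the original article and not the product's implementation) lists the external hyperlink relationships stored in an OOXML package and marks the sensitive ones. The sample document and its targets are constructed, the function names are hypothetical, and case-insensitive matching of the prefixes is an assumption.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
HYPERLINK = ("http://schemas.openxmlformats.org/officeDocument/2006/"
             "relationships/hyperlink")
# The three prefixes named above; ignoring case is an assumption of this example.
SENSITIVE = re.compile(r"^(?:file:|[a-z]:|\\\\)", re.IGNORECASE)

# Constructed hyperlink targets for the sample document (not from the page).
SAMPLE_TARGETS = [
    "https://www.example.com/report",
    "file:///C:/Users/Public/plan.docx",
    r"D:\shared\budget.xlsx",
    r"\\files.example\team\notes.docx",
    "mailto:helpdesk@example.com",
]

def is_sensitive(target):
    """Apply the page's definition of a sensitive hyperlink to one target."""
    return bool(SENSITIVE.match(target))

def build_sample_docx(targets=SAMPLE_TARGETS):
    """Build a minimal zip holding only the relationships part of a .docx."""
    rels = "".join(
        f'<Relationship Id="rId{i}" Type="{HYPERLINK}" Target="{t}" '
        'TargetMode="External"/>' for i, t in enumerate(targets, 1))
    xml = f'<Relationships xmlns="{REL_NS[1:-1]}">{rels}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", xml)
    return buf.getvalue()

def audit_hyperlinks(data):
    """Return (part, target, sensitive) for each external hyperlink in the file."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            # For untrusted files, parse with a hardened XML parser instead.
            for rel in ET.fromstring(z.read(part)).iter(REL_NS + "Relationship"):
                if rel.get("Type") == HYPERLINK and rel.get("TargetMode") == "External":
                    target = rel.get("Target", "")
                    found.append((part, target, is_sensitive(target)))
    return found
```
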

(6) Limitations

Cleaning TIFF images in PDF files may corrupt some files. The default behavior is to clean TIFF images in PDF files.

To change the default behavior and disable TIFF cleaning in PDF files, see sk137892.
