Attachment Cleaning (Threat Extraction)
Attachment Cleaning (Threat Extraction) is a Content Disarm and Reconstruction (CDR) engine that serves as an additional layer of security for email attachments on top of the Anti-Malware engine.
After the Anti-Malware security engine determines an attachment is not malicious, Attachment Cleaning (Threat Extraction) delivers a secure version of the attachment to the end user, removing hyperlinks behind text, macros, and other active content that may contain malware.
Administrators can allow end-users to retrieve the original version of the attachment. This action does not require the help desk's intervention. To configure the attachment cleaning workflow, see Configuring Attachment Cleaning (Threat Extraction).
File Sanitization Modes
Attachment Cleaning (Threat Extraction) can create a safe version of an email attachment in these ways:
- Clean - removes macros, embedded objects, and any active content from the attachment while maintaining the file type.
  For example, if a DOC file is cleaned, the end user will get a modified DOC file.
- Convert - the file is converted into PDF format, regardless of its original file type, ensuring no active content can ever be a part of it.
  For example, if a DOC file is converted, the end user will get the file in PDF format.
Note - While the Convert option is considered to be secure, it has an impact on user experience and productivity. Unless there are strict regulatory or organizational policy requirements, we recommend using the Clean option to deliver only PDF files.
Configuring Attachment Cleaning (Threat Extraction)
To configure Attachment Cleaning (Threat Extraction) for Office 365 Mail or Gmail:
- Click Policy on the left panel of the Avanan Portal.
- Open the Threat Detection policy for Office 365 Mail or Gmail if available, and continue from step 6.
  or
- Click Add a New Policy Rule.
- In the Choose SaaS drop-down list, select the SaaS application (Office 365 Mail or Gmail).
- In the Choose Security drop-down list, select Threat Detection and click Next.
- Select the Prevent (Inline) protection mode.
- Scroll down to the Attachment Cleaning (Threat Extraction) section and select the Clean attachments before delivering to end users checkbox.
- In the Clean field, select an option.
  - To clean all the file types, select All supported file types.
    Note - When this option is selected, the Convert option is disabled.
  - To clean only some file types, select Only specific file types and enter the required file types.
    For the supported file types, see Supported file types.
  - To exclude some file types from cleaning, select All supported file types except and enter the required file types.
  - To stop cleaning the files, select None.
- In the Convert field, select an option.
  - To convert all the file types, select All supported file types.
    Note - When this option is selected, the Clean option is disabled.
  - To convert only some file types, select Only specific file types and enter the required file types.
    For the supported file types, see Supported file types.
  - To exclude some file types from converting, select All supported file types except and enter the required file types.
  - To stop converting the files, select None.
- In the Attachment cleaning workflow drop-down, select the workflow required. See Attachment Cleaning Workflows.
- Click Save and Apply.
Note - Avanan does not clean attachments in an email if both these conditions are satisfied:
- There are other attachments in the same email that are password-protected.
- The password-protected attachments workflow is configured as Require end-user to enter a password.
Attachment Cleaning (Threat Extraction) Workflows
Administrators can select any of these workflows for attachment cleaning.
Workflow | Description |
User is allowed to request a restore for any attachment (admin must approve) | The user can request to restore the original attachments. The attachments are restored only after the admin approves. |
User is allowed to restore benign attachments only | The user can request to restore the attachments. If the attachments are benign, they are restored immediately. |
User is allowed to restore any attachment | The user can request to restore the attachments and they are restored immediately. |
Supported file types for Attachment Cleaning (Threat Extraction)
File Type | File Extensions |
Adobe FDF | FDF |
Adobe PDF (all versions) | |
Microsoft Excel 2007 and later | XLSX, XLSB, XLSM, XLTX, XLTM, XLAM |
Microsoft Excel 2007 Binary | XLSB |
Microsoft Excel 97 - 2003 | XLS |
Microsoft PowerPoint 2007 and later | PPTX, PPTM, POTX, POTM, PPAM, PPSX, PPSM |
Microsoft PowerPoint 97 - 2003 | PPT, PPS, POT, PPA |
Microsoft Word 2007 and later | DOCX, DOCM, DOTX, DOTM |
Microsoft Word 97 - 2003 | DOC, DOT |
Original Attachments vs Cleaned Attachments
In the Attachment Cleaning process, some components of the attachment are removed or disabled.
By default, the components listed in this table are cleaned. Depending on the file type being cleaned, specific components of the attachment may be removed:
Code | File Type | Description |
1018 | All supported file types | Query to a remote database |
1019 | All supported file types | Files and objects embedded in the documents |
1021 | All supported file types | Stored data for fast document saving |
1026 | All supported file types | Microsoft Office macros and PDF JavaScript code |
1034 | All supported file types | Links to network or local file paths |
1137 | | Open other PDF files |
1139 | | PDF launch action |
1141 | | Open Uniform Resource Identifier (URI) resources |
1142 | | Play sound objects |
1143 | | Play movie files |
1150 | | Execute JavaScript code |
1151 | | Submit data to remote locations |
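A way to spot-check that a cleaned Office attachment no longer carries components the table lists as removed by default (macros, embedded objects, external links), as an added example that is not Avanan's code. It covers only the ZIP-based Office 2007 and later formats; the mapping of package parts to components and the sample packages are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Assumption: this mapping of OOXML package parts to the table's component
# descriptions is illustrative; it is not the vendor's definition of each code.
PART_CHECKS = {
    "macros": re.compile(r"(^|/)vbaProject\.bin$", re.I),
    "embedded objects": re.compile(r"/(embeddings|activeX)/", re.I),
}
EXTERNAL_REL = re.compile(rb'<Relationship\b[^>]*TargetMode\s*=\s*"External"[^>]*>', re.I)
TARGET = re.compile(rb'\bTarget\s*=\s*"([^"]*)"')
MAX_RELS_BYTES = 1_000_000  # refuse to inflate oversized relationship parts

def residual_active_content(data: bytes) -> dict:
    """Return {component: [evidence]} for active content left in an OOXML file."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not an OOXML (ZIP) package")
    found = {"macros": [], "embedded objects": [], "external links": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            for label, pattern in PART_CHECKS.items():
                if pattern.search(info.filename):
                    found[label].append(info.filename)
            if info.filename.endswith(".rels") and info.file_size <= MAX_RELS_BYTES:
                for rel in EXTERNAL_REL.findall(pkg.read(info)):
                    target = TARGET.search(rel)
                    found["external links"].append(
                        target.group(1).decode("utf-8", "replace") if target else "?")
    return {label: hits for label, hits in found.items() if hits}

def _package(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for name, body in parts.items():
            pkg.writestr(name, body)
    return buf.getvalue()

# Constructed samples: an attachment before cleaning and its cleaned counterpart.
RELS = (b'<Relationships><Relationship Id="rId1" Target="http://example.invalid/a" '
        b'TargetMode="External"/></Relationships>')
ORIGINAL = _package({"word/document.xml": b"<w:document/>", "word/vbaProject.bin": b"\0",
                     "word/embeddings/oleObject1.bin": b"\0",
                     "word/_rels/document.xml.rels": RELS})
CLEANED = _package({"word/document.xml": b"<w:document/>",
                    "word/_rels/document.xml.rels": b"<Relationships/>"})

if __name__ == "__main__":
    print(residual_active_content(ORIGINAL), residual_active_content(CLEANED))
```

An empty result means none of the three checked components remain; legacy binary formats (DOC, XLS, PPT) and PDF need a different parser.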
To configure Avanan to clean additional parts of attachments that are not cleaned by default, contact Avanan Support.
Code | File Type | File Part |
500 | All supported file types | Images embedded in documents |
1017 | All supported file types | Custom document properties |
1025 | All supported file types | Links to files that are reviewed by another application |
1036 | All supported file types | Statistic document properties |
1037 | All supported file types | Summary document properties |
1178 | | Embedded 3D Artwork |
Viewing Emails with Cleaned Attachments
You can view these details in the Emails with Modified Attachments page.
- Emails with attachments, where the links in the attachments were replaced. See Click-Time Protection.
- Emails with attachments that were cleaned. See Attachment Cleaning (Threat Extraction).
Note - The page does not show emails where links in the email body were replaced.
Sending the Unmodified Emails to End Users
To send the original email to the end user, do one of these:
- From the Modified Attachments page.
  - Go to User Interaction > Modified Attachments.
  - To send an original email, click the vertical ellipsis icon for the email from the last column of the request table and select Send Original.
  - To send multiple emails at a time, select the emails and click Send Original from the top-right corner of the page.
  - Click OK.
- From the Email profile page.
  - Open the email profile page.
  - In the Email Profile section, click Send next to Send Original Email.
  - Click OK.
If a policy is configured to clean the files and a file is sent in an email, the end user receives the email with a cleaned file. By default, the cleaned file has threat_extracted_ added before the file name.
If a policy is configured to convert the files and a file is sent in an email, the end user always receives the email with a converted PDF file. By default, the converted PDF file has threat_extracted_ added before the file name.
To request restoration of the original email as an end user:
- Click the link below the attachment in the email.
- If prompted, enter the reason for restoring the attachment, and click Submit.
  Note - This screen appears only when the Attachment cleaning workflow is configured such that the admin must approve to restore the original attachment.
  After you submit, the administrator receives the request.
  After the administrator approves, the user receives the original email.
- If the Attachment cleaning workflow is configured such that it does not require admin approval to restore the attachment, the original email is delivered to the end user immediately.
For more information on who receives the restored emails, see Who Receives the Emails Restored from Quarantine.