topic Using CP Infinity Portal How does one find out what was extracted or triggered threat extraction? in Browse

Using CP Infinity Portal How does one find out what was extracted or triggered threat extraction?

Tony_Graham — Mon, 19 Dec 2022 19:07:36 GMT

I have a user that received a file that in the logs shows it had triggered TEX.

Using the panel on the right side of Infinity portal shows it has threat of Low, confidence High but

it offers no detail as to what the threat was. I don't find this of much value.

'Yah, there was a threat. We got rid of it.'

It would be nice to know what the threat

was so that our user could inform the sender they may themselves be infected with

malware. For businesses with close personal relationships and daily transactions with

one another this sort of thing is very important.

I see no way to drill down into the

threat for additional detail and the details provided offer nothing more than technical

mumbo jumbo about resource URL's, file hashes byte size and a vague Description.

I guess that makes this a request for additional functionality. Something

like Adware/TrackingPixel or EmbeddedWebLink/Graphic would be helpful in

understanding the nature of what was removed during TEX.

Thanks.

Re: Using CP Infinity Portal How does one find out what was extracted or triggered threat extraction

PhoneBoy — Wed, 21 Dec 2022 01:59:20 GMT

Every supported file type will invoke Threat Extraction whether or not it’s actually malicious.
Documents are reconstructed in a way that potentially malicious content won’t be there (for example, VB Macros will be removed).
Or the document will be converted to PDF, if that’s how you configure the policy.
The precise details of how Threat Extraction does this are not documented anywhere and there is no logging provided about what was done.

If you want to know if a document is actually malicious or not (and how), use Threat Emulation.
In fact, that’s how Threat Extraction is intended to be used (with Threat Emulation).
Threat Emulation reports provide details about how the document was malicious (if it was).

Hope that helps.

Re: Using CP Infinity Portal How does one find out what was extracted or triggered threat extraction

AdiGH — Sun, 28 May 2023 10:03:15 GMT

Hi @Tony_Graham - wanted to circle back to this request you made a couple of months ago.
Although the response you've got from @PhoneBoy is correct, I agreed with the need to provide additional information on the extracted content.
Therefore, we've added to the logs under "Description" the name of the elements that were removed (according to the defined list we have in the portal).
This is already in production for FireFox downloads and will shortly be available for downloads from all supported browsers.

I hope you'll find this useful.