Tony_Graham (Advisor)

Using CP Infinity Portal, how does one find out what was extracted or what triggered Threat Extraction?

I have a user that received a file that in the logs shows it had triggered TEX.

Using the panel on the right side of Infinity Portal shows it has threat of Low, confidence High, but it offers no detail as to what the threat was. I don't find this of much value.

'Yah, there was a threat. We got rid of it.'

It would be nice to know what the threat was so that our user could inform the sender they may themselves be infected with malware. For businesses with close personal relationships and daily transactions with one another, this sort of thing is very important.

I see no way to drill down into the threat for additional detail, and the details provided offer nothing more than technical mumbo jumbo about resource URLs, file hashes, byte size and a vague Description.

I guess that makes this a request for additional functionality. Something like Adware/TrackingPixel or EmbeddedWebLink/Graphic would be helpful in understanding the nature of what was removed during TEX.

Thanks.

Accepted Solution

AdiGH (Employee)

Hi @Tony_Graham - wanted to circle back to this request you made a couple of months ago.
Although the response you've got from @PhoneBoy is correct, I agreed with the need to provide additional information on the extracted content.
Therefore, we've added to the logs under "Description" the name of the elements that were removed (according to the defined list we have in the portal).
This is already in production for Firefox downloads and will shortly be available for downloads from all supported browsers.

[attached screenshot: AdiGH_0-1685268007919.png]

I hope you'll find this useful. 

2 Replies
PhoneBoy (Admin)

Every supported file type will invoke Threat Extraction whether or not it’s actually malicious.
Documents are reconstructed in a way that potentially malicious content won’t be there (for example, VB Macros will be removed).
Or the document will be converted to PDF, if that’s how you configure the policy.
The precise details of how Threat Extraction does this are not documented anywhere and there is no logging provided about what was done.

If you want to know if a document is actually malicious or not (and how), use Threat Emulation.
In fact, that’s how Threat Extraction is intended to be used (with Threat Emulation).
Threat Emulation reports provide details about how the document was malicious (if it was).

Hope that helps.

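As an added defender-side example (not Check Point code, and not the logic Threat Extraction itself uses, which PhoneBoy notes is undocumented), the following Python script inventories the kinds of elements a content-disarm engine typically strips from an Office document, the macros and external links PhoneBoy mentions and the kind of element names AdiGH says now appear under "Description", and formats them into a one-line log description. The category names, the relationship-type mapping and the sample document built in memory are this example's own assumptions, not the portal's defined list.

```python
"""Inventory the active/external content of an OOXML (.docx/.xlsx/.pptx) package.

Example added to this thread; not Check Point code and not Threat Extraction's
internal logic. It reports the package parts and relationships that content
disarm and reconstruction usually removes, so a log "Description" can name
them. Category labels are assumptions made for this example.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types that point outside the document when TargetMode="External".
# The labels are this example's own; a real product has its own list.
EXTERNAL_REL_TYPES = {
    REL_BASE + "hyperlink": "ExternalHyperlink",
    REL_BASE + "image": "ExternalImage",      # linked picture, tracking-pixel style
    REL_BASE + "oleObject": "LinkedOLEObject",
}


def inventory_active_content(package: bytes) -> list[tuple[str, str]]:
    """Return sorted (category, detail) pairs for content a CDR engine would remove."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                findings.append(("VBAMacro", name))
            elif "/embeddings/" in lower:
                findings.append(("EmbeddedOLEObject", name))
            elif lower.endswith(".rels"):
                # Relationship parts declare every external target of the package.
                root = ET.fromstring(zf.read(name))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") != "External":
                        continue
                    category = EXTERNAL_REL_TYPES.get(rel.get("Type", ""), "ExternalReference")
                    findings.append((category, rel.get("Target", "")))
    return sorted(findings)


def describe_extraction(package: bytes) -> str:
    """Build a one-line log description naming the removed element types and counts."""
    findings = inventory_active_content(package)
    if not findings:
        return "No active or external content found"
    counts: dict[str, int] = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return "Removed: " + ", ".join(f"{c} x{n}" for c, n in sorted(counts.items()))


def build_sample_docx(active: bool = True) -> bytes:
    """Construct a minimal Word-style package in memory (sample data, not a real file)."""
    rels = [f'<Relationship Id="rId3" Type="{REL_BASE}image" Target="media/image1.png"/>']
    if active:
        rels += [
            f'<Relationship Id="rId1" Type="{REL_BASE}hyperlink" '
            f'Target="https://example.invalid/invoice" TargetMode="External"/>',
            f'<Relationship Id="rId2" Type="{REL_BASE}image" '
            f'Target="https://example.invalid/pixel.gif" TargetMode="External"/>',
            f'<Relationship Id="rId4" Type="{REL_BASE}vbaProject" Target="vbaProject.bin"/>',
        ]
    rels_xml = f'<Relationships xmlns="{REL_NS}">' + "".join(rels) + "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
        zf.writestr("word/media/image1.png", b"\x89PNG placeholder")
        if active:
            # Placeholder bytes only; no real VBA or OLE stream is embedded.
            zf.writestr("word/vbaProject.bin", b"\x00placeholder")
            zf.writestr("word/embeddings/oleObject1.bin", b"\x00placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    for category, detail in inventory_active_content(sample):
        print(f"{category:20} {detail}")
    print(describe_extraction(sample))
```

Run against a real download the script only reads the zip container and the relationship XML, so it is safe to point at suspect files; the point is that the removed-element names (macros, embedded objects, external links and images) are cheap to derive and are exactly what a "Description" field needs to carry for the recipient to tell the sender what was wrong with the document.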