This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
amith_rao
Contributor
‎2019-04-05 09:02 AM

Remove Hyperlink from the Body of the mail

Hi,

 

As we know that one of the Threat Extraction features offer removal of Hyperlink from the attachment of the mail. Similarly is it possible to remove the hyperlink from the body of the mail.

 

If threat Extraction cannot do this can any other blade offer this feature? 

 

 

0 Kudos
3 Replies
HeikoAnkenbrand
Champion
Champion
‎2019-04-06 08:42 AM

Start here:

ATRG: Mail Transfer Agent (MTA)

0 Kudos
amith_rao
Contributor
‎2019-04-06 12:09 PM
In response to HeikoAnkenbrand

Hi Heiko

The ATRG helps us understand how MTA works and the blades which can leverage this feature.

Supported blades for MTA feature are as follows: Threat Emulation, Threat Extraction, Anti-virus(R80.10 and above) Anti-Spam & E-mail Security.

But again my requirement is to scrap all the hyperlinks from the body of the Mail irrespective of whether the hyperlinks are genuine or not.

I am pretty much sure that the Threat extraction and Threat Emulation can do this on the attachments but not on the body of the mail.

At the same time, Anti-virus and Anti-bot blades can scan the mail body and only quarantine the Hyperlink found malicious.

But is there any option to quarantine all the hyperlink from mail body whether it is genuine or not? 

 

Regards

Amith

0 Kudos
Chinmaya_Naik
Advisor
‎2019-04-07 09:08 PM
In response to amith_rao

Hi Amith,

Refer the below link for more details.

https://community.checkpoint.com/t5/SandBlast-Network/SandBlast-and-links-inside-email/td-p/15798

As I summarize base on the discussion.

In MTA, Threat Emulation work only if that URL end with any file extension, like http://abc.com/xyz.pdf also http://abc.com leads to the PDF file to download (xyz.pdf)
 
It did not scan if it's not to leads any PDF or any known extension like simple http://abc.com
 
When enabling AV in MTA then URL reputation is checked over MTA base on the risk level. So if the risk level is  80 or below 80 then that malicious URL is not blocked even that the malicious URL have severity": "Medium", "confidence": "High".
 
As on the above scenario, URL is bypass but If the customer is using Checkpoint URL Filtering then when the user is open that malicious link its BLOCK by Checkpoint URL Filtering. Because CP URL filtering is working base on severity and confidence level, not by Risk level.
 
YES we can remove the malicious link from mail body but not sure about remove the all hyperlink that may genuine or not.
 
Thank You
 

 

0 Kudos