G_W_Albrecht
Legend

Downloading Original Document from Threat Extraction

I must admit that I really love Threat Extraction :) . But how do you get the original files if needed when the download link does not work anymore? There is a solution in sk114629 "How to send original email after Threat Extraction scrubbed the email", but here is my version:

The original files are saved in /var/log/jail/tmp/scrub and can be downloaded from there (e.g. using WinSCP).

To send the original by E-mail again using scrub commands:

You can find the needed File ID here:

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
3 Replies
Peter_Baumann
Contributor

Hi Günther,
Thank you for this explanation, it is very useful.

It seems to work when you get the link to the user; when you click on the filename, you will get the file.

But when I try to send the original mail to me when entering my e-mail address on the usercheck webpage:

Send the original mail to me: first.last@domain.com 

It will result in an empty e-mail:

220 i12.domain.com ESMTP Postfix
EHLO i17p.domain.com
250-i12.domain.com
250-PIPELINING
250-SIZE 60000000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: SIZE=283
RCPT TO: ORCPT=rfc822;first.last@domain.com
DATA
250 2.1.0 Ok
250 2.1.5 Ok
354 End data with .
Received: by i17p.domain.com (Postfix, from userid 0)
	id 45t8XP2XjRz5x0g; Tue, 23 Jul 2019 09:01:25 +0200 (CEST)
Message-Id: <45t8XP2XjRz5x0g@i17p.domain.com>
Date: Tue, 23 Jul 2019 09:01:25 +0200 (CEST)
From: admin@i17p.domain.com
.
QUIT
250 2.0.0 Ok: queued as 5AF7A1CC2D
221 2.0.0 Bye



Has anyone got this to work sending the original e-mail?

MrSalazar
Participant

Hi,
I have the same problem.

I tried to send the original email:

#scrub send_orig_email {EMAIL_ID} all <--- or abc@company.com

The Original email was sent to abc@company.com

 

But the email still comes incomplete.

If anyone has a solution for this, it will be appreciated.

 

 

Peter_Baumann
Contributor

Hi all,
The problem seems to be fixed when you upgrade the MTA according to this: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

This has been verified in the CP-lab.

Best regards,
Peter
