
Using CP Infinity Portal How does one find out what was extracted or triggered threat extraction?

I have a user that received a file that in the logs shows it had triggered TEX. Using the panel on the right side of Infinity portal shows it has threat of Low, confidence High but it offers no detail as to what the threat was. I don't find this of much value. 'Yah, there was a threat. We got rid of it.' It would be nice to know what the threat was so that our user could inform the sender they may themselves be infected with malware. For businesses with close personal relationships and daily transactions with one another this sort of thing is very important.


I see no way to drill down into the threat for additional detail and the details provided offer nothing more than technical mumbo jumbo about resource URLs, file hashes, byte size and a vague Description.


I guess that makes this a request for additional functionality. Something like Adware/TrackingPixel or EmbeddedWebLink/Graphic would be helpful in understanding the nature of what was removed during TEX.


1 Reply

Every supported file type will invoke Threat Extraction whether or not it’s actually malicious.
Documents are reconstructed in a way that potentially malicious content won’t be there (for example, VB Macros will be removed).
Or the document will be converted to PDF, if that’s how you configure the policy.
The precise details of how Threat Extraction does this are not documented anywhere and there is no logging provided about what was done.

If you want to know if a document is actually malicious or not (and how), use Threat Emulation.
In fact, that’s how Threat Extraction is intended to be used (with Threat Emulation).
Threat Emulation reports provide details about how the document was malicious (if it was).

Hope that helps.

0 Kudos
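
Since the reply notes that Threat Extraction does not log what it removed, one workaround is to compare the original file with the cleaned copy yourself. The sketch below is an added example, not Check Point code and not from either poster; it assumes you can obtain both versions of an Office Open XML file (.docx/.xlsx/.pptx) that was cleaned rather than converted to PDF, and the category names and sample documents are constructed for illustration.

```python
import io
import re
import zipfile

# Heuristic categories of active content in OOXML parts (an assumption of this
# example, not Check Point's undocumented removal list).
ACTIVE_PARTS = {
    "vba_macros": re.compile(r"vbaProject\.bin$", re.I),
    "embedded_objects": re.compile(r"/embeddings/", re.I),
    "activex_controls": re.compile(r"/activeX/", re.I),
}
EXTERNAL_REL = re.compile(rb'<Relationship\b[^>]*TargetMode="External"[^>]*>')
TARGET = re.compile(rb'Target="([^"]*)"')

def active_content(data: bytes) -> dict:
    """Inventory active content in an OOXML document given as bytes."""
    found = {name: set() for name in (*ACTIVE_PARTS, "external_links")}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in zf.namelist():
            for name, pattern in ACTIVE_PARTS.items():
                if pattern.search(part):
                    found[name].add(part)
            if part.endswith(".rels"):  # relationship files list external targets
                for rel in EXTERNAL_REL.findall(zf.read(part)):
                    m = TARGET.search(rel)
                    if m:
                        found["external_links"].add(m.group(1).decode("utf-8", "replace"))
    return found

def removed_content(original: bytes, cleaned: bytes) -> dict:
    """Return what is present in the original but absent from the cleaned copy."""
    before, after = active_content(original), active_content(cleaned)
    return {k: sorted(before[k] - after[k]) for k in before if before[k] - after[k]}

def _build(parts: dict) -> bytes:
    """Build an in-memory ZIP so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples: a document with a macro part and an external image link,
# and a reconstructed copy with both gone.
RELS = ('<Relationships><Relationship Id="rId1" Type="image" '
        'Target="http://tracker.example/pixel.png" TargetMode="External"/></Relationships>')
ORIGINAL = _build({"word/document.xml": "<w:document/>",
                   "word/vbaProject.bin": "constructed placeholder",
                   "word/_rels/document.xml.rels": RELS})
CLEANED = _build({"word/document.xml": "<w:document/>",
                  "word/_rels/document.xml.rels": "<Relationships/>"})
print(removed_content(ORIGINAL, CLEANED))
```

A difference only shows that a part was removed, not that it was malicious; for a verdict, the Threat Emulation report mentioned in the reply remains the source.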