Potentially malicious content details
Symantec Messaging Gateway can detect potentially malicious content (PMC) in several common email attachment types (Word, Excel, PowerPoint, PDF). The table below, "Potentially malicious content container and content type details", lists and describes each type of PMC, the file types in which Disarm handles it, and the consequences of removing it from a container document.
| Category | Supported file types | Description |
|---|---|---|
| Embedded files and attachments | Office 2003, Office 2007 and later, and PDF | Malware that is embedded in or attached to another file or document is more complex to detect than malware that is contained directly in an email message. Disarm lets you recursively reconstruct or remove embedded files and attachments not just from the message itself, but also from the message's attached documents. Each attached or embedded document is opened and scanned for attached or embedded objects, up to the limit specified in the Container Limits area of the SMTP Protocol Settings page. An attached or embedded file is reconstructed if its file type is supported; if not, it is removed. Some file types that are not commonly malicious (such as image files) are ignored rather than reconstructed or removed. Consequences of removal: Removing embedded or attached files can result in content loss. You can archive messages from which embedded files and attachments are removed so that you can recover the content later. Attached documents sometimes contain icons used to open other documents embedded in them. If the embedded document types are disabled in the Disarm scan settings, Disarm retains the icons and replaces the disabled document type's content with text explaining that the content has been intentionally removed; this text is displayed when the icons are clicked. If you find that PDF attachments become unreadable, enable Preprocess non-conforming PDFs on the Malware > Scan Settings > Disarm tab. This feature identifies and attempts to repair the structure of PDF documents that do not conform to the published PDF standard, which helps Disarm reconstruct these PDFs properly after they are scanned. |
| Flash | Office 2003, Office 2007 and later, and PDF | Flash content (especially if the Flash Player is unpatched) is a common vehicle for malware, both on web pages and in documents. Consequences of removal: Flash content is removed from attachments and replaced by white rectangles with black borders. |
| Macros | Office 2003 and Office 2007 and later | Macros are used to provide added functionality in documents. They often execute when a document is opened, and are commonly exploited as a vehicle for malware. Consequences of removal: Loss of macro-based functionality, including custom add-ins, dialog boxes, and data extraction processes. |
| 3D components | PDF | The PDF format supports the inclusion of 3D content using the Universal 3D file format. When you select this option, Disarm strips all 3D components. Consequences of removal: Loss of 3D preview-like functionality. |
| Fonts | PDF | Fonts that are embedded in PDF files can be used as a vehicle for malware. Disarm strips embedded fonts when this option is selected. Consequences of removal: Visual fidelity can be altered if no substitute font is available on the endpoint. Administrators may choose to distribute known safe replacement fonts to endpoints in their organizations to reduce visual fidelity issues in Disarmed attachments. |
| Trailer information | PDF | PDF files consist of a header, a body, a cross-reference table, and a trailer. The trailer contains information about the root object and the cross-reference table. Trailers can be used maliciously if other objects are added to them. Consequences of removal: None. There is no loss of functionality or fidelity. |
| JavaScript | PDF | JavaScript in PDFs is most often used to change the document's content in response to some event. For example, JavaScript can be used to hide part of the document before it is printed, or to pre-fill form fields when the document is opened. JavaScript is also used to restrict the actions of Acrobat Reader (for example, to validate data that is entered in a PDF form's fields). It can also be used to introduce malicious code into documents. Consequences of removal: Loss of functionality that is provided by the JavaScript. |
| Launch | PDF | The Launch function is a PDF feature (enabled by default) that lets a PDF launch executables. Malware creators have exploited this feature for some time. The Launch function is disabled when you select this option. Consequences of removal: The PDF can no longer launch other processes or applications. Add-ins, templates, and tools that rely on launching other documents or processes will no longer work as expected. |
| XFA (and its JavaScript) | PDF | XFA (XML Forms Architecture) is a group of proprietary XML specifications that are used to enhance the processing of web forms. When you select this option, Disarm removes both the XFA and the JavaScript associated with it. Consequences of removal: Loss of functionality that is provided by XFA. A form's visual layout is usually unaffected, but its interactive functionality may be lost. |
| Fullscreen | PDF | A PDF document's Fullscreen mode can be used maliciously to simulate a GUI or an Internet website to trick users into entering sensitive information. To prevent these exploits, Disarm blocks a PDF attachment's use of Fullscreen functionality. Consequences of removal: Loss of full-screen functionality for legitimate as well as potentially malicious purposes. |
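As an added example (this is not Symantec's code or Disarm's detection logic), the following Python triage script reports which of the PMC categories in the table an attachment carries, by scanning a PDF for the name objects behind each category and an Office 2007+ (OOXML) document for the zip parts that hold macros, embeddings and Flash. The marker patterns and the two sample files are this example's own assumptions.

```python
import io
import re
import zipfile

# PDF name objects that signal each PMC category in the table above (this example's own
# heuristics, not Symantec's detection logic).
PDF_MARKERS = {
    "JavaScript": rb"/(?:JavaScript|JS)\b",
    "Launch": rb"/Launch\b",
    "XFA": rb"/XFA\b",
    "Embedded files": rb"/EmbeddedFile\b",
    "Flash": rb"/RichMedia\b",
    "3D components": rb"/3D\b",
    "Fonts": rb"/FontFile[23]?\b",
    "Fullscreen": rb"/PageMode\s*/FullScreen\b",
}
# Zip entry names inside Office 2007+ (OOXML) documents that carry PMC categories.
OOXML_MARKERS = {
    "Macros": re.compile(r"vbaProject\.bin$", re.I),
    "Embedded files": re.compile(r"/embeddings/", re.I),
    "Flash": re.compile(r"\.swf$", re.I),
}
def triage_pdf(data: bytes) -> dict:
    """Return {category: hit count}; scans raw bytes, so compressed object streams are not inflated."""
    found = {cat: len(re.findall(pat, data)) for cat, pat in PDF_MARKERS.items()}
    # One trailer is normal; several mean incremental updates that deserve a closer look.
    found["Trailer information"] = len(re.findall(rb"\btrailer\b", data))
    return {cat: n for cat, n in found.items() if n}

def triage_ooxml(data: bytes) -> dict:
    """Return {category: part count}; Office 2003 OLE binaries are out of scope here."""
    found: dict = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            for cat, pat in OOXML_MARKERS.items():
                if pat.search(name):
                    found[cat] = found.get(cat, 0) + 1
    return found
# Constructed samples, not real attachments: a PDF with an OpenAction script, a Launch
# action and full-screen mode, and a .docm-style zip with a VBA project and an OLE embedding.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R/PageMode/FullScreen"
              b"/OpenAction<</S/JavaScript/JS(app.alert(1))>>>>endobj\n"
              b"3 0 obj<</S/Launch/F(README.txt)>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n")

def build_sample_docm() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/vbaProject.bin", b"constructed stub, not a real VBA project")
        zf.writestr("word/embeddings/oleObject1.bin", b"stub")
    return buf.getvalue()
```

Names hidden inside compressed object streams or non-conforming PDFs are missed by a raw byte scan, which is one reason a gateway reconstructs the document rather than pattern-matching it.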