Potentially malicious content details

Symantec Messaging Gateway can detect potentially malicious content (PMC) in several common email attachment types (Word, Excel, PowerPoint, PDF). The table Potentially malicious content container and content type details lists and describes each type of PMC and explains the consequences of removing it from a container document.
Potentially malicious content container and content type details
Each entry below gives the category of potentially malicious content, the supported file types, a description of the content, and the consequences of removing it.
Embedded files and attachments
Supported file types: Office 2003, Office 2007 and later, and PDF
Malware that is embedded in or attached to another file or document is more complex to detect than malware that is contained directly in an email message. Disarm lets you recursively reconstruct or remove embedded files and attachments not just from the message itself, but also from the message's attached documents. Each attached or embedded document is opened and scanned for attached or embedded objects, up to the limit specified in the Container Limits area of the SMTP Protocol Settings page. An attached or embedded file is reconstructed if its file type is supported. If not, it is removed. Some file types that are not commonly malicious (such as image files) are ignored rather than reconstructed or removed.
Consequences of removal:
Removing embedded or attached files can result in content loss. You can archive messages from which embedded files and attachments are removed so that you can recover the content later.
Attached documents sometimes contain icons used to open other documents embedded in them. If the embedded document types are disabled in the Disarm scan settings, then Disarm retains the icons and replaces the disabled document type's content with text that explains that the content has been intentionally removed. This text is displayed when the icons are clicked.
If you find that PDF attachments become unreadable, enable Preprocess non-conforming PDFs on the Malware > Scan Settings > Disarm tab. This feature identifies and attempts to repair the structure of PDF documents that do not conform to the published PDF standard. This preprocessing helps Disarm to reconstruct these PDFs properly after they are scanned.
Flash
Supported file types: Office 2003, Office 2007 and later, and PDF
Flash content (especially if the Flash Player is unpatched) is a common vehicle for malware, both on webpages and in documents.
Consequences of removal:
Flash content is removed from attachments and replaced by white rectangles with black borders.
Macros
Supported file types: Office 2003 and Office 2007 and later
Macros are used to provide added functionality in documents. They often execute when a document is opened, and are commonly exploited as a vehicle for malware.
Consequences of removal:
Loss of macro-based functionality, including custom add-ins, dialog boxes, and data extraction processes.
3D components
Supported file type: PDF
The PDF format supports the inclusion of 3D content using the Universal 3D file format. When you select this option, Disarm strips all 3D components.
Consequences of removal:
Loss of 3D preview-like functionality.
Fonts
Supported file type: PDF
Fonts that are embedded in PDF files can be used as a vehicle for malware. Disarm strips embedded fonts when this option is selected.
Consequences of removal:
Visual fidelity can be altered if no substitute font is available on the endpoint. Administrators may choose to distribute known safe replacement fonts to endpoints in their organizations to reduce visual fidelity issues in Disarmed attachments.
Trailer information
Supported file type: PDF
PDF files consist of a header, a body, a cross-reference table, and a trailer. The trailer contains information about the root object and the cross-reference table. Trailers can be used maliciously if other objects are added to them.
Consequences of removal:
None. There is no loss of functionality or fidelity.
JavaScript
Supported file type: PDF
JavaScript in PDFs is most often used to change the document's content in response to some event. For example, JavaScript can be used to hide part of the document before it is printed. It can also be used to pre-fill form fields when the document is opened. JavaScript is also used to restrict the actions of Acrobat Reader (for example, to validate data that is entered in a PDF form's fields). It can also be used to introduce malicious code into documents.
Consequences of removal:
Loss of functionality that is provided by the JavaScript.
Launch
Supported file type: PDF
The Launch function is a PDF feature (enabled by default) that lets you launch executables from inside a PDF. Malware creators have exploited this feature for some time. The Launch function is disabled when you select this option.
Consequences of removal:
The PDF can no longer launch other processes or applications. Add-ins, templates, and tools that rely on launching other documents or processes will no longer work as expected.
XFA (and its JavaScript)
Supported file type: PDF
XFA (XML Forms Architecture) is a group of proprietary XML specifications that are used to enhance the processing of web forms. When you select this option, Disarm removes both the XFA and the JavaScript associated with it.
Consequences of removal:
Loss of functionality that is provided by XFA. A form's visual layout is usually unaffected, but its interactive functionality may be lost.
Fullscreen
Supported file type: PDF
A PDF document's Fullscreen mode can be used maliciously to simulate a GUI or an Internet website to trick users into entering sensitive information. To prevent these exploits, Disarm blocks a PDF attachment's use of Fullscreen functionality.
Consequences of removal:
Loss of full-screen functionality for legitimate as well as potentially malicious purposes.
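As an added example (not part of the Symantec documentation or the product), the following Python script triages a PDF for the content types listed in the table above by searching the raw bytes for the PDF name objects that introduce each type, and checks the trailer dictionary for keys outside the set the PDF specification defines (the concern raised under Trailer information). The sample PDF is constructed inline, the category-to-marker mapping is this example's own assumption, and raw-name matching is a triage heuristic that a disarm engine like the one described here replaces with full parsing and reconstruction.

```python
import re

# Constructed sample (not a real malicious file): a minimal PDF fragment carrying
# several table categories and a trailer key the PDF specification does not define.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /PageMode /FullScreen
  /OpenAction << /S /JavaScript /JS (app.alert('opened')) >>
  /AcroForm << /XFA 5 0 R >>
  /Names << /EmbeddedFiles << /Names [(attach.bin) 6 0 R] >> >> >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /Launch /F (example.exe) >> >> endobj
6 0 obj << /Type /Filespec /F (attach.bin) /EF << /F 7 0 R >> >> endobj
7 0 obj << /Type /EmbeddedFile /Length 0 >> stream
endstream endobj
trailer << /Size 8 /Root 1 0 R /Unexpected 7 0 R >>
%%EOF
"""

# Raw PDF name objects that introduce each PMC category in the table (this mapping
# is the example's assumption; raw-name matching is a triage heuristic, not a parser).
PMC_MARKERS = {
    "Embedded files and attachments": [rb"/EmbeddedFiles?\b", rb"/FileAttachment\b"],
    "Flash": [rb"/RichMedia\b", rb"/Flash\b"],
    "3D components": [rb"/3D\b", rb"/U3D\b"],
    "Fonts": [rb"/FontFile[23]?\b"],
    "JavaScript": [rb"/JavaScript\b", rb"/JS\b"],
    "Launch": [rb"/Launch\b"],
    "XFA (and its JavaScript)": [rb"/XFA\b"],
    "Fullscreen": [rb"/FullScreen\b"],
}
# Trailer keys defined by the PDF specification (ISO 32000-1, section 7.5.5).
STANDARD_TRAILER_KEYS = {b"Size", b"Prev", b"Root", b"Encrypt", b"Info", b"ID", b"XRefStm"}

def scan_pmc(pdf: bytes) -> dict:
    """Count marker hits per PMC category; categories with no hits are omitted."""
    hits = {}
    for category, patterns in PMC_MARKERS.items():
        count = sum(len(re.findall(p, pdf)) for p in patterns)
        if count:
            hits[category] = count
    return hits

def unexpected_trailer_keys(pdf: bytes) -> list:
    """Return keys in any trailer dictionary that the specification does not define."""
    keys = []
    for m in re.finditer(rb"trailer\s*<<(.*?)>>", pdf, re.S):
        for key in re.findall(rb"/([A-Za-z0-9]+)", m.group(1)):
            if key not in STANDARD_TRAILER_KEYS:
                keys.append(key.decode())
    return keys
```

Running scan_pmc(SAMPLE_PDF) reports hits for the embedded file, JavaScript, Launch, XFA and Fullscreen categories, and unexpected_trailer_keys(SAMPLE_PDF) flags the non-standard Unexpected key; a clean document yields an empty result for both.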