Sanitization

The sanitization feature of Clearswift ARgon for Email allows you to detect and remove active content, document properties and other potentially threatening content from communications. For example, you might want to ensure messages are delivered with macros removed, or that a document is displayed without the document properties revealing information such as the 'author' or 'owner'.

The starter policy includes a number of default rules, which apply sanitization to inbound and outbound routes. See the Starter Policy topic for more information about the policy that was automatically installed with Clearswift ARgon for Email.

Sanitization is performed by the following content rules:

Sanitize Active Content - removes active content, such as scripts and macros, from email attachments, before safely delivering or displaying.
Sanitize Document Content - removes a selection of properties, revision history, comments and metadata from documents. It also sanitizes metadata from image format types JPEG, GIF, and PNG.

Tell me about...

How sanitization works with Clearswift ARgon for Email
The ARgon Server performs sanitization using either a Sanitize Active Content, a Sanitize Document Content, or a Sanitize Message content rule. These content rules:
- Scan for specified document properties, active content, embedded content, URLs, or hyperlinks.
If a rule is triggered, the ARgon Server:
- Attempts to sanitize the content appropriately and applies the What To Do? actions.
Each content rule applies a different set of What To Do? actions for the following conditions:
- On successful sanitization - for example, Continue to the next rule.
  
  Successful sanitization occurs if the detected content can be sanitized. If Continue to the next rule is selected, the ARgon Server sanitizes the content and continues to the next rule in the policy route.
- On unsuccessful sanitization - for example, Block communication using the block page for the failure.
  
  Unsuccessful sanitization occurs if content has been detected but cannot be sanitized.
  
  For example, a digitally signed document can be scanned for active content, but cannot be opened and sanitized. The sanitization is considered 'unsuccessful' because the ARgon Server cannot edit the protected content.
Document Properties

Documents can contain hidden data that could be sensitive or might compromise your intellectual property. For example, a set of document properties might reveal user information or infrastructure information, such as printer information, included in the document. You can use a Sanitize Document Content content rule to remove these properties from documents before safely delivering them.
Document Contents

Document contents can include potentially sensitive metadata such as revision histories and comments. You can use a Sanitize Document Content content rule to remove this content from documents before safely delivering them.
Active content

Active content includes scripts, macros and code segments, either embedded within a document or hidden in a web page. You can use the Sanitize Active Content rule to remove active content from communications, ensuring information is shared safely and without disruption.

Compatible media types

The following media types are supported by Clearswift ARgon for Email sanitization content rules.

Media Type	Extensions	Sanitize Active Content	Sanitize Document Content	Sanitize Message
HTML	.htm .html
Rich Text Format	.rtf
RTF-encoded html	.html
Microsoft Excel spreadsheet (2007+)	.xlsx .xlsm .xltx
Microsoft PowerPoint presentation (2007+)	.pptx .pptm .potx .ppsx .ppsm .thmx
Microsoft Word Document (2007+)	.docx .docm .dotx .dotm
LibreOffice Document Types	.ods .odg .odp .odm .odf .odt
Adobe PDF	.pdf
Metadata in GIF, JPEG, and PNG images	.gif .jpg .png

Sanitization is not supported for Microsoft Office 97-2003 documents with the extensions .doc, .xls or .ppt. Content in these documents can be detected but sanitization is always unsuccessful.

Document Properties and Document Contents categories

You can Sanitize Document Content in categories. For example, the following Document Properties and Document Categories can be sanitized from selected Media Types:

Category	Description	Microsoft Office	Libre Office	Adobe PDF	GIF, JPEG, PNG
Subject Matter	Document properties such as Title, Subject and Keywords	Categories, Comments, Status, Subject, Tags, Title	Comments, Keywords, Subject, Title	Keywords, Subject, Title	Title, Description, Keywords, Subject
User Information	Properties identifying an individual, such as Author or Owner	Author, Company, Last modified by (user), Manager	Created (user), Last printed (user), Modified (user)	Author	Artist, Author, Company, Writer/Editor
Infrastructure Information	Properties containing environmental information, including printer information	Template, printer information	Application, Producer, printer information	Application, Producer	Creator, Producer, Program Version
Miscellaneous Information	Standard application properties that are not relevant to a specific category	Created (date), Last modified (date), Last printed (date), Revision number	Created (date), Last printed (date), Modified (date), Revision number, Total editing time	Created (date), Modified (date)	Creation Date, Copyright, Language, Unique ID
Rogue Properties	Properties that are either malformed or found in an unexpected location	Various	Various	Various	Various
Custom Properties	Properties created by the author using a facility within the authoring tool	Various	Various	Various	Various
Location	GPS Location information added to a JPEG image by a device	-	-	-	Location information

Custom properties must not contain commas "," or exclamation marks "!" as these characters are not supported and will not be correctly detected or sanitized.

How do I...

Detect and block traffic containing active content?

You can use a Detect Active Content rule to detect web traffic containing scripts, macros or active content in selected media types.

Create a content rule using the Detect Active Content content rule template. Show me
1. From the Policy Center Home page click Content Rules to display the Manage Content Rules page.
2. Click New.
3. Select Detect active content from the list of content rule templates.
4. Change the Overview details (the Name of the content rule and any relevant Notes) by clicking Click here to change these settings.
5. Click Save.

Apply Configuration.

The content rule can now be applied to a policy route.

Build a Sanitize Active Content rule?

Use a Sanitize Active Content rule to detect and remove active content from web traffic.

Create a content rule using the Sanitize Active Content content rule template. Show me
1. From the Policy Center Home page click Content Rules to display the Manage Content Rules page.
2. Click New.
3. Select Sanitize Active Content from the list of content rule templates.
4. If required, change the Overview details (the Name of the content rule and any relevant Notes) by clicking Click here to change these settings.
5. Click Save.

Configure the What To Do? actions if sanitization is successful.

Show me

Use the On Successful Sanitization section to select the appropriate Primary Action .

You can Tag the Message Subject as an action for this content rule if you want the message subject line to inform recipients that active content has been removed. To find out more about the Tag the Message Subject action, see What To Do? Actions.

Click Save.

Add any What Else To Do? actions by clicking New.

To find out more about configuring actions, see About What To Do? Actions

Click Save.

Apply Configuration.

The content rule can now be applied to a policy route.

Build a Sanitize Document Content rule?

Create a content rule using the Sanitize Document Content content rule template. Show me
1. From the Policy Center Home page click Content Rules to display the Manage Content Rules page.
2. Click New.
3. Select Sanitize Document Content from the list of content rule templates.
4. If required, change the Overview details (the Name of the content rule and any relevant Notes) by clicking Click here to change these settings.
5. Click Save.

Apply Configuration.

The content rule can now be applied to a policy route.

Disable the macros (XLM) in Excel?

XLM, for Excel Macro, is a type of spreadsheet file that is used to store macros and can be used to hide malware that is notoriously difficult to detect, thus creating a security risk. However, due to the nature of these macros, they can trigger a lot of false positives. Within Clearswift ARgon Server the detection of these XLM macros is automatically enabled for all customers from 5.1 onwards.

Use the following procedure to disable the detection of the XLM macros within the ARgon Server.

Keep a copy of the original template file(s) so you can copy them back if you decide to revert the change.

The extra configuration must be added to both the CDA and ZIP format managers. Otherwise the behaviour for CDA and OPC documents will be inconsistent.

For non-Japanese installations:

Log into the ARgon Server using a cockpit terminal session.
Open the file: /opt/cs-gateway/bin/template.xml
Add the highlighted line to the CDA format manager.

<Key name="CDA Files" default="Compound Document"><PropertyList duplicates="true">
<Property name="PolicyList" type="string" value="" />
<Property name="MaxNumStreams" type="int" value="1000"/>
<Property name="MinAsciiLength" type="int" value="3" />
<Property name="MinUnicodeLength" type="int" value="3" />
<Property name="SetProcessingOf" type="string" value="{11943940-36DE-11CF-953E-00C0A84029E9},Disabled" />
<Property name="DetectXLMMacros" type="bool" value="false"/>
</PropertyList>
</Key>

Add the highlighted line to the ZIP format manager.

<Key name="ZIP Files" default="ZIP Archive"><PropertyList duplicates="true">
<Property name="PolicyList" type="string" value="" />
<Property name="ReplacementImageFile" type="string" value="/opt/clearswift/engine/data/opcdfc/redact.emf"/>
<Property name="DetectXLMMacros" type="bool" value="false"/>
</PropertyList>
</Key>

After modifying the template.xml file, apply the policy for the changes to be saved.

To reverse the change simply remove the DetectXLMMacros properties and save the policy. See the warning note below.

For Japanese installations:

Edit the file: /opt/cs-gateway/bin/template_ja_jp.xml and make the same changes as above, but note that the “ZIP Archive” section is different.

<Key name="ZIP Files" default="ZIP Archive"><PropertyList duplicates="true">
<Property name="PolicyList" type="string" value="" />
<Property name="CharacterSet" type="string" value="Shift-JIS" />
<Property name="ReplacementImageFile" type="string" value="/opt/clearswift/engine/data/opcdfc/redact.emf"/>
<Property name="DetectXLMMacros" type="bool" value="false"/>
</PropertyList>
</Key>

To reverse the change simply remove the “DetectXLMMacros” properties and save the policy. See the warning note below.

Important: If you upgrade the ARgon Server at any point, these changes will be lost, and will need to be re-applied. In this instance, you must not copy back the template files from the pre-upgraded system as the templates may have been updated!

Show me...

Example 1. Sanitize user information from documents

I want to remove user information (Author, company name, revision history) from any Microsoft documents attached to messages leaving my organization.

Create a Sanitize Document Content Content rule and configure the What To Look For? actions to scan for Microsoft Word, Excel and PowerPoint files.
Configure the Document Properties section to look for User information and the Document Contents section to look for Previous revision history:

Configure the What To Do? actions to ensure the message continues through the ARgon Server if sanitization is successful.

In this scenario, you might want to use the following configuration of What To Do? and What Else To Do? actions:

On Successful Sanitization	On Unsuccessful Sanitization
Perform no action	Hold in...
No additional actions	Generate an inform (to administrator)

Apply the content rule to a policy route from My Company to Anyone.

See About Policy Routes for more information.

Example 2. Sanitize location metadata from a JPEG, GIF, or PNG image

I want the ARgon Server to remove GPS location information from any JPEG, GIF, or PNG leaving my organization.

Create a Sanitize Document Content rule and configure the What To Look For? actions. Configure Which Media Types to scan for:
- Image Types > GIF - Graphics Interchange Format, JPEG - JPEG image, or PNG - Portable Network Graphic File
- Document Properties > Location information

Configure the What To Do? actions to allow the connection if sanitization has been successful.

In this scenario, I might want to use the following configuration of What to Do? and What Else to Do? actions:

On Successful Sanitization	On Unsuccessful Sanitization
Deliver the message	Hold in message area...
Perform no action	Perform no action

Apply the content rule to a policy route from Everyone to Everywhere.

See About Policy Routes for more information.

Sanitization

Tell me about...

How do I...

For non-Japanese installations:

For Japanese installations:

Show me...

See also...