Sanitization

The sanitization feature of Secure Email Gateway allows you to detect and remove potentially threatening content from communications. Sanitization can detect and remove active content, embedded content, URLs or hyperlinks, scripts or macros and document properties from communications. Sanitization also purges potential harmful content from documents, attachments and media types.

For example, you might want to ensure messages are delivered with macros removed, or that a document is displayed without the document properties revealing information such as the 'author' or 'owner'.

Sanitization is performed by the following content rules:

• Sanitize Active Content - removes active content, such as scripts and macros, from email attachments, before safely delivering or displaying.
• Sanitize Document Content - removes a selection of properties, revision history, comments and metadata from documents. It also sanitizes metadata from image format types JPEG, GIF, and PNG.
• Sanitize Message - removes potential threats, such as embedded and active content, URLs and hyperlinks from message subjects and bodies, and attachments from an email before safely delivering.

Tell me about...

• How sanitization works with Secure Email Gateway

  The Gateway performs sanitization using either a Sanitize Active Content, a Sanitize Document Content, or a Sanitize Message content rule. These content rules:

  • Scan for specified document properties, active content, embedded content, URLs, or hyperlinks.

  If a rule is triggered, the Gateway:

  • Attempts to sanitize the content appropriately and applies the What To Do? actions.

  Each content rule applies a different set of What To Do? actions for the following conditions:

  • On successful sanitization - for example, Perform no action (email) or Continue to the next rule (web).

    Successful sanitization occurs if the detected content can be sanitized. If Perform no action or Continue to the next rule is selected, the Gateway sanitizes the content and continues to the next rule in the policy route.

  • On unsuccessful sanitization - for example, Deliver the Message (email) or Block communication using the block page for the failure (web).

    Unsuccessful sanitization occurs if content has been detected but cannot be sanitized.

    For example, a digitally signed document can be scanned for active content, but cannot be opened and sanitized. The sanitization is considered 'unsuccessful' because the Gateway cannot edit the protected content.

• Document Properties

  Documents can contain hidden data that could be sensitive or might compromise your intellectual property. For example, a set of document properties might reveal user information or infrastructure information, such as printer information, included in the document. You can use a Sanitize Document Content content rule to remove these properties from documents before safely delivering them.

• Document Contents

  Document contents can include potentially sensitive metadata such as revision histories and comments. You can use a Sanitize Document Content content rule to remove this content from documents before safely delivering them.

• Active content

  Active content includes scripts, macros and code segments, either embedded within a document or hidden in a web page. You can use the Sanitize Active Content rule to remove active content from communications, ensuring information is shared safely and without disruption.

• Embedded content

  Embedded content includes files or programs that are embedded within a message, for example an image. You can use the Sanitize Message rule to remove embedded content from an email body, ensuring information is shared safely and without disruption.

• URLs

  URLs and hyperlinks in messages can often be potential threats, for example, phishing exploits. You can use the Sanitize Message content rule to scan for URLs and hyperlinks in the subject and/or body of a message. The Gateway can use lists of these URLs as a policy reference. See URL Lists for more information.

• Compatible media types

  The following media types are supported by Secure Email Gateway sanitization content rules.

  Media Type	Extensions	Sanitize Active Content	Sanitize Document Content	Sanitize Message
  HTML	.htm .html
  Rich Text Format	.rtf
  RTF-encoded html	.html
  Microsoft Excel spreadsheet (2007+)	.xlsx .xlsm .xltx
  Microsoft PowerPoint presentation (2007+)	.pptx .pptm .potx .ppsx .ppsm .thmx
  Microsoft Word Document (2007+)	.docx .docm .dotx .dotm
  LibreOffice Document Types	.ods .odg .odp .odm .odf .odt
  Adobe PDF	.pdf
  Metadata in GIF, JPEG, and PNG images	.gif .jpg .png

  Sanitization is not supported for Microsoft Office 97-2003 documents with the extensions .doc, .xls or .ppt. Content in these documents can be detected but sanitization is always unsuccessful.

• Encryption and protected documents

  There are a number of ways to restrict access and control of a particular document. For example, a Microsoft Word document could be read-only, password encrypted or stored in a password-restricted zip folder. The Gateway can sanitize documents that are accessible, even if they have been restricted from editing by the original user.

  Sanitization can be successful, even if:

  • The file is read-only
  • The document is 'marked as final'
  • The file is contained within nested zip folders

  Sanitization is automatically unsuccessful if:

  • The document is signed with a digital signature A digitally-signed message proves to the recipient that you, not an imposter, signed the contents of the message, and that the contents have not been altered in transit.

  Sanitization is not attempted if:

  • The document is encrypted or protected from opening by a password.
  • The document is contained within a password-restricted zip folder.
• Document Properties and Document Contents categories

  You can Sanitize Document Content in categories. For example, the following Document Properties and Document Categories can be sanitized from selected Media Types:

  Category	Description	Microsoft Office	Libre Office	Adobe PDF	GIF, JPEG, PNG
  Subject Matter	Document properties such as Title, Subject and Keywords	Categories, Comments, Status, Subject, Tags, Title	Comments, Keywords, Subject, Title	Keywords, Subject, Title	Title, Description, Keywords, Subject
  User Information	Properties identifying an individual, such as Author or Owner	Author, Company, Last modified by (user), Manager	Created (user), Last printed (user), Modified (user)	Author	Artist, Author, Company, Writer/Editor
  Infrastructure Information	Properties containing environmental information, including printer information	Template, printer information	Application, Producer, printer information	Application, Producer	Creator, Producer, Program Version
  Miscellaneous Information	Standard application properties that are not relevant to a specific category	Created (date), Last modified (date), Last printed (date), Revision number	Created (date), Last printed (date), Modified (date), Revision number, Total editing time	Created (date), Modified (date)	Creation Date, Copyright, Language, Unique ID
  Rogue Properties	Properties that are either malformed or found in an unexpected location	Various	Various	Various	Various
  Custom Properties	Properties created by the author using a facility within the authoring tool	Various	Various	Various	Various
  Location	GPS Location information added to a JPEG image by a device	-	-	-	Location information

  Custom properties must not contain commas "," or exclamation marks "!" as these characters are not supported and will not be correctly detected or sanitized.

How do I...

• Detect and block traffic containing active content?

  You can use a Detect Active Content rule to detect email or web traffic containing scripts, macros or active content in selected media types.

  1. Create a content rule using the Detect active content content rule template. Show me

     1. Navigate to Policy > Manage Policy Definition > Content Rules. The Manage Content Rules page is displayed.

     2. In the Content Rules panel, click New. The Add a Content Rule dialog is displayed.

     3. From the list of content rule templates, select Detect active content. An editing page for the new content rule is displayed.

     4. In the Overview panel, click Click here to change these settings. Edit the Name and Notes of the content rule as required, and click Save.

  2. Configure the What To Look For? conditions. Show me

     1. Change the What to Look For? conditions to select Which Media Types you want the Gateway to look for.

        You can select individual document types using the Detectable Types window to select which file types you want to detect.

        Select the Documents check box in the Detectable Types window to select all document formats.

     2. Select the Direction To Apply the content rule by clicking Click here to change these settings. You can specify whether the detected items are entering the company, leaving the company, or either entering or leaving the company. Click Save.

     3. Click Save.

  3. Configure the What To Do? actions. Show me

     1. Change the What to Do? actions of the content rule to determine what happens when the content rule detects active content. Click Click here to change these settings. Select a Disposal Action (email) or Primary Action (web).

        To find out more about configuring actions, see About What To Do? Actions

     2. Click Save.

  4. Apply Configuration.

     The content rule can now be applied to a policy route.

• Build a Sanitize Active Content rule?

  Use a Sanitize Active Content rule to detect and remove active content from email or web traffic.

  1. Create a content rule using the Sanitize Active Content content rule template. Show me

     1. Navigate to Policy > Manage Policy Definition > Content Rules. The Manage Content Rules page is displayed.

     2. In the Content Rules panel, click New. The Add a Content Rule dialog is displayed.

     3. From the list of content rule templates, select Sanitize Active Content. An editing page for the new content rule is displayed.

     4. In the Overview panel, click Click here to change these settings. Edit the Name and Notes of the content rule as required, and click Save.

  2. Configure the What to Look For? conditions. Show me

     1. Change the What to Look For? conditions to select Which Media Types you want the Gateway to look for.

        You can select individual document types using the Detectable Types window to select which file types you want to detect.

        Select the Documents check box in the Detectable Types window to select all document formats.

        The HTML and HTML with Script detectable types are unselected by default on a Web Gateway. If you are operating a Web Gateway which is peered with an Email Gateway, it is recommended that you ensure these check boxes remain unselected.

     2. Click Save.
  3. Configure the What To Do? actions if sanitization is successful. Show me

     1. Use the On Successful Sanitization section to select the appropriate Disposal Action (email) or Primary Action (web).

        You can Tag the Message Subject as an action for this content rule if you want the message subject line to inform recipients that active content has been removed. To find out more about the Tag the Message Subject action, see What To Do? Actions.

     2. Click Save.

     3. Add any What Else To Do? actions by clicking New.

        To find out more about configuring actions, see About What To Do? Actions

     4. Click Save.

  4. Configure the What To Do? actions if sanitization is unsuccessful. Show me

     1. Use the On Unsuccessful Sanitization section to select the appropriate Disposal Action (email) or Primary Action (web).

     2. Click Save.

     3. Add any What Else To Do? actions by clicking New.
        

        To find out more about configuring actions, see About What To Do? Actions

     4. Click Save.

  5. Apply Configuration.

     The content rule can now be applied to a policy route.

• Build a Sanitize Document Content rule?

  1. Create a content rule using the Sanitize Document Content content rule template. Show me

     1. Navigate to Policy > Manage Policy Definition > Content Rules. The Manage Content Rules page is displayed.

     2. In the Content Rules panel, click New. The Add a Content Rule dialog is displayed.

     3. From the list of content rule templates, select Sanitize Document Content. An editing page for the new content rule is displayed.

     4. In the Overview panel, click Click here to change these settings. Edit the Name and Notes of the content rule as required, and click Save.

  2. Configure the What To Look For? conditions to find selected Media Types. Show me

     1. Select Which Media Types you want the Gateway to look for. Click Click here to change these settings.

        You can select individual document types using the Detectable Types window to select which file types you want to detect.

        Select the Documents check box in the Detectable Types window to select all document formats.

     2. Click Save.
  3. Configure the What To Look For? conditions to search document property categories. Show me

     1. Select which document property categories you want the Gateway to look for. In the And Contains Any of the Following section click Click here to change these settings and select categories using the check boxes.

        You can also exclude any custom document properties you might have defined. Select Exclude the following custom properties and enter comma separated values.

     2. Click Save.
  4. Configure the What To Do? actions if sanitization is successful. Show me

     1. Use the On Successful Sanitization section to select the appropriate Disposal Action (email) or Primary Action (web).

        You can Tag the Message Subject as an action for this content rule if you want the message subject line to inform recipients of changes to message attachments. To find out more about the Tag the Message Subject action, see What To Do? Actions.

     2. Click Save.

     3. Add any What Else To Do? actions by clicking New.

     4. Click Save.

  5. Configure the What To Do? actions if sanitization is unsuccessful. Show me

     1. Use the On Unsuccessful Sanitization section to select the appropriate Disposal Action (email) or Primary Action (web).

     2. Click Save.

     3. Add any What Else To Do? actions by clicking New.
        

        To find out more about configuring actions, see About What To Do? Actions

     4. Click Save.

  6. Apply Configuration.

     The content rule can now be applied to a policy route.

• Build a Sanitize Message rule?

  You can configure the Gateway to detect potentially threatening content, such as embedded and active content, URLs, hyperlinks, and attachments in message subjects or bodies. You can detect and remove this content using a Sanitize Message content rule.

  1. Create a content rule using the Sanitize Message content rule template. Show me

     1. Navigate to Policy > Manage Policy Definition > Content Rules. The Manage Content Rules page is displayed.

     2. In the Content Rules panel, click New. The Add a Content Rule dialog is displayed.

     3. From the list of content rule templates, select Sanitize Message. An editing page for the new content rule is displayed.

     4. In the Overview panel, click Click here to change these settings. Edit the Name and Notes of the content rule as required, and click Save.

  2. Configure the What To Look For? conditions. Show me

     1. Select Which Message Types you want the Gateway to look for:

        • All messages: The Gateway searches all messages for potential threats.
        • Selected messages: The Gateway looks only for the selected type(s) of suspicious messages.

     2. Select the Mode of detection you want to apply:

        • Detect only: Detects and reports potential threats, according to the What to Do? Disposal Action, but performs no additional sanitization action.
        • Detect and Sanitize: Detects potential threats and performs the configured sanitization action.

     3. Configure the Gateway to process HTML and RTF Email Bodies using the check boxes:

        • Convert message to plain text: This option converts any HTML or rich text message bodies to plain text before applying the What to do? action.

          In the case of an email which contains both plain text and rich text bodies, the Gateway removes the rich text body. In the case in which the email only has a rich text body, the Gateway converts the rich text to a plain text body.

          If instead, you want to process rich text message bodies as well as plain text, you can further specify the type of content to search for within rich text bodies:

          • Embedded content (e.g. images, other data)
          • Active content (e.g. scripts)
          • Links to resources (e.g. links to images, stylesheets)

          These options do not apply to plain text. They are not selectable if you are converting rich text email bodies to plain text.

     4. Configure the Gateway to process URLs and Hyperlinks using the Detect or remove URLs and hyperlinks in: Message subjects and/or Message bodies.

        This option configures how the Gateway scans for (and sanitizes) URLs and hyperlinks that might pose a threat. URLs are stored in URL Lists. You can:

        • Detect or remove All URLs and hyperlinks - this detects or sanitizes every URL or hyperlink encountered by the content rule.
        • Re-write URLs using the format - specify a URL that directs you to your external web protection software, using tokens to pass the URL to scan URLs clicked in messages. See URLs and Hyperlinks in the list of What to Look for? clauses for more information on how to use the tokens.
        • Detect or remove Only the URLs defined in the selected lists - this detects or sanitizes URLs contained in the specified URL Lists. This acts as a 'block list' of harmful URLs.
        • Add exceptions to your block-listed URLs by selecting Except the URLs defined in the selected lists. This acts as an 'allow list' for trusted URLs. The exception list always takes priority over the block list'.

        To find out more about how to create and modify URL Lists, see URL Lists.

     5. In the Attachments section, click Remove attachments if required. This option removes attachments from detected messages. You can only select this option in Detect and Sanitize mode.

        If you select Remove attachments on All messages, every attachment will be removed by the content rule.

  3. Configure the What To Do? actions if sanitization is successful. Show me

     1. Use the On Successful Sanitization section to select the appropriate Disposal Action.

     2. Click Save.

     3. Add any What Else To Do? actions by clicking New.

        You can Tag the Message Subject as an action for this content rule if you want the message subject line to inform recipients of changes to the message such as links removed or attachments stripped. To find out more about the Tag the Message Subject action, see What To Do? Actions.

     4. Click Save.

  4. Configure the What To Do? actions if sanitization is unsuccessful. Show me

     1. Use the On Unsuccessful Sanitization section to select the appropriate Disposal Action (email) or Primary Action (web).

     2. Click Save.

     3. Add any What Else To Do? actions by clicking New.
        

        To find out more about configuring actions, see About What To Do? Actions

     4. Click Save.

  5. Apply Configuration.

     The content rule can now be applied to a policy route.

• Bypass sanitization for signed documents?

  You can configure the Gateway to bypass either the Sanitize Active Content or Sanitize Document Content rule when a signed document is encountered.

  Configure the relevant content rule and add the Bypass Rule What to Look For? clause by selecting the Bypass Rule for signed documents check box.

  Bypass Rule only affects signed documents. The Gateway will continue to apply unsuccessful sanitization to signed messages, even when this check box is selected.

• Disable the macros (XLM) in Excel?

  XLM, for Excel Macro, is a type of spreadsheet file that is used to store macros and can be used to hide malware that is notoriously difficult to detect, thus creating a security risk. However, due to the nature of these macros, they can trigger a lot of false positives. Within Clearswift Gateway the detection of these XLM macros is automatically enabled for all customers from 5.1 onwards.

  Use the following procedure to disable the detection of the XLM macros within the Gateway.

  Keep a copy of the original template file(s) so you can copy them back if you decide to revert the change.

  The extra configuration must be added to both the CDA and ZIP format managers. Otherwise the behaviour for CDA and OPC documents will be inconsistent.

  For non-Japanese installations:

  1. Log into the Gateway using a cockpit terminal session.

  2. Open the file: /opt/cs-gateway/bin/template.xml

  3. Add the highlighted line to the CDA format manager.

  <Key name="CDA Files" default="Compound Document">
  <PropertyList duplicates="true">
  <Property name="PolicyList" type="string" value="" />
  <Property name="MaxNumStreams" type="int" value="1000"/>
  <Property name="MinAsciiLength" type="int" value="3" />
  <Property name="MinUnicodeLength" type="int" value="3" />
  <Property name="SetProcessingOf" type="string" value="{11943940-36DE-11CF-953E-00C0A84029E9},Disabled" />
  <Property name="DetectXLMMacros" type="bool" value="false"/>
  </PropertyList>
  </Key>

  4. Add the highlighted line to the ZIP format manager.

  <Key name="ZIP Files" default="ZIP Archive">
  <PropertyList duplicates="true">
  <Property name="PolicyList" type="string" value="" />
  <Property name="ReplacementImageFile" type="string" value="/opt/clearswift/engine/data/opcdfc/redact.emf"/>
  <Property name="DetectXLMMacros" type="bool" value="false"/>
  </PropertyList>
  </Key>

  5. After modifying the template.xml file, apply the policy for the changes to be saved.

  To reverse the change simply remove the DetectXLMMacros properties and save the policy. See the warning note below.

  For Japanese installations:

  1. Edit the file: /opt/cs-gateway/bin/template_ja_jp.xml and make the same changes as above, but note that the “ZIP Archive” section is different.

  <Key name="ZIP Files" default="ZIP Archive">
  <PropertyList duplicates="true">
  <Property name="PolicyList" type="string" value="" />
  <Property name="CharacterSet" type="string" value="Shift-JIS" />
  <Property name="ReplacementImageFile" type="string" value="/opt/clearswift/engine/data/opcdfc/redact.emf"/>
  <Property name="DetectXLMMacros" type="bool" value="false"/>
  </PropertyList>
  </Key>

  Important: If you upgrade the Gateway at any point, these changes will be lost, and will need to be re-applied. In this instance, you must not copy back the template files from the pre-upgraded system as the templates may have been updated!

Show me...

• Example 1. Sanitize user information from documents

  I want to remove user information (Author, company name, revision history) from any Microsoft documents attached to messages leaving my organization.

  1. Create a Sanitize Document Content Content rule and configure the What To Look For? actions to scan for Microsoft Word, Excel and PowerPoint files.

  2. Configure the Document Properties section to look for User information and the Document Contents section to look for Previous revision history:

     

  3. Configure the What To Do? actions to ensure the message continues through the Gateway if sanitization is successful.

     In this scenario, you might want to use the following configuration of What To Do? and What Else To Do? actions:

     On Successful Sanitization	On Unsuccessful Sanitization
     Perform no action	Hold in...
     No additional actions	Generate an inform (to administrator)

  4. Apply the content rule to a policy route from My Company to Anyone.

     See About Policy Routes for more information.

• Example 2. Sanitize location metadata from a JPEG, GIF, or PNG image

  I want the Gateway to remove GPS location information from any JPEG, GIF, or PNG leaving my organization.

  1. Create a Sanitize Document Content rule and configure the What To Look For? actions. Configure Which Media Types to scan for:

     • Image Types > GIF - Graphics Interchange Format, JPEG - JPEG image, or PNG - Portable Network Graphic File
     • Document Properties > Location information

  2. Configure the What To Do? actions to allow the connection if sanitization has been successful.

     In this scenario, I might want to use the following configuration of What to Do? and What Else to Do? actions:

     On Successful Sanitization	On Unsuccessful Sanitization
     Deliver the message	Hold in message area...
     Perform no action	Perform no action

  3. Apply the content rule to a policy route from Everyone to Everywhere.

     See About Policy Routes for more information.

• Example 3. Sanitize phishing hyperlinks from all incoming messages so they can be safely delivered

  I want to detect any messages that contain known or suspicious URLs. I want to remove the links from the message and deliver it safely to the recipient.

  1. Create a message area to hold messages containing hyperlinks that cannot be removed. Message areas are created automatically when you define Disposal Actions as part of your content security policy. See Disposal Actions for more information.
  2. Create a Sanitize Message content rule and configure the What To Look For? clauses to scan for All messages.
  3. Select the Mode: Detect and Sanitize.
  4. In the URLs and Hyperlinks section, choose to enable detection or removal of URLs and hyperlinks from Message subjects and/or Message bodies.

  5. Select Only the URLs defined in the selected lists. You need to select the URL Lists that you want to apply. In this scenario those URL Lists are the Sophos and Mailshell Real-time Malicious URL Lists and your Custom URL List.

     If you want to supplement the Sophos and Mailshell Real-time Malicious URL Lists with your own URLs, create a Custom URL List and add your own URLs. For more information on creating and configuring URL Lists, see URL Lists.

  6. Check your configuration is correct and click Save.

  7. Configure the What To Do? actions to ensure the message continues through the Gateway if sanitization is successful.

     In this scenario, you might want to use the following configuration of What to do? and What else to do? actions:

     On Successful Sanitization	On Unsuccessful Sanitization
     Perform no action	Hold in... the message area you defined in step 1.
     Tag The Message Subject for the recipient to receive information in the subject line of the message notifying them that URLs were removed from the message.	Generate An Inform to an administrator.

  8. Apply the content rule to a policy route.

     See About Policy Routes for more information.

  Detected messages containing a phishing hyperlink will be sanitized and delivered to the recipient, with the subject line notifying the recipient of changes to the message, if the sanitization action is successful. For example, if a message subject or body contains a link to http://www.phishingforpasswords.com, the message will be delivered with the link redacted: ****://***.********************.***

  If sanitization is unsuccessful (for example, due to an unmodifiable message) the message will be held in a message area and an administrator will receive an inform.

• Example 4. Sanitize potentially harmful spam emails so they can be safely placed in a PMM message area

  I want to detect any spam messages that contain potentially harmful content. I want to remove the harmful content from the message, before holding the sanitized message in a message area for users to release via PMM.

  1. Create a Sanitize Message content rule and configure the What To Look For? clauses to scan for the following Selected messages:

     • Confirmed Spam
     • Suspected Spam
  2. Select the Mode: Detect and Sanitize.
  3. In the HTML and RTF Email Bodies section, select Convert message to plain text.
  4. In the URLs and Hyperlinks section, choose to enable detection or removal of URLs and hyperlinks from Message subjects and/or Message bodies, and select All URLs and hyperlinks.

  5. In the Attachments section, enable Remove attachments.

  6. Check your configuration is correct and click Save.

  7. Configure the What To Do? actions to ensure the message continues through the Gateway if sanitization is successful.

     In this scenario, you might want to use the following configuration of What to do? and What else to do? actions:

     On Successful Sanitization	On Unsuccessful Sanitization
     Hold in... a PMM-managed message area	Hold in... the message area.
     Tag The Message Subject for the recipient to receive information in the subject line of the message notifying them that potentially harmful content, such as URLs and attachments, was removed from the message.	Generate An Inform to an administrator.

     The message areas contain both the original and sanitized version of the message. When the intended recipient releases a message via PMM, it is the sanitized version that gets released. When the Gateway Administrator releases a message from a message area, they have the choice of releasing either the sanitized or original version of the message.

  8. Apply the content rule to a policy route.

     See About Policy Routes for more information.

  Detected messages containing potentially harmful content will be sanitized and held in a PMM-managed message area for the recipient to release if the sanitization action is successful. The message subject line will notify the recipient of changes to the message.

  If sanitization is unsuccessful (for example, due to an unmodifiable message) the message will be held in a message area and an administrator will receive an Inform.

See also...

• Adaptive redaction
• Content rules
• Policy Routes
• Policy References