Check Point 'threat extraction' tech cleans booby-trapped email attachments

Security giant Check Point has started offering customers a new technology it claims will clean email attachments of malicious or booby-trapped content before they reach the inboxes of employees.

Dubbed 'Threat Extraction', the system is designed to close an email security hole that firewalls, IPS, URL filtering and anti-virus have consistently proved ineffective at closing: apparently innocuous documents that silently call JavaScript, run macros or launch external programs.

It's become a massive problem as numerous disclosed attacks and breaches attest. In almost every one of them this simple tactic was central.

As Threat Extraction's name suggests, emailed documents are run through the gateway to disable risky content, after which recipients receive a 'reconstructed' version with a notice telling them that some content was disabled.

Admins can also choose to leave the cleaned document in its native format or automatically convert it to a PDF. If malicious content is detected inside a document, this fact is logged so that security teams can build a picture of any larger campaign targeting their organisation.

The whole system can also work in tandem with Check Point's Threat Emulation technology, a technique for running potential threats in a virtualised space to see what they do. However, unlike Threat Emulation, Check Point claims Threat Extraction delays documents by seconds rather than up to minutes.

"If an email arrives a couple of minutes later then that's not an issue if it's safer," commented Check Point product manager, Noam Green. "But [this] takes a second or two to reconstruct the document."

Both systems were options for Check Point's Blade architecture and could run on premise or as a service, he said.

Threat Extraction will be offered as part of a new Next Generation Threat Prevention package called NGTX from the beginning of April. Pricing is not yet available.

John E Dunn
