Preventing Unknown Threats

In this section we describe in detail how threats are prevented and which hidden objects are removed during sanitization. For each file type, the objects to remove can be chosen in the configuration file; for example, you can configure sanitization to remove macros while keeping hyperlinks. We have documented only a subset of the popular threats that sanitization can prevent.

For each file type, the entries below list the (supported) potential threats, the configuration, and CVE examples.

doc, xls, ppt

  Potential threats:
    • OLE Objects
      • Crafted Embedded Multimedia
    • Macros
    • Embedded Objects
      • Script-enabled ActiveX Controls
    • Crafted Images
    • Hyperlink
    • Chart

  Configuration:
    [X2X]
    remove_macro=1
    remove_embedded_object=1
    remove_hyperlink=1
    process_image=1

    Replace the X above with doc, xls or ppt.
    • remove_macro removes JavaScript and document open actions.
    • remove_embedded_object removes all embedded objects in the file, including attachments, embedded files, ActiveX and OLE objects.

  CVE examples:
    doc
      • ActiveX control: CVE-2012-0158
      • Crafted Images: CVE-2013-1331, CVE-2015-2545
      • Embedded Objects: CVE-2015-0097, CVE-2016-7264
    ppt
      • Crafted Images: CVE-2006-0009, CVE-2014-4114

rtf

  Potential threats:
    • Embedded object
    • Embedded html

  Configuration:
    No configuration

  CVE examples:
    • CVE-2012-0158
    • CVE-2014-1761
    • CVE-2015-1641
    • CVE-2015-2424

docx, dotx, xlsx, xlsb, pptx

  Potential threats:
    • Macro
    • Embedded objects
      • OLE Objects
      • attachment
      • embedded binary file
      • script-enabled ActiveX Controls
    • Chart (not supported for xlsx)
    • Crafted Images
    • Hyperlink
    • Timing node (pptx only)

  Configuration:
    [X2X]
    remove_macro=1
    remove_embedded_object=1
    remove_hyperlink=1
    process_image=1
    remove_metadata=0

    Replace the X above with docx, dotx, xlsx, xlsb or pptx.
    • remove_macro removes JavaScript and document open actions.
    • remove_embedded_object removes all embedded objects in the file, including attachments, embedded files and so on.
    • remove_metadata removes privacy information (creator, lastModifiedBy) from the MS Office file.

  CVE examples:
    docx
      • Crafted Images: CVE-2013-3906
      • Hyperlink: CVE-2015-1641
      • Embedded Objects: CVE-2015-2545
    xlsx
      • Embedded Objects: CVE-2015-2545
    pptx
      • Crafted Images: CVE-2014-4114

htm/html

  Potential threats:
    • Scripts
    • Forms
    • Frames
    • Comments
    • Images
    • Embedded Objects
    • Embedded Java applets
    • Href

  Configuration:
    [html2html]
    remove_script=1
    remove_object=1
    remove_applet=1
    remove_form=1
    remove_comment=1
    remove_iframe=1
    process_tags=2

    • process_tags takes the value 0, 1 or 2:
      • 0: do nothing
      • 1: convert the link to plain text, as in the following examples:
        Ex1: Please click <a href="<script>....</script>">here</a> => Please click here
        Ex2: Please click <a href="https://www.opswat.com">https://www.opswat.com</a> => Please click https://www.opswat.com
        Ex3: Please click <a href="https://www.opswat.com">here</a> => Please click here (https://www.opswat.com)
      • 2: remove the "href" attribute

  CVE examples:
    • Comments: CVE-2013-2551
    • Scripts: CVE-2006-1359, CVE-2014-6332, CVE-2015-0816, CVE-2015-2419, CVE-2016-0189, CVE-2016-9079
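The three process_tags modes above, as an added example of our own (not the engine's code): a small Python rewriter over simple <a href="..."> markup that reproduces Ex1 to Ex3. The rule that only http/https hrefs are kept as visible text is an assumption drawn from those examples.

```python
import re

# Constructed sample input modelled on the Ex1/Ex2/Ex3 cases above (not from the page).
SAMPLE_HTML = (
    'Please click <a href="<script>....</script>">here</a> ; '
    'Please click <a href="https://www.opswat.com">https://www.opswat.com</a> ; '
    'Please click <a href="https://www.opswat.com">here</a>'
)

# Matches one <a ... href="..."> ... </a> element; other attribute quoting
# styles are deliberately not handled (assumption: simple markup only).
ANCHOR_RE = re.compile(
    r'<a\s+[^>]*?href="(?P<href>[^"]*)"[^>]*>(?P<text>.*?)</a>',
    re.IGNORECASE | re.DOTALL,
)


def _is_plain_url(href: str) -> bool:
    # Assumption: only http/https targets are worth keeping as visible text.
    return href.lower().startswith(("http://", "https://"))


def process_tags(html: str, mode: int) -> str:
    """Apply process_tags=0|1|2 semantics to every <a href> in the input."""
    if mode == 0:
        return html                      # 0: do nothing
    if mode == 1:                        # 1: collapse the link to text
        def to_text(m: re.Match) -> str:
            href, text = m.group("href"), m.group("text")
            # A script-bearing or non-URL href (Ex1) and an href equal to the
            # visible text (Ex2) yield the text alone; otherwise the URL is
            # appended in parentheses (Ex3).
            if not _is_plain_url(href) or href == text:
                return text
            return f"{text} ({href})"
        return ANCHOR_RE.sub(to_text, html)
    if mode == 2:                        # 2: keep <a> but drop its href
        return ANCHOR_RE.sub(lambda m: f'<a>{m.group("text")}</a>', html)
    raise ValueError("process_tags must be 0, 1 or 2")
```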

pdf

  Potential threats:
    • Hyperlink
    • Actions/JavaScript
    • Annotation
    • Attachments
    • Forms/Fields
    • Multimedia Objects
    • Images
    • Embedded font

  Configuration:
    [pdf2pdf]
    remove_macro=1
    remove_embedded_object=1
    process_image=1
    remove_embedded_font=0
    image_quality=high
    remove_metadata=0
    remove_hyperlink=1

    • remove_macro removes JavaScript and document open actions.
    • remove_embedded_object removes all embedded objects in the PDF file, including attachments, embedded files and so on.
    • remove_embedded_font removes all embedded fonts from the PDF file; if enabled, it will break Hebrew or Arabic (non-English) content.
    • remove_metadata removes much privacy information (creator, author, ...) from the PDF file.
    • remove_hyperlink removes hyperlink annotations:
      • 0: do not remove any kind of hyperlink.
      • 1: remove hyperlink annotations; the PDF reader may still convert text links into visible links.
      • 2: remove hyperlink annotations and add null links to prevent the PDF reader from converting them into visible links. This may add significant performance overhead depending on the number of hyperlinks in the document.
    • image_quality controls the quality of sanitized images; the default, high, is 60% compared with the original. It applies only when process_image is enabled (1). It affects file size significantly, so choose the setting you need. Values:
      • low
      • medium
      • high (default)
      • very high

  CVE examples:
    • JavaScript: CVE-2007-5659, CVE-2008-2992, CVE-2009-0837
    • Crafted Image: CVE-2010-0188
    • Embedded font: CVE-2010-2883

jtd

  Potential threats:
    • Macro
    • Hyperlink
    • Embedded Objects
    • Images
    • Font
    • Document View Styles

  Configuration:
    [jtd2jtd]
    remove_macro=1
    remove_hyperlink=1
    process_image=1
    remove_embedded_object=1

    • embedded object includes OLE objects

  CVE examples:
    • CVE-2001-0214
    • CVE-2007-4246
    • CVE-2011-0609

hwp

  Potential threats:
    • Embedded Objects
      • Flash file
      • RTF
      • PCT
    • Images
    • Macro
    • Hyperlink

  Configuration:
    [hwp2hwp]
    remove_macro=1
    remove_embedded_object=1
    process_image=1
    process_rtf=1
    remove_hyperlink=1

    • remove_macro removes JavaScript.
    • remove_embedded_object removes all embedded objects in the HWP file, including attachments, embedded files, Flash files and more.
    • process_rtf sanitizes RTF embedded in the HWP file. If the RTF cannot be sanitized, it is removed based on the remove_embedded_object configuration.

  CVE examples:
    • Crafted RTF: CVE-2010-3333, CVE-2012-0158, CVE-2014-1761
    • Flash file SWF: CVE-2011-0609

xml (BETA)

  Potential threats:
    • XML bomb / oversized payload
    • Recursive payload
    • CDATA injection
    • XML injection
    • VB Macro
    • Script

  Configuration:
    [xml2xml]
    remove_macro=1
    remove_cdata=1
    remove_script=1
    remove_injection=1
    xml_entity_limit=128

    • remove_macro removes VB macros in MS Word documents saved as XML.
    • remove_cdata removes CDATA injection and, as a result, removes scripts too.
    • remove_script removes XML injection and, as a result, removes scripts too.
    • xml_entity_limit controls the depth of entity expansion.

  CVE examples:
    • CVE-2006-1359
    • CVE-2014-6332
    • CVE-2015-0816
    • CVE-2015-2419
    • CVE-2016-0189
    • CVE-2016-9079
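A checker for the XML bomb and recursive payload threats above, using xml_entity_limit as a bound on entity nesting depth; this is an added example of our own, not the engine's code. The extra max_expansion size guard is our own addition, since a shallow but wide entity tree can still expand to an oversized payload.

```python
import re

# Constructed sample (not from the page): four-level billion-laughs DTD; &lol3; expands to 192 chars.
SAMPLE_BOMB = """<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""
# Constructed recursive payload: a and b reference each other.
SAMPLE_RECURSIVE = '<!DOCTYPE x [<!ENTITY a "&b;"><!ENTITY b "&a;">]><x>&a;</x>'

ENTITY_DECL_RE = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF_RE = re.compile(r'&(\w+);')

def entity_expansion_stats(xml):
    """(max nesting depth, max expanded length) over the internal-subset
    entities, computed without expanding; ValueError on a reference cycle."""
    decls = dict(ENTITY_DECL_RE.findall(xml))
    memo = {}
    def visit(name, stack):
        if name not in decls:            # predefined (&amp;) or undefined: literal
            return 0, len(name) + 2
        if name in memo:
            return memo[name]
        if name in stack:
            raise ValueError(f"recursive entity reference: &{name};")
        value, depth, size, last = decls[name], 1, 0, 0
        for m in ENTITY_REF_RE.finditer(value):
            size += m.start() - last     # literal text before the reference
            d, s = visit(m.group(1), stack | {name})
            depth, size, last = max(depth, d + 1), size + s, m.end()
        size += len(value) - last        # trailing literal text
        memo[name] = (depth, size)
        return memo[name]

    stats = [visit(n, frozenset()) for n in decls]
    return (max(d for d, _ in stats), max(s for _, s in stats)) if stats else (0, 0)

def entity_verdict(xml, xml_entity_limit=128, max_expansion=1_000_000):
    """'ok', 'too_deep', 'too_large' or 'recursive'; xml_entity_limit mirrors the
    option above, max_expansion is an extra size guard of our own (assumption)."""
    try:
        depth, size = entity_expansion_stats(xml)
    except ValueError:
        return "recursive"
    if depth > xml_entity_limit:
        return "too_deep"
    return "too_large" if size > max_expansion else "ok"
```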

jpg, bmp, png, tiff, gif, svg, wmf

  Potential threats:
    • Embedded malicious code
      • HTML
      • PHP
      • JavaScript
      • exploit code

  Configuration:
    [image]
    remove_metadata=0

    • remove_metadata removes much privacy information (creator, author, GPS, producer, ...) from the image file.
    • Only supported for jpg2jpg, png2png, tiff2tiff, gif2gif and eps2eps.

  CVE examples:
    jpg
      • Exploit code: CVE-2010-0188, CVE-2013-3906
      • Buffer Overflow: CVE-2004-0200
      • HTML: CVE-2008-2551
      • JavaScript: CVE-2012-5076

Additional notes for Metadefender Core v3.x:

  • The Metadefender service must be restarted after changes to the configuration. The ini file is located at <Metadefender Core v3.x install directory>\omsDSConfig.ini.

Additional notes for Metadefender Core v4.x:

  • To change the configuration, log into the Web Management Console and go to Inventory → Engines. Press the edit button on the Data Sanitization row and enter the configuration in the Advanced Engine Configuration box.

  • The modified configuration is deployed within a few minutes.

  • There is no need to restart the Metadefender service.

  • Because of strict file type enforcement, whether a file type listed in this table is sanitized depends on the file type analysis result. For example, if a file is not correctly detected as PDF, no PDF sanitization is performed.