Preventing Unknown Threats

This section describes how threats are prevented and which hidden objects are removed during sanitization. For each file type, the objects to remove are selected in the configuration file; for example, you can remove macros while keeping hyperlinks. Only a subset of the common threats that sanitization prevents is documented here.

JTD / HWP sanitization is in BETA. Do not enable it for production use. Enabling it should not affect sanitization of other file types. Please contact OPSWAT technical support if you have samples you would like to share with us for investigation.

Each entry below gives, for a file type: the (supported) potential threats, the configuration section that controls their removal, a sample (where available), and CVE examples.

doc / xls / ppt

Potential threats:

  • OLE objects
    • Crafted embedded multimedia
  • Macros
  • Embedded objects
    • Script-enabled ActiveX controls
  • Crafted images
  • Hyperlinks
  • Charts

Configuration (replace X with doc, xls or ppt, giving the sections [doc2doc], [xls2xls] and [ppt2ppt]):

[X2X]
remove_macro=1
remove_embedded_object=1
remove_hyperlink=1
process_image=1

  • remove_macro removes macros (the VBA project), including any macro that runs automatically when the document is opened
  • remove_embedded_object removes all embedded objects in the file, including attachments, embedded files, ActiveX controls and OLE objects

CVE examples (doc):

  • ActiveX control
    • CVE-2012-0158
  • Crafted images
    • CVE-2013-1331
    • CVE-2015-2545
  • Embedded objects
    • CVE-2015-0097
    • CVE-2016-7264

CVE examples (xls): none listed

CVE examples (ppt):

  • Crafted images
    • CVE-2006-0009
    • CVE-2014-4114

rtf

Potential threats:

  • Embedded objects
  • Embedded HTML

Configuration: none (RTF sanitization has no configurable options)

CVE examples:

  • CVE-2012-0158
  • CVE-2014-1761
  • CVE-2015-1641
  • CVE-2015-2424

docx / xlsx / pptx

Potential threats:

  • Macros
  • Embedded objects
    • OLE objects
    • Attachments
    • Embedded binary files
    • Script-enabled ActiveX controls
  • Charts (not supported for xlsx)
  • Crafted images
  • Hyperlinks
  • Timing nodes (pptx only)

Configuration (replace X with docx, xlsx or pptx, giving the sections [docx2docx], [xlsx2xlsx] and [pptx2pptx]):

[X2X]
remove_macro=1
remove_embedded_object=1
remove_hyperlink=1
process_image=1

  • remove_macro removes macros (the VBA project), including any macro that runs automatically when the document is opened
  • remove_embedded_object removes all embedded objects in the file, including attachments, embedded files and OLE objects

CVE examples (docx):

  • Crafted images
    • CVE-2013-3906
  • Hyperlink
    • CVE-2015-1641
  • Embedded objects
    • CVE-2015-2545

CVE examples (xlsx):

  • Embedded objects
    • CVE-2015-2545

CVE examples (pptx):

  • Crafted images
    • CVE-2014-4114
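A practical way to confirm that a docx/xlsx/pptx package came out of sanitization with the threats above actually removed is to look at the package itself: OOXML files are zip archives, macros live in a vbaProject.bin part, OLE and packaged files under embeddings/, ActiveX controls under activeX/, images under media/, and external hyperlinks are relationship entries in the _rels parts. The inspector below is an added example written for this page; it is not OPSWAT code and does not use the product's API. The part-name conventions are standard OOXML; the sample package it builds is constructed in memory and only a skeleton (the vbaProject.bin and oleObject1.bin contents are four-byte stubs, not real OLE containers).

```python
import io
import re
import zipfile

# A hyperlink is a relationship of the hyperlink type in a .rels part; its URL is the Target.
HYPERLINK_REL = re.compile(rb'<Relationship\b[^>]*\bType="[^"]*/hyperlink"[^>]*>')
TARGET_ATTR = re.compile(rb'\bTarget="([^"]*)"')


def inspect_ooxml(data):
    """Report the parts of a docx/xlsx/pptx package that carry the threats listed above.

    Keys mirror the configuration switches: macros (remove_macro), embedded_objects and
    activex (remove_embedded_object), hyperlinks (remove_hyperlink), images (process_image).
    """
    found = {'macros': [], 'embedded_objects': [], 'activex': [], 'hyperlinks': [], 'images': []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for part in pkg.namelist():
            low = part.lower()
            if low.endswith('vbaproject.bin'):          # VBA project = macros (docm/xlsm/pptm)
                found['macros'].append(part)
            elif '/embeddings/' in low:                 # OLE objects, packaged files
                found['embedded_objects'].append(part)
            elif '/activex/' in low:                    # ActiveX control definitions and binaries
                found['activex'].append(part)
            elif '/media/' in low:                      # images and other media
                found['images'].append(part)
            if low.endswith('.rels'):                   # external hyperlinks live in relationship parts
                for rel in HYPERLINK_REL.finditer(pkg.read(part)):
                    target = TARGET_ATTR.search(rel.group(0))
                    if target:
                        found['hyperlinks'].append(target.group(1).decode('utf-8'))
    return found


def build_sample_docx():
    """Constructed sample: a skeletal macro-enabled package with every threat class present."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr('[Content_Types].xml', '<Types/>')
        pkg.writestr('word/document.xml', '<w:document/>')
        pkg.writestr('word/vbaProject.bin', b'\xd0\xcf\x11\xe0')           # OLE2 header stub only
        pkg.writestr('word/embeddings/oleObject1.bin', b'\xd0\xcf\x11\xe0')
        pkg.writestr('word/activeX/activeX1.xml', '<ax:ocx/>')
        pkg.writestr('word/media/image1.png', b'\x89PNG')
        pkg.writestr(
            'word/_rels/document.xml.rels',
            '<Relationships>'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
            'relationships/hyperlink" Target="https://www.opswat.com" TargetMode="External"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
            'relationships/image" Target="media/image1.png"/>'
            '</Relationships>')
    return buf.getvalue()


def sanitized_ok(data, keep_hyperlinks=False):
    """True when a package is free of macros, embedded objects and ActiveX
    (and of external hyperlinks unless keep_hyperlinks is set, mirroring remove_hyperlink=0)."""
    found = inspect_ooxml(data)
    leftovers = found['macros'] + found['embedded_objects'] + found['activex']
    if not keep_hyperlinks:
        leftovers += found['hyperlinks']
    return not leftovers


if __name__ == '__main__':
    for key, parts in inspect_ooxml(build_sample_docx()).items():
        print(f'{key}: {parts}')
```

Run it over the sanitized output rather than the input: with remove_macro=1, remove_embedded_object=1 and remove_hyperlink=1 the sanitized package should report empty lists for macros, embedded_objects, activex and hyperlinks, while images remain (process_image re-encodes them rather than dropping them). Charts, timing nodes and crafted image content are not visible at the part-name level and need a content-level check.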

htm/html

Potential threats:

  • Scripts
  • Forms
  • Frames
  • Comments
  • Images
  • Embedded objects
  • Embedded Java applets
  • Href

Configuration:

[html2html]
remove_script=1
remove_object=1
remove_applet=1
remove_form=1
remove_comment=1
remove_iframe=1
process_tags=2

  • process_tags takes the value 0, 1 or 2:
    • 0: do nothing
    • 1: replace each hyperlink with its visible text; the target URL is appended in parentheses when it differs from the text, and dropped when it is script. For example:
      Please click <a href="<script>....</script>">here</a> => Please click here
      Please click <a href="https://www.opswat.com">https://www.opswat.com</a> => Please click https://www.opswat.com
      Please click <a href="https://www.opswat.com">here</a> => Please click here (https://www.opswat.com)
    • 2: remove the href attribute

CVE examples:

  • Comments
    • CVE-2013-2551
  • Scripts
    • CVE-2006-1359
    • CVE-2014-6332
    • CVE-2015-0816
    • CVE-2015-2419
    • CVE-2016-0189
    • CVE-2016-9079
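The three process_tags modes are easiest to understand as a small rewriting pass over the anchor elements. The implementation below is an added example written for this page, not OPSWAT's engine; it reproduces the three documented examples for mode 1 and the href removal of mode 2 with Python's standard html.parser. One rule is my assumption rather than something the page states: a "script" href is taken to be one that contains an inline <script> element or uses the javascript: scheme.

```python
import re
from html.parser import HTMLParser

# Assumption (not stated on the page): an href counts as "script" if it embeds a
# <script> element or uses the javascript: scheme; such targets are dropped in mode 1.
SCRIPT_HREF = re.compile(r'<\s*script\b|^\s*javascript:', re.IGNORECASE)


class AnchorRewriter(HTMLParser):
    """Re-emit an HTML fragment, rewriting <a> elements according to `mode`.

    mode 1: the link becomes its visible text, followed by " (url)" when the url is
            neither script nor identical to the text.
    mode 2: the <a> element is kept but its href attribute is removed.
    """

    def __init__(self, mode):
        super().__init__(convert_charrefs=False)  # keep entities exactly as written
        self.mode = mode
        self.out = []
        self.pending = []  # open anchors in mode 1: [href, text fragments]

    def _emit(self, text):
        # Inside an open anchor (mode 1) everything is collected as link text.
        (self.pending[-1][1] if self.pending else self.out).append(text)

    def handle_starttag(self, tag, attrs):
        if tag != 'a':
            self._emit(self.get_starttag_text())
        elif self.mode == 1:
            href = next((v or '' for k, v in attrs if k == 'href'), '')
            self.pending.append([href, []])
        else:  # mode 2: rebuild the start tag without href
            kept = ''.join(f' {k}="{v}"' if v is not None else f' {k}'
                           for k, v in attrs if k != 'href')
            self._emit(f'<a{kept}>')

    def handle_startendtag(self, tag, attrs):
        self._emit(self.get_starttag_text())  # <br/> and friends pass through untouched

    def handle_endtag(self, tag):
        if tag == 'a' and self.mode == 1:
            if self.pending:
                href, parts = self.pending.pop()
                text = ''.join(parts)
                if href and href != text and not SCRIPT_HREF.search(href):
                    text += f' ({href})'
                self._emit(text)
            return
        self._emit(f'</{tag}>')

    def handle_data(self, data):
        self._emit(data)

    def handle_entityref(self, name):
        self._emit(f'&{name};')

    def handle_charref(self, name):
        self._emit(f'&#{name};')

    def handle_comment(self, data):
        self._emit(f'<!--{data}-->')  # comments are left to remove_comment


def process_tags(html, mode):
    """Apply the process_tags policy (0, 1 or 2) to an HTML fragment and return the result."""
    if mode == 0:
        return html
    if mode not in (1, 2):
        raise ValueError('process_tags must be 0, 1 or 2')
    parser = AnchorRewriter(mode)
    parser.feed(html)
    parser.close()
    return ''.join(parser.out)


if __name__ == '__main__':
    sample = 'Please click <a href="https://www.opswat.com">here</a>'
    for mode in (0, 1, 2):
        print(mode, '=>', process_tags(sample, mode))
```

Mode 2 is the safer default shipped in the configuration above: it keeps the document structure but leaves nothing for a click to follow, whereas mode 1 preserves the destination as plain text for the reader to copy by hand.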

pdf

Potential threats:

  • Hyperlinks
  • Actions/JavaScript
  • Annotations
  • Attachments
  • Forms/Fields
  • Multimedia objects
  • Images
  • Embedded fonts

Configuration:

[pdf2pdf]
remove_macro=1
remove_embedded_object=1
process_image=1
remove_embedded_font=0
image_quality=10

  • remove_macro removes JavaScript and document open actions
  • remove_embedded_object removes all embedded objects in the PDF file, including attachments, embedded files and more
  • remove_embedded_font removes all embedded fonts from the PDF file; if enabled, text that depends on those fonts (for example Hebrew, Arabic or other non-English content) will no longer display correctly

CVE examples:

  • JavaScript
    • CVE-2007-5659
    • CVE-2008-2992
    • CVE-2009-0837
  • Crafted image
    • CVE-2010-0188
  • Embedded font
    • CVE-2010-2883
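The pdf2pdf switches above remove JavaScript, open actions and embedded files; a quick way to check a sanitized PDF for leftovers is to scan it for the name objects that carry active content (/JS, /JavaScript, /OpenAction, /AA, /Launch, /EmbeddedFile and so on). The scanner below is an added example written for this page, not OPSWAT code, and the list of names it treats as active is my own selection. It handles one evasion a plain grep misses: PDF name syntax allows #xx hex escapes, so /J#53 is the same name as /JS. It also flags object streams, because objects compressed inside /ObjStm are invisible to a raw-byte scan and must be decompressed first. The sample PDF is constructed inline and is the minimum needed to exercise the code.

```python
import re
from collections import Counter

# Name objects that carry active content or external references. Assumption: this is my
# selection for the check, not the set of objects the product removes.
ACTIVE_NAMES = {
    'JS', 'JavaScript', 'OpenAction', 'AA', 'Launch', 'GoToR', 'URI',
    'SubmitForm', 'ImportData', 'EmbeddedFile', 'EmbeddedFiles',
    'RichMedia', 'Flash', 'Movie', 'Sound', 'AcroForm', 'XFA',
}
NAME_TOKEN = re.compile(rb'/([^\s/<>\[\]()%{}]+)')   # a name object: slash plus regular characters
HEX_ESCAPE = re.compile(rb'#([0-9A-Fa-f]{2})')        # #xx escape inside a name


def decode_name(raw):
    """Resolve #xx escapes so that /J#53 and /JS compare equal (PDF name syntax)."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode('latin-1')


def active_content(pdf):
    """Count the active-content names visible in the raw bytes of a PDF, keyed by decoded name."""
    counts = Counter()
    for m in NAME_TOKEN.finditer(pdf):
        name = decode_name(m.group(1))
        if name in ACTIVE_NAMES:
            counts[name] += 1
    return dict(counts)


def hides_objects(pdf):
    """True if the file uses object streams, where objects are compressed and a raw scan cannot see them."""
    return b'/ObjStm' in pdf


def is_clean(pdf):
    """Clean means nothing active is visible AND nothing could be hiding in object streams."""
    return not active_content(pdf) and not hides_objects(pdf)


# Constructed sample: a minimal PDF whose catalog has an /OpenAction running JavaScript,
# with the /JS key written as /#4A#53 to slip past a naive string match.
SAMPLE_PDF = (
    b'%PDF-1.4\n'
    b'1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n'
    b'2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n'
    b'3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj\n'
    b'4 0 obj << /S /JavaScript /#4A#53 (app.alert\\(1\\)) >> endobj\n'
    b'trailer << /Root 1 0 R >>\n%%EOF\n'
)

# The same document after the action and the JavaScript object are gone.
CLEAN_PDF = (
    b'%PDF-1.4\n'
    b'1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n'
    b'2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n'
    b'3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj\n'
    b'trailer << /Root 1 0 R >>\n%%EOF\n'
)

if __name__ == '__main__':
    print('before:', active_content(SAMPLE_PDF), 'clean:', is_clean(SAMPLE_PDF))
    print('after: ', active_content(CLEAN_PDF), 'clean:', is_clean(CLEAN_PDF))
```

Treat a non-empty result as a reason to look closer rather than as proof of malice: /URI and /AcroForm are legitimate in many documents, and a name can also appear inside a string or a content stream. The check is deliberately conservative in the other direction, reporting object streams as "not clean" until they have been inflated and scanned.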

jtd (BETA)

Potential threats:

  • Macros
  • Hyperlinks
  • Embedded objects
  • Images
  • Fonts
  • Document view styles

Configuration:

[jtd2jtd]
remove_macro=1
remove_hyperlink=1
process_image=1
remove_embedded_object=1

  • embedded objects include OLE objects

Sample: coming soon

CVE examples: coming soon

hwp (BETA)

Potential threats:

  • Embedded objects
    • Flash files
    • RTF
    • PCT
  • Images
  • Macros
  • Hyperlinks

Configuration:

[hwp2hwp]
remove_macro=1
remove_embedded_object=1
process_image=1
process_rtf=1
remove_hyperlink=1

  • remove_macro removes macros (JavaScript)
  • remove_embedded_object removes all embedded objects in the HWP file, including attachments, embedded files, Flash files and more
  • process_rtf sanitizes RTF embedded in the HWP file; if the RTF cannot be sanitized, it is removed or kept according to the remove_embedded_object setting

Sample: coming soon

CVE examples:

  • Crafted RTF
    • CVE-2010-3333
    • CVE-2012-0158
    • CVE-2014-1761
  • Flash file (SWF)
    • CVE-2011-0609

xml (BETA)

Potential threats:

  • XML bomb / oversized payload
  • Recursive payload
  • CDATA injection
  • XML injection
  • VB macros
  • Scripts

Configuration:

[xml2xml]
remove_macro=1
remove_cdata=1
remove_injection=1
; entity expansion limit
xml_entity_limit=128

  • xml_entity_limit is the XML entity expansion limit; exceeding it is the condition under which a document is treated as an XML bomb
  • remove_macro removes VB macros in MS Word documents saved as XML
  • remove_cdata removes CDATA sections (CDATA injection); scripts carried inside them are removed with them

Sample: coming soon

CVE examples:

  • CWE-776
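The two DTD-based threats above, the XML bomb (CWE-776, "billion laughs") and the recursive payload, can both be judged before any entity is expanded, by counting what the internal DTD would expand to. The estimator below is an added example written for this page, not OPSWAT code; it does not know how the product measures xml_entity_limit, so it assumes the limit bounds the total number of entity references resolved while expanding the document body (the predefined entities &amp;, &lt; etc. are not counted). It memoizes per entity, which is what keeps the count cheap even for a payload that would expand to 10^9 references, and it reports a reference cycle instead of recursing forever. All three XML inputs are constructed samples.

```python
import re

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF = re.compile(r'&(\w+);')
DOCTYPE = re.compile(r'<!DOCTYPE\b[^\[>]*(?:\[.*?\])?\s*>', re.DOTALL)
PREDEFINED = {'lt', 'gt', 'amp', 'apos', 'quot'}


def split_dtd(xml_text):
    """Return (internal general-entity table, document body with the DOCTYPE removed)."""
    m = DOCTYPE.search(xml_text)
    if not m:
        return {}, xml_text
    entities = {name: v1 if v1 is not None else v2
                for name, v1, v2 in ENTITY_DECL.findall(m.group(0))}
    return entities, xml_text[:m.start()] + xml_text[m.end():]


def expansions(entities, name, memo, stack=()):
    """Number of entity references resolved while expanding &name; (not counting the
    reference to name itself). Raises ValueError on a definition cycle."""
    if name in memo:
        return memo[name]
    if name in stack:
        raise ValueError('recursive entity: ' + ' -> '.join(stack + (name,)))
    value = entities.get(name)
    if value is None:          # undeclared, predefined or external: nothing expands here
        return 0
    total = 0
    for ref in ENTITY_REF.findall(value):
        total += 1 + expansions(entities, ref, memo, stack + (name,))
    memo[name] = total
    return total


def check_xml(xml_text, xml_entity_limit=128):
    """Return (total expansions, verdict); verdict is 'ok', 'xml bomb' or 'recursive'."""
    entities, body = split_dtd(xml_text)
    memo = {}
    try:
        total = sum(1 + expansions(entities, ref, memo)
                    for ref in ENTITY_REF.findall(body) if ref not in PREDEFINED)
    except ValueError:
        return None, 'recursive'
    return total, ('xml bomb' if total > xml_entity_limit else 'ok')


# Constructed samples: a three-level billion-laughs payload, a reference cycle, and a benign DTD.
BOMB = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE lolz [\n'
    '  <!ENTITY lol "lol">\n'
    '  <!ENTITY lol1 "' + '&lol;' * 10 + '">\n'
    '  <!ENTITY lol2 "' + '&lol1;' * 10 + '">\n'
    '  <!ENTITY lol3 "' + '&lol2;' * 10 + '">\n'
    ']>\n'
    '<lolz>&lol3;</lolz>\n'
)
RECURSIVE = '<!DOCTYPE x [ <!ENTITY a "&b;"> <!ENTITY b "&a;"> ]>\n<x>&a;</x>\n'
BENIGN = '<!DOCTYPE x [ <!ENTITY company "OPSWAT"> ]>\n<x>&company; &amp; partners</x>\n'

if __name__ == '__main__':
    for label, doc in (('bomb', BOMB), ('recursive', RECURSIVE), ('benign', BENIGN)):
        print(label, check_xml(doc))
```

For BOMB the count is 1 (the body reference) + 10 + 100 + 1000 = 1111 resolved references, which is over the default limit of 128, while the same document would pass with xml_entity_limit raised to 2000; that is the trade-off the setting expresses between tolerating legitimate entity-heavy documents and rejecting amplification.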

jpg / bmp / png / tiff / gif / svg

Potential threats:

  • Embedded malicious code
    • HTML
    • PHP
    • JavaScript
    • Exploit code

Configuration: none

CVE examples:

  • Exploit code
    • CVE-2010-0188
    • CVE-2013-3906
  • Buffer overflow
    • CVE-2004-0200
  • HTML
    • CVE-2008-2551
  • JavaScript
    • CVE-2012-5076

Additional notes for Metadefender Core v3.x:

  • The Metadefender service must be restarted after changes to the configuration. The ini file is located at <Metadefender Core v3.x install directory>\omsDSConfig.ini

Additional notes for Metadefender Core v4.x:

  • To change the configuration, log into the Web Management Console and go to Inventory→Engines. Press the edit button on the Data Sanitization row and enter the configuration in the Advanced Engine Configuration box.
  • The modified configuration is deployed within a few minutes.
  • There is no need to restart the Metadefender service.