About Disarming potentially malicious content in attached documents
Disarm is a new Symantec Messaging Gateway technology that locates and removes potentially malicious content (PMC) from email attachments. You can scan both inbound and outbound messages for Microsoft Office and Adobe PDF attachments that may contain PMC. PMC types include macros, scripts, Flash content, and other exploitable content.
Disarm does not determine whether the content that it detects and removes actually contains malware. Rather, it detects the presence of specified content types within specified document types that have the potential to be exploited and removes them.
When Disarm is enabled, it detects the presence of the PMC in the attached document, deconstructs the attachment, removes the PMC, and reconstructs the document. You can choose the document and PMC types for which to attempt removal. You can also choose to archive the original documents for retrieval later.
Disarm is implemented as an extension of Symantec Messaging Gateway's day-zero detection feature. It extends the functionality of the Symantec Decomposer to:
Recursively extract embedded objects from container document types.
Replace potentially harmful objects with benign or reconstructed versions.
Reconstruct the container documents and reattach them to the email message.
Disarm does not support the scanning of encrypted or password-protected attachments, nor attachments that are compressed using unsupported formats (such as RAR). If a supported container document is nested within other supported documents, then Disarm continues deconstructing documents until it reaches the last nested document or reaches the container limit (see Setting limits on nested files). Disarm then removes the PMC from the supported type, and reconstructs and reattaches the documents.
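The deconstruct, remove, and reconstruct loop described above can be sketched as follows; this is an added illustration, not Symantec's implementation. It assumes ZIP-based containers only (such as OOXML Office files); the part-name rules, the `limit` parameter, and the sample file are hypothetical, and a real reconstruction would also rewrite the relationship and content-type parts that reference removed content.

```python
import io
import zipfile

# Assumed policy table: PMC type -> test on the lower-cased part name.
PMC_RULES = {
    "macro": lambda n: n.endswith("vbaproject.bin"),
    "flash": lambda n: n.endswith(".swf"),
    "embedded_file": lambda n: "/embeddings/" in n,
}

def disarm(data, enabled=("macro", "flash"), limit=3, depth=0, path=""):
    """Return (rebuilt_bytes, removed) for a ZIP-based container."""
    if depth >= limit or not zipfile.is_zipfile(io.BytesIO(data)):
        return data, []  # container limit reached, or not a container
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        if any(i.flag_bits & 0x1 for i in src.infolist()):
            return data, []  # encrypted members: passed through (assumption)
        for info in src.infolist():
            name = info.filename
            hit = next((t for t in enabled if PMC_RULES[t](name.lower())), None)
            if hit:  # drop the part and record what was removed
                removed.append((path + name, hit))
                continue
            # Recurse: a member may itself be a supported container.
            body, nested = disarm(src.read(info), enabled, limit,
                                  depth + 1, path + name + "!")
            removed += nested
            dst.writestr(name, body)
    return out.getvalue(), removed

def build_sample():
    """Constructed input: a .docm-like file nested inside an outer ZIP."""
    def pack(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for n, b in members.items():
                z.writestr(n, b)
        return buf.getvalue()
    inner = pack({"word/document.xml": b"<w:document/>",
                  "word/vbaProject.bin": b"constructed macro bytes",
                  "word/embeddings/movie.swf": b"constructed flash bytes"})
    return pack({"readme.txt": b"hello", "report.docm": inner})

if __name__ == "__main__":
    clean, removed = disarm(build_sample())
    for part, kind in removed:
        print(f"removed {kind}: {part}")
```

The returned `removed` list is the audit trail of what was stripped and where; with `limit=1` the nested document is left untouched, which is the trade-off a container limit implies.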
PMC removal and reconstruction of documents may affect both visual fidelity and function. Text formatting or images may look different in the reconstructed document. Functionality may be lost if the original documents contain elements such as text input fields that are implemented with macros. Content may be lost as well if you choose to remove embedded files and attachments from a message. Disarm may also have an effect on Symantec Messaging Gateway's overall throughput speed, especially if you choose to scan all supported attachment and PMC types.
By default, Disarm is enabled, but it is not activated until you configure a Disarm policy that specifies the types of documents and types of content to remove, and then apply this policy to a group. You can also choose a content filtering action that lets you bypass Disarm. See Filtering policy actions.
Imported Document ID: HOWTO93093