Protect Mode
    • PDF

    Protect Mode

    • PDF

    Article summary

    Overview

    In Protect Mode, Content Management Policies allow control of various file content types such as file attachments, executable code, interactive form content and a number of actions (e.g., external links or the execution of JavaScripts). These file elements are known to be common attack vectors when they are encountered within a file. The Content Management Policy will define how the Glasswall Embedded Engine should process these structures. Content Management Policy differs across supported file types.

    The active Content Management Policy can be updated on a file by file basis, but must be set prior to processing the file. In the event that Content Management Policies have not been set before processing documents, the Glasswall default settings are applied, and all configurable content is sanitised by default.

    Protect Process

    In Protect Mode (as per in Analysis mode), an input file is read in and the manufacturer's specification is used to validate each byte as it is processed. This allows all the data structures (content items) within the file to be syntactically validated. If the data structures pass syntax validation, they are subjected to further semantic checks. Those data structures that have passed both syntax and semantic validation are then written out to the new version of the input file that is regenerated on a data structure by data structure basis.

    If a data structure does not pass validation, an attempt is made to repair the structure in accordance with the manufacturer's specification (remediation) before it is written to the regenerated file. If this cannot be done, an issue is reported, as the file cannot be safely regenerated. The file is then quarantined.

    Whilst the input file is being read in, the Content Management policies are used to decide if key file content types, for example, macros or embedded files, are required in the regenerated file. If these items are not required, they are not written to the regenerated file and the action is reported as a sanitisation. The resulting file is clean and compliant that is visually identical to the original.

    Protected Files

    Files that have been processed in Protect mode and have been regenerated are fully compliant with the manufacturer's specification and, depending on the content management policies applied, may have had a number of active data items removed from the file. If all of the content management policies were applied and set to Sanitise in Protect Mode and if the regenerated file was subsequently reprocessed in Analysis mode, there would be no issue items, no remedy items, and no sanitisation items reported in the associated analysis report.


    Learn more


    Was this article helpful?