Safe Print

Ability to safe print message attachments

You can configure your email gateway to provide a safe view (safe-printed PDF version) of a message attachment detected as malicious or suspicious. The safe view of the message attachment is delivered to the end-user and the original attachment is stripped from the message.

You can use the 'Safe Print' content filter action to safe print all message attachments that match a configured content filter condition.

The ability to safe print message attachments in the email gateway helps an organization to:
• Prevent message attachments with malicious or suspicious content from entering an organization network.
• View malicious or suspicious message attachments without being affected by malware.
• Deliver the original message attachment based on the end-user request.

For more information, see the “Safe Print” guide.


  • Safe Print (content disarm) allows for attachments to be converted into a image and embedded in a PDF
  • Use the ‘Safe Print’ content filter action to safe print all message attachments that match a configured content filter condition
  • Watermark & cover page are optional
1073

Security Services > Scan Behavior: Edit Global Settings

635

Example output of Safe Print

File Types supported in 13.0.0-228:

Document
AcroExch.Document(.pdf)
Hancom Office File(.hwp)
Xhtmlfile(.xhtml)
Xmlfile(.xml)

Microsoft Documents
PowerPoint.Show.12(.pptx)
PowerPoint.Show.8(.ppt)
PowerPoint.ShowMacroEnabled.12(.pptm)
PowerPoint.SlideShow.12(.ppsx)
PowerPoint.SlideShowMacroEnabled.12(.ppsm)
PowerPoint.Template.12(.potx)
PowerPoint.Template.8(.pot)
PowerPoint.TemplateMacroEnabled.12(.potm)
Powerpointxmlfile(.pptxml)
Word.Document.12(.docx)
Word.Document.8(.doc)
Word.Template.12(.dotx)
Word.Template.8(.dot)
Word.TemplateMacroEnabled.12(.dotm)
Wordhtmlfile(.dochtml)

Cisco recommended content filter for Safe Print:

943

Content Filter used in Incoming Mail Policies

Safe Print: CLI

myESA.local> scanconfig


There are currently 5 attachment type mappings configured to be SKIPPED.

Choose the operation you want to perform:
- NEW - Add a new entry.
- DELETE - Remove an entry.
- SETUP - Configure scanning behavior.
- IMPORT - Load mappings from a file.
- EXPORT - Save mappings to a file.
- PRINT - Display the list.
- CLEAR - Remove all entries.
- SMIME - Configure S/MIME unpacking.
- SAFEPRINT - Configure safeprint settings.
[]> SAFEPRINT

Enter the maximum attachment size that you can safe print.
[5242880]>

Enter the maximum number of pages that you can safe print in an attachment.
[10]>

Do you want to use the recommended image quality value to safe print an attachment? [Y]>

Do you want to modify the file types selected to safe print an attachment? [N]>

<~~~snip~~~ >

Safe Print: mail_log example

Mon Jul 29 16:33:05 2019 Info: New SMTP ICID 23609 interface Data 1 (139.138.39.175) address 136.56.60.2 reverse dns host unknown verified no
Mon Jul 29 16:33:05 2019 Info: ICID 23609 ACCEPT SG WHITELIST match 136.56.60.2 SBRS 0.9 country United States
Mon Jul 29 16:33:05 2019 Info: Start MID 2999 ICID 23609
Mon Jul 29 16:33:05 2019 Info: MID 2999 ICID 23609 From: <[email protected]>
Mon Jul 29 16:33:06 2019 Info: MID 2999 ICID 23609 RID 0 To: <[email protected]>
Mon Jul 29 16:33:06 2019 Info: MID 2999 DMARC: Message from domain igo232.com, DMARC pass (SPF aligned True, DKIM aligned False)
Mon Jul 29 16:33:06 2019 Info: MID 2999 DMARC: Verification passed
Mon Jul 29 16:33:06 2019 Info: MID 2999 Message-ID '<20190729072800.018231@mykali>'
Mon Jul 29 16:33:06 2019 Info: MID 2999 Subject 'test Mon, 29 Jul 2019 07:28:00 -0400'
Mon Jul 29 16:33:06 2019 Info: MID 2999 SDR: Domains for which SDR is requested: reverse DNS host: Not Present, helo: mykali, env-from: igo232.com, header-from: igo232.com, reply-to: Not Present
Mon Jul 29 16:33:07 2019 Info: MID 2999 SDR: Consolidated Sender Reputation: Neutral, Threat Category: N/A. Youngest Domain Age: 7 years 1 month 15 days for domain: [email protected]
Mon Jul 29 16:33:07 2019 Info: MID 2999 SDR: Tracker Header : hPaLYnBZmLkwl4Afo2n7iKCWnE4XN1Ku2c3Eqa4MybIvyBA9qTJhvkRCDVghJd0q2fGXsIbXMlvJcXPZi5+9r6EmrMTJryOMKxmSCkE0OU6Mz0F/STrXXV1TJa3Kiap9hUzV99yGzFI7o4Sdxh9Gzxqe1gSxHKSWl6eXlw8AbvrQrfbzPLIEM+w4YNH9LTV9YSGb685jMPZ1JVyB1uEMajtBBuSEj5y43Ko5YgsoMH+P8mnWKEGYuwyA1sA9XLJpY8BjaMfhoFEMIuc0ux3ri/K8JMosaGm2Kh7Sxdd+xbAs73sc2Sw7oocV9GLHWUlw
Mon Jul 29 16:33:07 2019 Info: MID 2999 ready 6854 bytes from <[email protected]>
Mon Jul 29 16:33:07 2019 Info: MID 2999 matched all recipients for per-recipient policy DEFAULT in the inbound table
Mon Jul 29 16:33:07 2019 Info: ICID 23609 close
Mon Jul 29 16:33:08 2019 Info: MID 2999 interim verdict using engine: CASE spam negative
Mon Jul 29 16:33:08 2019 Info: MID 2999 using engine: CASE spam negative
Mon Jul 29 16:33:08 2019 Info: MID 2999 interim AV verdict using Sophos CLEAN
Mon Jul 29 16:33:08 2019 Info: MID 2999 antivirus negative
Mon Jul 29 16:33:08 2019 Info: MID 2999 AMP file reputation verdict : LOWRISK
Mon Jul 29 16:33:08 2019 Info: MID 2999 using engine: GRAYMAIL negative
**Mon Jul 29 16:33:08 2019 Info: MID 2999 attachment 'Bank_URL.docx'
Mon Jul 29 16:33:08 2019 Info: MID 2999 The attachment(s) are successfully safe-printed, Filename(s): Bank_URL.docx
Mon Jul 29 16:33:08 2019 Info: MID 2999 rewritten to MID 3000 by safeprint-all-attachments-strip-unscan filter 'CF_Safe_Print'
Mon Jul 29 16:33:08 2019 Info: Message finished MID 2999 done
Mon Jul 29 16:33:08 2019 Info: MID 3000 Custom Log Entry: <<< === SAFE PRINT TRIGGERED === >>>
Mon Jul 29 16:33:08 2019 Info: MID 3000 attachment 'safe_print_Bank_URL.pdf'**
Mon Jul 29 16:33:08 2019 Info: MID 3000 using engine: CASE using cached verdict
Mon Jul 29 16:33:08 2019 Info: CASE cache status: hits = 2, misses = 2, expires = 0, adds = 2, seconds saved = 1.23, total seconds = 2.46
Mon Jul 29 16:33:08 2019 Info: MID 3000 Outbreak Filters: verdict negative
Mon Jul 29 16:33:08 2019 Info: MID 3000 rewritten to MID 3001 by add-heading filter 'Heading Stamping'
Mon Jul 29 16:33:08 2019 Info: Message finished MID 3000 done
Mon Jul 29 16:33:08 2019 Info: MID 3001 queued for delivery
Mon Jul 29 16:33:08 2019 Info: New SMTP DCID 65626 interface 139.138.39.175 address 173.37.147.230 port 25
Mon Jul 29 16:33:09 2019 Info: DCID 65626 TLS success protocol TLSv1.2 cipher ECDHE-RSA-AES256-GCM-SHA384
Mon Jul 29 16:33:09 2019 Info: Delivery start DCID 65626 MID 3001 to RID [0]
Mon Jul 29 16:33:09 2019 Info: Message done DCID 65626 MID 3001 to RID [0] [('from', '[email protected]')]
Mon Jul 29 16:33:09 2019 Info: MID 3001 RID [0] Response 'ok:  Message 180897038 accepted'
Mon Jul 29 16:33:09 2019 Info: Message finished MID 3001 done
Mon Jul 29 16:33:14 2019 Info: DCID 65626 close

Safe Print: routing and viewing

During Beta, most customers have SMTP routing all mail to /dev/null.

If you would like to see the attachments that are being scanned and then passed thru Safe Print, do the following content filter:

886

This will not only save a copy of the before-Safe Print document, but this will also place the document post-Safe Print into the Policy Quarantine, allowing you to view and download it.

Here, from my SMA, looking at the Policy Quarantine we have the one email quarantined, Subject: TEST:

1304

When we click on Subject: TEST, we can see the message details. Clicking on "safe_print_thursday.pdf", the file will download from the quarantined message to my local folder, allowing me to open:

1303

Here is the downloaded PDF:

1231 1231