Trustwave Unpacker Release Notes

Last Revision: October 03, 2017

The Unpacker module is used by Trustwave SEG and Trustwave ECM. Updates are made available for recent versions through the Automatic Updates service. Each product release includes the current update of Unpacker.

Note: File extensions are provided in this document for reference only. The Unpacker extracts files based on their structure as determined by Trustwave File Type, and not by the file name or extension.

New Features

For more information about additional minor features and bug fixes, see the release history.

Features new in 2.5.0

Features new in 2.4.2

Features new in 2.3.6

Features new in 2.3.5

Features new in 2.3.1

Features new in 2.3.0

Release History

The following items have been changed or updated in the specific build versions of Unpacker listed.

2.5.1 (October 03, 2017)

UNPACK-133 Extracted symbolic links could point to files that do not exist. Fixed: these links are excluded from the list of unpacked files.
UNPACK-134 EMFBlip files are extracted from RTF documents.
UNPACK-135 Message content-types were not correctly handled in some cases where no parameters were required.
UNPACK-138 MIME boundaries containing character set, language, and continuation tags are handled. (July 20, 2017)

UNPACK-54 Additional elements unpacked from Office 2007 documents are available for scanning.
UNPACK-115 Macros are extracted from encrypted Word documents.
UNPACK-120 Some Office 2003 and Office 2007 macros were not extracted where optional fields were not present. Fixed.
UNPACK-121 Unpacked files now specify the "Temporary" file attribute. Performance is enhanced.
UNPACK-126 URL targets that are HTTP/S or FTP/S links are extracted from Office documents and are available for scanning by other components.
UNPACK-129 Calls to external executables are fully quoted.

2.4.4 (April 11, 2017)

UNPACK-56 PDF extraction of RawStream objects has been optimized. Image objects are written in compressed format.
UNPACK-116 Base64 decoding has been improved when comments are present in the stream.

2.4.3 (March 28, 2017)

UNPACK-110 Malformed messages with no separator between the header and the body are deadlettered. These messages violate RFC standards and are generally not rendered by email clients.
UNPACK-111 Text in BIFF12 format within .XLSB files is extracted.
UNPACK-113 Office documents that contained malformed VBA macros could cause the Engine to stop. Fixed.
UNPACK-118 Office document schema detection is improved.

2.4.2 (December 15, 2016)

UNPACK-86 Macros are extracted from Office 2003 and Office 2007 documents.
UNPACK-94 When unpacking text from Word 2007 documents, drawing elements are no longer included.
UNPACK-96 When unpacking Office 2007 documents, files marked as XML are validated as text type before being parsed.
UNPACK-98 When unpacking Office 2007 documents, custom UI "extensibililty" files are not unpacked.
UNPACK-99 Decompression executables can be replaced by the updater.
UNPACK-102 OLE objects could be incorrectly identified as Word documents and unpacking would fail. Fixed by an update to file type checking in File Type release 7.14.0.
UNPACK-103 MSO files that do not contain a compressed stream are not unpacked.
UNPACK-105 File names that included disallowed characters caused unpacking to fail. Fixed.

2.4.1 (June 9, 2016)

UNPACK-91 Extended unpacking of XLSX files failed when the index file referred to an object that did not exist in the archive. Fixed.
UNPACK-92 Word "attachedToolbars" parts are now ignored in unpacking.

2.4.0 (May 19, 2016)

UNPACK-90 Logging of file names containing certain characters caused the Engine to stop. Fixed.

2.3.9 (April 26, 2016)

UNPACK-89 Messages with blank lines in the headers were not correctly repacked in some cases. Fixed.

2.3.8 (April 5, 2016)

UNPACK-83 Processing an EMF file with a % character in the name caused the Engine to stop. Fixed.

2.3.7 (March 10, 2016)

UNPACK-82 An unpack error could occur when headers contained more than one blank folded line. Fixed.

2.3.6 (March 3, 2016)

UNPACK-75 S/MIME attachments were not included in attachment stripping actions. Fixed.
UNPACK-78 Binary items unpacked from a PDF file no longer contribute to the attachment stripping size limit calculations.
UNPACK-79 Compressed streams are extracted from ActiveMime (MSO) containers.
UNPACK-81 Some Base64 encoded attachments were not correctly unpacked. Fixed.

2.3.5 (February 4, 2016)

UNPACK-45 Microsoft compiled Help files (.CHM) are unpacked. Binary items unpacked from these files have the file type CHMBINOBJ.
UNPACK-47 Binary items unpacked from a PDF file no longer contribute to the unpacking size limit calculations.
UNPACK-70 URI actions are extracted from PDF files and can be scanned by TextCensor and URL Categorizer.

2.3.4 (December 8, 2015)

UNPACK-69 In Unpacker 2.3.2, a specific file caused a fault in TNEF unpacking. Fixed.
UNPACK-71 Naming of unique unpacked files is improved to avoid false detection of file extensions.
UNPACK-72 Additional ODTTF files are recognized.

2.3.2 (November 23, 2015)

UNPACK-68 Unpacker version 2.3.1 with SEG version 7.3.X caused deadlettering of messages that had a message stamp applied. Fixed.

2.3.1 (November 12, 2015)

UNPACK-61 The number of base64 attachments that can be unpacked has been greatly increased by better naming of unique unpacked files.
UNPACK-62 Some attachments within TNEF messages were not unpacked. Fixed.
UNPACK-63 Header and footer entries within Excel 2007 documents are unpacked.
UNPACK-64 Office 2007 unpacking did not handle named namespaces. Fixed.
UNPACK-65 Unpacking of ASN1 objects incorrectly checked for zero lengths in some identifiers. Fixed.
UNPACK-66 The number of OLE objects allowed before deadlettering is increased from 16000 to 64000.

2.3.0 (November 4, 2015)

UNPACK-25 PDF unpacking continues if an error occurs in unpacking one part.
UNPACK-50 PDF unpacking adds page separators.
UNPACK-53 PowerPoint 2007 Show files (PPSX) are unpacked.

2.1.5 and 2.2.0 (May 3, 2015)

UNPACK-49 Messages with embedded EMF files could be deadlettered due to incorrect unpacking of the containing RTF files.

2.1.4 (April 21, 2015)

UNPACK-44 ODTTF files are recognized in XPS documents.
UNPACK-46 RTF files with section formatting properties were deadlettered.

Changes prior to those listed were mentioned in the Trustwave SEG or Trustwave ECM Release Notes.

Legal Notice

Copyright © 2017 Trustwave Holdings, Inc.

All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation is strictly prohibited without the prior written consent of Trustwave. No part of this document may be reproduced in any form or by any means without the prior written authorization of Trustwave. While every precaution has been taken in the preparation of this document, Trustwave assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

While the authors have used their best efforts in preparing this document, they make no representation or warranties with respect to the accuracy or completeness of the contents of this document and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the author nor Trustwave shall be liable for any loss of profit or any commercial damages, including but not limited to direct, indirect, special, incidental, consequential, or other damages.


Trustwave and the Trustwave logo are trademarks of Trustwave. Such trademarks shall not be used, copied, or disseminated in any manner without the prior written permission of Trustwave.

About Trustwave®

Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit