Trustwave Unpacker Release Notes
Last Revision:
February 26, 2019
The Unpacker module is used by Trustwave Content Security products
(SEG, ECM, and WebMarshal). Updates are made available for recent versions through the Automatic
Updates service. Each product release includes the current update of Unpacker.
For details of the Unpacker versions published for each product version, see
Trustwave Knowledgebase article
Q20446.
Note: File extensions are provided in this document for
reference only. The Unpacker extracts files based on their structure as
determined by Trustwave File Type, and not by
the file name or extension.New Features
For more information about additional minor features and bug fixes,
see the
release history.
Features new in 2.5.5
- ACE archives are not unpacked.
Features new in 2.5.3
- Microsoft OneNote files are unpacked.
Features new in 2.5.0
- Unpacked files use the "Temporary" file attribute to
increase caching and reduce writing to disk. Performance is
significantly enhanced.
Features new in 2.4.2
- Decompression executables can be
replaced by the updater.
- Macros are extracted from Office 2003 and Office 2007
documents (type "OfficeMacroScript").
Features new in 2.3.6
- Compressed streams are extracted from ActiveMime (MSO)
containers.
Features new in 2.3.5
- Microsoft Compiled Help files (.CHM) are
unpacked.
Features new in 2.3.1
- Header and footer entries within Excel 2007 documents are
unpacked.
Features new in 2.3.0
- Additional types unpacked
- PowerPoint 2007 Show
files (PPSX)
Release History
The following items have been changed or updated in the
specific build versions of Unpacker listed.
2.5.5 (February 26, 2019)
UNPACK-206 |
Unpacking of BIFF12 data could fail when converting from Unicode
to multibyte strings. Fixed. |
UNPACK-207 |
ACE archives are not unpacked. |
2.5.4 (January 24, 2019)
FT-187 |
Office 2007 content files are identified as XML. |
UNPACK-184 |
Certain RTF exploits now return unique Deadletter codes for
improved granularity of processing. |
UNPACK-186 |
Specific PPTX files could cause a deadletter. Fixed. |
UNPACK-189 |
The change in UNPACK-156 caused unwanted repacking of email
bodies when headers were updated. This change has been reverted.
To repack email parts, execute an external command for each
part. |
UNPACK-204 |
Unpacking of BIFF12 data could fail with an infinite loop.
Fixed. |
2.5.3 (July 10, 2018)
UNPACK-157 |
Excess information logged in debug mode has been removed. |
UNPACK-162 |
External commands making changes to the parent message ("run
only once") did not trigger repacking of the message. Fixed. |
UNPACK-164 |
Empty data from large Office Binary documents is handled more
efficiently. |
UNPACK-166 |
Some embedded URIs were not extracted from PDF documents. Fixed. |
UNPACK-172 |
Files unpacked from PDF documents now specify the "Temporary"
file attribute. |
UNPACK-174 |
Filenames of unpacked attachments use extensions found in the
MIME headers, or extensions commonly used for the MIME type. |
UNPACK-178 |
Microsoft OneNote files are unpacked. |
2.5.2 (December 5, 2017)
UNPACK-144 |
Office document unpacking now allows additional levels of
relationship files. |
UNPACK-145 |
Additional embedded Office document types are unpacked from OLE
streams. |
2.5.1 (October 4, 2017)
UNPACK-133 |
Extracted symbolic links could point to files that do not exist.
Fixed: these links are excluded from the list of unpacked files. |
UNPACK-134 |
EMFBlip files are extracted from RTF documents. |
UNPACK-135 |
Message content-types were not correctly handled in some cases
where no parameters were required. |
UNPACK-138 |
MIME boundaries containing character set, language, and
continuation tags are handled. |
2.4.3.506 (July 20, 2017)
UNPACK-54 |
Additional elements unpacked from Office 2007 documents are
available for scanning. |
UNPACK-115 |
Macros are extracted from encrypted Word documents. |
UNPACK-120 |
Some Office 2003 and Office 2007 macros were not extracted where optional
fields were not present. Fixed. |
UNPACK-121 |
Unpacked files now specify the "Temporary" file attribute.
Performance is enhanced. |
UNPACK-126 |
URL targets that are HTTP/S or FTP/S links are extracted from
Office documents and are available for scanning by other
components. |
UNPACK-129 |
Calls to external executables are fully quoted. |
2.4.4 (April 11, 2017)
UNPACK-56 |
PDF extraction of RawStream objects has been optimized.
Image objects are written in compressed format. |
UNPACK-116 |
Base64 decoding has been improved when comments
are present in the stream. |
2.4.3 (March 28, 2017)
UNPACK-110 |
Malformed messages with no separator between the header and the
body are deadlettered. These messages violate RFC standards and
are generally not rendered by email clients. |
UNPACK-111 |
Text in BIFF12 format within .XLSB files is extracted. |
UNPACK-113 |
Office documents that contained malformed VBA macros could cause
the Engine to stop. Fixed. |
UNPACK-118 |
Office document schema detection is improved. |
2.4.2 (December 15, 2016)
UNPACK-86 |
Macros are extracted from Office 2003 and Office 2007 documents. |
UNPACK-94 |
When unpacking text from Word 2007 documents, drawing elements
are no longer included. |
UNPACK-96 |
When unpacking Office 2007 documents, files marked as XML are
validated as text type before being parsed. |
UNPACK-98 |
When unpacking Office 2007 documents, custom UI "extensibililty"
files are not unpacked. |
UNPACK-99 |
Decompression executables can be
replaced by the updater. |
UNPACK-102 |
OLE objects could be incorrectly identified as Word documents
and unpacking would fail. Fixed by an update to file type
checking in File Type release 7.14.0. |
UNPACK-103 |
MSO files that do not contain a compressed stream are not
unpacked. |
UNPACK-105 |
File names that included disallowed characters caused unpacking
to fail. Fixed. |
2.4.1 (June 9, 2016)
UNPACK-91 |
Extended unpacking of XLSX files failed when the index file
referred to an object that did not exist in the archive. Fixed. |
UNPACK-92 |
Word "attachedToolbars" parts are now ignored in unpacking. |
2.4.0 (May 19, 2016)
UNPACK-90 |
Logging of file names containing certain characters caused the
Engine to stop. Fixed. |
2.3.9 (April 26, 2016)
UNPACK-89 |
Messages with blank lines in the headers were not correctly
repacked in some cases. Fixed. |
2.3.8 (April 5, 2016)
UNPACK-83 |
Processing an EMF file with a % character in the name caused the
Engine to stop. Fixed. |
2.3.7 (March 10, 2016)
UNPACK-82 |
An unpack error could occur when headers contained more than one
blank folded line. Fixed. |
2.3.6 (March 3, 2016)
UNPACK-75 |
S/MIME attachments were not included in attachment stripping
actions. Fixed. |
UNPACK-78 |
Binary items unpacked from a PDF file no longer contribute to the
attachment stripping size limit calculations. |
UNPACK-79 |
Compressed streams are extracted from ActiveMime (MSO)
containers. |
UNPACK-81 |
Some Base64 encoded attachments were not correctly unpacked.
Fixed. |
2.3.5 (February 4, 2016)
UNPACK-45 |
Microsoft compiled Help files (.CHM) are
unpacked. Binary items unpacked from these files have the file
type CHMBINOBJ. |
UNPACK-47 |
Binary items unpacked from a PDF file no longer contribute to the
unpacking size limit calculations. |
UNPACK-70 |
URI actions are extracted from PDF files and can be scanned by
TextCensor and URL Categorizer. |
2.3.4 (December 8, 2015)
UNPACK-69 |
In Unpacker 2.3.2, a specific file caused a fault in TNEF
unpacking. Fixed. |
UNPACK-71 |
Naming of unique unpacked files is improved to avoid false
detection of file extensions. |
UNPACK-72 |
Additional ODTTF files are recognized. |
2.3.2 (November 23, 2015)
UNPACK-68 |
Unpacker version 2.3.1 with SEG version 7.3.X caused deadlettering of messages that had
a message stamp applied. Fixed. |
2.3.1 (November 12, 2015)
UNPACK-61 |
The number of base64 attachments that can be unpacked has been
greatly increased
by better naming of unique unpacked files. |
UNPACK-62 |
Some attachments within TNEF messages were not unpacked. Fixed. |
UNPACK-63 |
Header and footer entries within Excel 2007 documents are
unpacked. |
UNPACK-64 |
Office 2007 unpacking did not handle named namespaces. Fixed. |
UNPACK-65 |
Unpacking of ASN1 objects incorrectly checked for zero lengths
in some identifiers. Fixed. |
UNPACK-66 |
The number of OLE objects allowed before deadlettering is
increased from 16000 to 64000. |
2.3.0 (November 4, 2015)
UNPACK-25 |
PDF unpacking continues if an error occurs in unpacking one
part. |
UNPACK-50 |
PDF unpacking adds page separators. |
UNPACK-53 |
PowerPoint 2007 Show files (PPSX) are unpacked. |
2.1.5 and 2.2.0 (May 3, 2015)
UNPACK-49 |
Messages with embedded EMF files could be deadlettered due to
incorrect unpacking of the containing RTF files. |
2.1.4 (April 21, 2015)
UNPACK-44 |
ODTTF files are recognized in XPS documents. |
UNPACK-46 |
RTF files with section formatting properties were deadlettered. |
Changes prior to those listed were mentioned in the Trustwave SEG or
Trustwave ECM Release Notes.
Legal Notice
Copyright ©
2019
Trustwave Holdings, Inc.
All rights reserved. This document is protected by copyright and any
distribution, reproduction, copying, or decompilation is strictly prohibited
without the prior written consent of Trustwave. No part of this document may be
reproduced in any form or by any means without the prior written authorization
of Trustwave. While every precaution has been taken in the preparation of this
document, Trustwave assumes no responsibility for errors or omissions. This
publication and features described herein are subject to change without notice.
While the authors have used their best efforts in preparing this document,
they make no representation or warranties with respect to the accuracy or
completeness of the contents of this document and specifically disclaim any
implied warranties of merchantability or fitness for a particular purpose. No
warranty may be created or extended by sales representatives or written sales
materials. The advice and strategies contained herein may not be suitable for
your situation. You should consult with a professional where appropriate.
Neither the author nor Trustwave shall be liable for any loss of profit or any
commercial damages, including but not limited to direct, indirect, special,
incidental, consequential, or other damages.
Trademarks
Trustwave and the Trustwave logo are trademarks of Trustwave. Such trademarks
shall not be used, copied, or disseminated in any manner without the prior
written permission of Trustwave.
About Trustwave®
Trustwave helps businesses fight cybercrime,
protect data and reduce security risk. With cloud and managed security services,
integrated technologies and a team of security experts, ethical hackers and
researchers, Trustwave enables businesses to transform the way they manage their
information security and compliance programs. More than three million businesses
are enrolled in the Trustwave TrustKeeper® cloud platform, through which
Trustwave delivers automated, efficient and cost-effective threat, vulnerability
and compliance management. Trustwave is headquartered in Chicago, with customers
in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.