Last Revision:
September 20, 2023
The Unpacker module is used by Trustwave MailMarshal (SEG), Trustwave ECM, and WebMarshal. Updates are made available for recent versions through the Automatic Updates service. Each product release includes the current update of Unpacker.
For details of the Unpacker versions published for each product version, see Trustwave Knowledgebase article Q20446.
For more information about additional minor features and bug fixes, see the release history.
For earlier updates, see previous versions of Release Notes.
The following items have been changed or updated in the specific build versions of Unpacker listed.
| FT-281 | RAR archives with only some files password encrypted are correctly detected and usable files are passed to the unpacker. |
| UNPACK-380 | Unpacker release versions now are numbered by the calendar year and quarter. |
| UNPACK-383 | Unpacking did not honor the content-disposition Attachment in specific cases. Fixed. |
| UNPACK-384 | An updated version of the PDF unpacker is included. |
| UNPACK-387 | Password extraction for encrypted archives could cause the MailMarshal Engine to stop unexpectedly. Fixed. |
| UNPACK-375 | The unpacker configuration file generated by default enabled OCR functionality. Fixed: this functionality is disabled by default. |
| UNPACK-368 | Searching of message body text for passwords (UNPACK-358) is limited to the first 10KB of text. |
| UNPACK-351 | Unpacking of multi-part/related messages is more resilient to unexpected order of content headers. |
| UNPACK-355 | Office 2007 document text unpacking in multi-threaded processing is more efficient. |
| UNPACK-356 | URL extraction discarded all results if one invalid URL was found. Fixed. |
| UNPACK-358 | Unpacking of encrypted/passworded archives is attempted using default passwords and likely passwords extracted from email message text. (Available with MailMarshal/SEG only.) |
| UNPACK-363 | Unpacking of certain self extracting executables failed with ASN1 error due to encoding of an included certificate. Fixed. |
| UNPACK-365 | MSI files are unpacked. |
| UNPACK-125 | Office documents saved as XML are unpacked. |
| UNPACK-341 | URL extraction (Shurlock) better handles quoted URLs in HTML message bodies. |
| UNPACK-345 | VBA macros using a new extended specification were not unpacked. Fixed. |
| UNPACK-347 | Deploy of an updated FileType DLL could be blocked because the old file was not fully released. Fixed. |
| UNPACK-348 | URL extraction (Shurlock) used excessive processing time in some cases. Fixed. |
| UNPACK-349 | URL extraction (Shurlock) maintains the case of extracted items. |
| UNPACK-350 | Office 2007 unpacking stopped processing relationship links if one linked file did not exist. Fixed. |
| UNPACK-136 | Message unpacking failed where a header name was quoted. Fixed. |
| UNPACK-205 | BIFF12 unpacking is improved. |
| UNPACK-317 | PDF unpacking is limited to 240 seconds by default. |
| UNPACK-323 | Specific Outlook messages could cause the Engine to fail. Fixed. |
| UNPACK-324 | Perfornance of the OCR unpacker is enhanced and extraction is time limited. |
| UNPACK-325 | Certain Excel documents were not properly parsed where string type flags were missing or incorrectly interpreted. Fixed. |
| UNPACK-329 | Large amounts of unwanted text could be unpacked from Excel 2007 documents due to some custom properties being treated as BIFF12 data. Fixed. |
| UNPACK-330 | Additional components are unpacked by default (previously only unpacked when YAE script rules were enabled). |
| UNPACK-332 | Licensing for an updated version of the PDF unpacker is included. |
| UNPACK-316 | Text content can be extracted from images. |
| UNPACK-270 | Unpacking of calendar backups with a large number of items could fail. Fixed. |
| UNPACK-276 | Universal Disk Format (.UDF) files are unpacked. |
| UNPACK-277 | Extraction of VBA macros from Publisher (.PUB) documents is improved. |
| UNPACK-281 | Additional BIFF12 records are unpacked. |
| UNPACK-285 | Unpacking speed is improved where many named sub-items are created. |
| UNPACK-286 | BIFF8 records in Excel 4 (pre-2007) files are unpacked. |
| UNPACK-287 | Additional BIFF12 records are unpacked from Excel 2007 files. |
| UNPACK-288 | Macro script is unpacked from OLE format files including encrypted Excel 97-2003 files. |
| UNPACK-304 | Updated licensing for the PDF unpacker is included. |
| UNPACK-312 | Office documents with a specific format in the relationship files caused unpacking to fail. Fixed. |
| UNPACK-271 | Images smaller than 70x70 pixels are not extracted from PDF documents by default. This option enhances performance when processing PDF documents containing very large numbers of inline images. |
| UNPACK-195 | Handling of lines containing invalid characters within a Base64 section is improved. |
| UNPACK-216 | Specific messages with a malformed multipart section were unpacked incorrectly without an error being reported. Fixed. |
| UNPACK-220 | Specific XSLX files with binary metadata could cause a deadletter. Fixed. |
| UNPACK-221 | Licensing for an updated version of the PDF unpacker is included. |
| UNPACK-206 | Unpacking of BIFF12 data could fail when converting from Unicode to multibyte strings. Fixed. |
| UNPACK-207 | ACE archives are not unpacked. |
| UNPACK-184 | Certain RTF exploits now return unique Deadletter codes for improved granularity of processing. |
| UNPACK-189 | The change in UNPACK-163 caused unwanted repacking of email bodies when headers were updated. This change has been reverted. To repack email parts, execute an external command for each part. |
| UNPACK-204 | Unpacking of BIFF12 data could fail with an infinite loop. Fixed. |
This release is provided in the installation package of SEG 8.2.0 and 8.2.1.
| FT-127 | Office 2007 content files are identified as XML. |
| UNPACK-186 | Specific PPTX files could cause a deadletter. Fixed. |
For earlier updates, see previous versions of Release Notes.
Copyright © 2023 Trustwave Holdings, Inc.
All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation is strictly prohibited without the prior written consent of Trustwave. No part of this document may be reproduced in any form or by any means without the prior written authorization of Trustwave. While every precaution has been taken in the preparation of this document, Trustwave assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
While the authors have used their best efforts in preparing this document,
they make no representation or warranties with respect to the accuracy or
completeness of the contents of this document and specifically disclaim any
implied warranties of merchantability or fitness for a particular purpose. No
warranty may be created or extended by sales representatives or written sales
materials. The advice and strategies contained herein may not be suitable for
your situation. You should consult with a professional where appropriate.
Neither the author nor Trustwave shall be liable for any loss of profit or any
commercial damages, including but not limited to direct, indirect, special,
incidental, consequential, or other damages.
Trustwave and the Trustwave logo are trademarks of Trustwave. Such trademarks shall not be used, copied, or disseminated in any manner without the prior written permission of Trustwave.
Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave Fusion® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.