Attackers are known to use active content embedded in a document, file, email or other communication to execute malicious code or enable other malicious activity on a victim's computer. Active content may include any content embedded in an electronic file or document or email and configured to carry out an action or trigger an action. Common forms of active content include word processing and spreadsheet macros, formulas, or scripts, JavaScript code within Portable Document Format (PDF) documents, web pages including plugins, applets or other executable content, browser or application toolbars and extensions, etc. Some malicious active content can be automatically invoked to perform the intended malicious functions when a computer runs a program or application to render (e.g., open or read) the received content, such as a file or document. One such example includes the use of a macro embedded in a spreadsheet, where the macro is configured to be automatically executed to take control of the victimized computer upon the user opening the spreadsheet, without any additional action by the user. Active content used by hackers may also be invoked responsive to some other action taken by a user or computer process. The present disclosure is directed to solving problems rooted in the use of embedded active content generally, without regard to how the active content is invoked and executed.
Techniques have been implemented to mitigate the risks posed by active content embedded in electronic documents. One common data sanitization or content disarm and reconstruction (CDR) technique includes removing any detected forms of active content from a document or other received content before it is passed to an intended recipient or otherwise rendered. Similarly, instead of removing the active content, some known techniques change the active content in a way that renders it useless. While such a technique may be successful to prevent malicious functions resulting from execution of the active content, some enterprises may rely heavily on the useful functionality that is intended for non-malicious active content. Indeed, for some enterprises, spreadsheet application macros can provide significant benefits that should not be so indiscriminately discarded. Thus, for some enterprises the wholesale removal or destruction of any and all active content from received documents is not a satisfactory solution.
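As an added illustration of the removal-style CDR technique described above (example code written for this page, not taken from the disclosure): a small Python sanitizer that locates the macro project of a macro-enabled workbook by the content type the package declares for it, then rewrites the package without that part, its content-type override and the relationship pointing at it. The sample workbook is constructed inline and is not a real Excel file; the regular expressions assume the simple attribute order used in that sample.

```python
import io, posixpath, re, zipfile
VBA_CT = "application/vnd.ms-office.vbaProject"  # content type of a VBA macro project part

def build_sample_xlsm() -> bytes:
    """Constructed, minimal macro-enabled workbook: only the parts the sanitizer touches exist."""
    ct = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
          f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CT}"/></Types>')
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/>'
            '<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            '</Relationships>')
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as z:
        z.writestr("[Content_Types].xml", ct)
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/_rels/workbook.xml.rels", rels)
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed VBA blob")
    return buf.getvalue()

def list_parts(data: bytes) -> dict[str, bytes]:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {n: z.read(n) for n in z.namelist()}

def find_active_parts(data: bytes) -> set[str]:
    """Parts declared with the VBA content type: located by package structure, not by signature."""
    ct = list_parts(data)["[Content_Types].xml"].decode()
    overrides = re.findall(r'<Override PartName="/([^"]+)" ContentType="([^"]+)"', ct)
    return {name for name, ctype in overrides if ctype == VBA_CT}

def _resolve(rels_name: str, target: str) -> str:
    # Relationship targets are relative to the part owning the .rels file unless absolute.
    if target.startswith("/"):
        return target[1:]
    return posixpath.normpath(posixpath.join(posixpath.dirname(posixpath.dirname(rels_name)), target))

def disarm(data: bytes) -> bytes:
    """Rewrite the package without VBA parts, their content-type overrides and relationships."""
    active = find_active_parts(data)
    with zipfile.ZipFile(out := io.BytesIO(), "w") as dst:
        for name, body in list_parts(data).items():
            if name in active:
                continue  # the macro project itself is dropped
            if name == "[Content_Types].xml":
                body = re.sub(rf'<Override [^>]*ContentType="{re.escape(VBA_CT)}"/>', "", body.decode()).encode()
            elif name.endswith(".rels"):
                drop = lambda m: "" if _resolve(name, m.group(1)) in active else m.group(0)
                body = re.sub(r'<Relationship [^>]*Target="([^"]+)"[^>]*/>', drop, body.decode()).encode()
            dst.writestr(name, body)  # passive parts are copied through unchanged
    return out.getvalue()
```

Because the part is identified by how the package declares it rather than by a signature, the same step removes a macro project regardless of what its code does; the trade-off the text notes still applies, since legitimate macros are removed along with malicious ones.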
Other techniques include application-based solutions that include user-configurable settings or default settings within a rendering application that control how or whether active content in a document may be disarmed or otherwise prevented from executing. These solutions, however, may be difficult to configure and manage for an enterprise including many users, and moreover, also suffer from difficulties similar to those described above in that some active content may be beneficial to the end user such that it is undesirable to categorically block all active content from execution. These solutions may also require cumbersome steps on the part of the user to override the default settings or otherwise enable the active content in order to reap the benefits of legitimate active content, an inconvenience that is not a satisfactory solution. Other application-based solutions are known to temporarily prevent the execution of any active content that may be embedded in a document. For example, Microsoft® includes a “protected view” feature in Word® that enables a user to open the document in a protected environment, such as a “sandbox,” to view only the passive content while macros and any other active content are disabled or prevented from executing. The “protected view” environment has limitations, though, in that a user is unable to edit the document unless he exits the protected environment. Upon doing so, however, the user may be exposed to malicious active content. The “protected view” feature may provide a warning to the user that exiting the “protected view” could expose the user to such risks, but such a warning is often ignored due to a need or desire to edit or otherwise interact with the document in a way that is not enabled in the protected view.
The “protected view” is also vulnerable to social engineering tactics that encourage the user to exit the “protected view” to allegedly realize functionality of the active content, thus resulting in the execution of malicious active content. Thus, users may be unwittingly tricked into activating malicious active content despite such warnings.
While it may be beneficial to identify and prevent execution of only the active content that is known to pose malicious risks, in practice this is challenging and resource intensive and is still ineffective at identifying new forms of malicious content that have not yet been discovered as such. For example, common attempts to identify malicious content include screening incoming documents at a host computer or server based on a comparison with known malicious signatures. Such signature-based malware detection techniques, however, are incapable of identifying malicious active content for which a malicious signature has not yet been identified. Even known malicious active content can be slightly modified without much change in functionality, thereby requiring a new signature to detect it. Accordingly, it is generally not possible to identify new malicious content or subtle variations of existing malicious content using signature-based detection methods. Furthermore, in many cases, malicious active content is embedded in otherwise legitimate documents or files having proper structure and characteristics, and the malicious active content may also be disguised to hide its malicious nature, so that the malicious content appears to be innocuous. Thus, even upon inspection of a document according to known malware scanning techniques, it may be difficult to identify malicious active content.
Thus, there is a need for alternative techniques to mitigate the risks posed by malicious active content attacks without preventing the usability of embedded active content, and that also overcome at least some of the above disadvantages of known techniques.