FisherManFriend
New Contributor

Difference between "remove active content" and "content disarm and reconstruction"

Hey everyone,

In our log we always have different entries concerning the content, either "remove active content" or "content disarm and reconstruction".
What are the differences here? Do these entries both come from the content profile or is there another origin?

gfleming
Staff

Sounds like they are both related to the CDR function. It could be based on different actions being taken (such as links being removed from a PDF vs attachment scanning from SandBox).


Can you paste the actual log messages so we can help you better?

Cheers,
Graham
FisherManFriend
New Contributor

Hey Graham,

Thank you for your reply.

These are the two different cases in the log:

[Screenshots: FortiMail_disarm_and_reconstruction.png, FortiMail_active_content.png]

Content disarm and reconstruction always applies when it concerns a file. Mostly FortiMail classified it as Attachment Filter.

With remove content, unfortunately it is never specified exactly why, only that it has removed the active content.

Thank you in advance!

Jannick

gfleming
Staff

Without seeing the raw logs themselves I will take a hunch that the "remove active content" is the log message stating that CDR is removing clickable URLs from email messages.

Can you reference the raw logs with the Classifiers referenced here: https://docs.fortinet.com/document/fortimail/7.0.0/log-reference/47449/log-message-dispositions-and-...

Might help narrow down what you're looking at.

Cheers,
Graham