pdf with "pseudo" encryption #1196
Comments
I believe this object means that the KEY is saved in the PDF file... 36 0 obj endobj
Hi, Thank you for notifying us about this, and I am sorry for the delay in responding to you. In looking at our metadata, this file is recognized as having an encrypted image that is decryptable, but it appears to be extracted without being decrypted. According to pdfimages, this image is of type portable pixmap (ppm). I am opening a ticket internally to track this issue and get it scheduled for the future. We'll update this issue when it is scheduled. If you could provide some of your other samples, we would appreciate it. Thanks,
hallo andy, attached some more samples. ce2kg7bptpo7e.pdf These are of course unwanted spam PDFs. But there are also serious PDFs which have this "pseudo-encryption". br johannes
hello, now I can tell you more about this: encryption is done when you protect the PDF, e.g. as not printable. See samples attached: 1.pdf 1.pdf => without encryption; can be easily created with pdftk on Linux: br johannes
That's great, thank you for the samples and the instructions on where this is coming from. We have some other pdf tasks planned, so hopefully we can get this addressed as part of that work. Thanks,
btw: also very interesting is this: clamscan.exe --alert-encrypted=yes *pdf 1.pdf: OK so clamav already detects a difference between 2+3.pdf...
I haven't had a chance to play with the new files yet, but I would imagine 3.pdf would not have 'decryptable' in the json output.
Just checked. 2.pdf is decryptable, 3.pdf is not.
hello Andy, I now also checked, clamav 1.30 LibClamAV debug: cli_pdf: U: : a95f5a7083f9fb99bb158fcd70e503db00000000000000000000000000000000 When I do --leave-temps=yes with 1.pdf, I see the "hello world" object in the tempfiles. But with 2.pdf the extracted tempfiles are all still encrypted ... and so useless. I've now also tested a PDF with an image. The unencrypted file was marked as infected after that. clamav was telling me "decryptable", but did not mark the file as infected. So maybe clamav is able to decrypt it, but does not use the unencrypted parts for some reason? br johannes
I think the 'LibClamAV debug: check_owner_password: Unknown or unsupported encryption version. R: 3' is the problem. When that statement is printed in our pdf parser, it does not attempt to decrypt that block, but the decryptable flag is printed because we should be able to decrypt. We have some other planned work to do on the pdf parser, so hopefully we can get this implemented as part of that. Thank you for digging into this!
I have a lot of different samples here, but a lot of them contain business data. If there is some beta version to test, please let me know... Well, anyway, if the file has an encryption like 2.pdf: maybe there are also other encryptions which clamav fails to decrypt. Can you also think about this?
btw: if you think this is the problem, this should be fixable easily, if revision 4 is already working? There are some additional jobs to do. br johannes
Unfortunately, we have a few other high-priority tasks that we need to address before we can get started on this. There is some other PDF work we need to do, so we plan on fixing this as part of that work. I'll definitely let you know when there is something to test on your other samples. Andy
hello,
tested also with the latest release (1.3.0)
see attached PDF as sample, i have a lot of samples like this.
52n31op9ob2on.pdf
in this case the PDF is encrypted, but does not ask for a password, and all images are visible in any pdf-viewer,
so some objects are encrypted, but no special password is necessary to decrypt.
clamav is extracting every object of the PDF, but they are still encrypted, so it is useless for finding anything useful inside.
you can see the object with "clamscan --debug --leave-temps=yes --tempdir=1.tmp ..."
so of course clamav should also decrypt these files in order to scan the parts...
br johannes
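The "pseudo-encryption" discussed throughout this thread is the PDF standard security handler with an empty user password: the file carries /Encrypt with /R 2, 3 or 4, the key is derived from values stored in the file itself (/O, /P, the first /ID string), so any reader opens it without a prompt, which is also why the debug line above shows a /U entry whose last 16 bytes are zero (the spec leaves those 16 bytes arbitrary). The following script is an added example, not ClamAV code and not anything from this issue's attachments; it implements the spec's key derivation (Algorithm 2) and user-password check (Algorithms 4 and 5, for the RC4/AESV2 revisions only, not the SHA-256 based R5/R6) so a scanner can decide whether an encrypted object is decryptable with no password. The /O, /ID and /P values are constructed placeholders, and the function names are this example's own.

```python
import hashlib
import struct

# Standard 32-byte padding string from ISO 32000-1, 7.6.3.3.
PAD = bytes([
    0x28, 0xBF, 0x4E, 0x5E, 0x4E, 0x75, 0x8A, 0x41, 0x64, 0x00, 0x4E, 0x56,
    0xFF, 0xFA, 0x01, 0x08, 0x2E, 0x2E, 0x00, 0xB6, 0xD0, 0x68, 0x3E, 0x80,
    0x2F, 0x0C, 0xA9, 0xFE, 0x64, 0x53, 0x69, 0x7A,
])


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); used by the standard security handler for R2-R4."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def compute_key(password: bytes, o_entry: bytes, p_value: int, id0: bytes,
                revision: int, length_bits: int = 40,
                encrypt_metadata: bool = True) -> bytes:
    """Algorithm 2: derive the file key from the user password and /Encrypt values."""
    n = 5 if revision == 2 else length_bits // 8
    h = hashlib.md5()
    h.update((password + PAD)[:32])                    # padded/truncated password
    h.update(o_entry)                                  # /O string
    h.update(struct.pack("<I", p_value & 0xFFFFFFFF))  # /P as unsigned 32-bit LE
    h.update(id0)                                      # first element of /ID
    if revision >= 4 and not encrypt_metadata:
        h.update(b"\xff\xff\xff\xff")
    key = h.digest()
    if revision >= 3:
        for _ in range(50):                            # 50 extra MD5 rounds on the first n bytes
            key = hashlib.md5(key[:n]).digest()
    return key[:n]


def compute_u(key: bytes, id0: bytes, revision: int) -> bytes:
    """Algorithm 4 (R2) / Algorithm 5 (R>=3): the /U value expected for this key."""
    if revision == 2:
        return rc4(key, PAD)
    out = rc4(key, hashlib.md5(PAD + id0).digest())
    for i in range(1, 20):                             # 19 passes with key XOR i
        out = rc4(bytes(b ^ i for b in key), out)
    return out + b"\x00" * 16                          # last 16 bytes are arbitrary padding


def user_password_matches(password: bytes, enc: dict, id0: bytes) -> bool:
    """Check a candidate user password against the /Encrypt dictionary values."""
    key = compute_key(password, enc["O"], enc["P"], id0, enc["R"],
                      enc.get("Length", 40), enc.get("EncryptMetadata", True))
    expected = compute_u(key, id0, enc["R"])
    compare = 32 if enc["R"] == 2 else 16              # R>=3 compares only the first 16 bytes
    return expected[:compare] == enc["U"][:compare]


def is_pseudo_encrypted(enc: dict, id0: bytes) -> bool:
    """True when the empty user password opens the file: decryptable without a prompt."""
    return user_password_matches(b"", enc, id0)


# Constructed sample values (not from any real file): arbitrary /O and /ID,
# and a /P with the print bit (bit 3) cleared, i.e. a "not printable" document.
SAMPLE_O = bytes(range(32))
SAMPLE_ID0 = bytes.fromhex("0123456789abcdef0123456789abcdef")
SAMPLE_P = -3904


def make_sample_encrypt(user_password: bytes = b"", revision: int = 3,
                        length_bits: int = 128) -> dict:
    """Build an /Encrypt-style dict whose /U is derived from the given user password."""
    key = compute_key(user_password, SAMPLE_O, SAMPLE_P, SAMPLE_ID0, revision, length_bits)
    return {"R": revision, "Length": length_bits, "O": SAMPLE_O, "P": SAMPLE_P,
            "U": compute_u(key, SAMPLE_ID0, revision)}


if __name__ == "__main__":
    for label, enc in (("empty user password", make_sample_encrypt()),
                       ("user password 'secret'", make_sample_encrypt(b"secret"))):
        print(f"{label}: R={enc['R']} decryptable without password: "
              f"{is_pseudo_encrypted(enc, SAMPLE_ID0)}")
```

In a real scanner the /O, /U, /P, /R and /Length values come from the trailer's /Encrypt dictionary and id0 from the first /ID string; when `is_pseudo_encrypted` returns True the key from `compute_key(b"", ...)` is exactly what is needed to decrypt the file's streams before they are scanned, which is the step the thread reports ClamAV skipping for R3.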