Messaging Gateway


Disarm in pdf document

  • 1.  Disarm in pdf document

    Posted Sep 11, 2019 11:18 AM

    Hi pls.

    If I set disarm and a PDF document has a certificate signature, the certificate is removed. In disarm, PDF and the JavaScript checkbox are selected. Is there a solution to deliver a signed PDF document without changes if the document does not contain JavaScript? If it contains JavaScript, the JavaScript is removed; this is OK.....

    thanx



  • 2.  RE: Disarm in pdf document

    Posted Sep 11, 2019 05:58 PM
    Turn off disarm for pdf. Done.


  • 3.  RE: Disarm in pdf document

    Posted Sep 12, 2019 02:04 PM

    Thank you, but we want to remove JavaScript if it exists in the PDF....



  • 4.  RE: Disarm in pdf document

    Posted Sep 13, 2019 01:41 AM

    No u don't. See how that's causing u issues. 



  • 5.  RE: Disarm in pdf document

    Posted Sep 13, 2019 08:30 AM

    Removing JavaScript works fine, that is OK. Removing certificates from a PDF with JavaScript is correct...

    The trouble is with PDFs without JavaScript....I do not know why SMG disarms these PDFs....



  • 6.  RE: Disarm in pdf document

    Posted Sep 15, 2019 10:01 PM
    Stop the disarm service


  • 7.  RE: Disarm in pdf document

    Posted Sep 16, 2019 01:28 AM

    Argghhh, OK, is there a solution to remove JavaScript from PDF files without removing the signature in PDFs without JavaScript?

     



  • 8.  RE: Disarm in pdf document

    Posted Sep 16, 2019 06:07 AM
    That I don't know, but you can use a content filter for .js and then turn off disarm for pdf


  • 9.  RE: Disarm in pdf document
    Best Answer

    Broadcom Employee
    Posted Sep 17, 2019 05:03 PM

    Marek:  keep in mind what disarm really does:  given an object/document (in this case PDF) it tears apart the document and re-builds it, leaving out the potential attack vectors.  The protection it affords is via re-structuring and re-building the document, NOT by "searching" for malicious content based on some set of rules, or signatures.   This is how you get the "day zero" protection.

    With that in mind, now think about what you are asking for:  preserving the digital signature to a file that is significantly different than the one that was originally signed.  Even if this were possible (e.g. SMG had access to the signer's key), doing that would amount to "digital fraud", just as much as if I had a paper document notarized, or filed at the local courthouse, then modified it, post recording, and represented it as if it were the same as the notarized/recorded copy. It bypasses/subverts the whole point of digitally signing a document in the first place.  ("I" composed and sent this message and take responsibility for its contents).

    I know this all comes across as "theory", and we all have more practical considerations (i.e. help-desk tickets of users complaining that things arrived "un-signed"), so might I suggest you open an enhancement request to add a "signing" or "proxy signing" feature to the SMG product? 

     



  • 10.  RE: Disarm in pdf document
    Best Answer

    Broadcom Employee
    Posted Sep 18, 2019 03:06 PM

    As a follow-up on my own post above, I found an outstanding article at

    https://web-in-security.blogspot.com/2019/02/how-to-spoof-pdf-signatures.html 

    which reinforces the point I was trying to make above regarding "preserving" digital signatures in content that has been altered.  While it is "do-able" (at least until vendors fix security flaws in their PDF viewers), it actually represents an attack vector and is NOT desirable behavior.  Hopefully you can use this information to convince your users.  Also, as I thought about this more, it occurred to me that rather than asking for local/proxy signing on the SMG, the feature you are really looking for might be a signature verification action in the policy engine.

    e.g:

    Email arrives with a "signed" PDF as an attachment.  Your policy logic might go something like:

    If (attachment is PDF && SIGNED ) then
        VALIDATE-SIGNATURE
            If SIG-IS-VALID
                DISARM-THE-PDF
                ANNOTATE indicating original PDF was signed and valid
                DELIVER normally
            Else
                Do something else <block/delete attachment whatever you like>
            endif
    endif

    Of course you would have to "translate" the above logic into something comprehensible by the policy UI, but you get the idea.

    You could apply the policy to "inbound" email.  For outbound (which we are assuming is "safe" so you don't disarm ) you can skip the whole thing.
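
The validate-then-disarm order sketched in the post above, as an added Python example that is not part of the original thread and not SMG functionality. It also shows why a PDF with no JavaScript still loses its signature: the signature is bound to the exact bytes named by `/ByteRange`, so any re-serialisation breaks it. Assumptions: the PDF-like bytes are constructed, an HMAC stands in for the signer's real CMS signature, and the `X-Original-PDF-Signature` header name is hypothetical.

```python
import hashlib, hmac, re

KEY = b"constructed-demo-key"   # stand-in for the signer's key (assumption)
BR = re.compile(rb"/ByteRange \[(\d+) (\d+) (\d+) (\d+)\]")

def covered(pdf):
    """Return (signed bytes, excluded <hex> span) for /ByteRange [a b c d]."""
    m = BR.search(pdf)
    if not m:
        return None
    a, b, c, d = map(int, m.groups())
    if a != 0 or a + b > c or c + d != len(pdf):
        return None             # the ranges must span the whole file
    return pdf[a:a + b] + pdf[c:c + d], pdf[a + b:c]

def sign(template):
    """Fill in ByteRange and Contents of the constructed template."""
    start = template.index(b"/Contents <") + len(b"/Contents ")
    end = template.index(b">", start) + 1
    br = b"/ByteRange [%04d %04d %04d %04d]" % (0, start, end, len(template) - end)
    pdf = BR.sub(br, template, count=1)   # same width, offsets unchanged
    data, _ = covered(pdf)
    mac = hmac.new(KEY, data, hashlib.sha256).hexdigest().encode()
    return pdf[:start + 1] + mac + pdf[end - 1:]

def verify(pdf):
    parts = covered(pdf)
    if parts is None:
        return False
    expected = hmac.new(KEY, parts[0], hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(parts[1], b"<" + expected + b">")

def rebuild(pdf):
    """Stand-in for disarm on a file without JavaScript: same objects, new bytes."""
    return pdf.replace(b"<< /Type /Catalog >>", b"<</Type/Catalog>>")

def inbound_policy(pdf):
    """Validate first, then disarm, then annotate (order from the post above)."""
    signed = b"/ByteRange" in pdf
    if signed and not verify(pdf):
        return None, {"action": "block"}
    headers = {"X-Original-PDF-Signature": "valid"} if signed else {}
    return rebuild(pdf), headers

# Constructed sample: a minimal PDF-like byte string with a signature dictionary.
TEMPLATE = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            b"2 0 obj\n<< /Type /Sig /ByteRange [0000 0000 0000 0000] "
            b"/Contents <" + b"0" * 64 + b"> >>\nendobj\n%%EOF\n")
SIGNED = sign(TEMPLATE)
```

The rebuilt file carries the annotation but no longer verifies on its own, which is the trade-off the thread is arguing about.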



  • 11.  RE: Disarm in pdf document

    Posted Sep 19, 2023 01:05 PM

    Just found this post as I experience the same issue as Marek. I would expect the system would change the file only if it actually contains JavaScript and not perform any disarm if it doesn't. i.e. re-structuring and re-building the file only if we had selected to disarm JavaScript and the file actually contained JavaScript.




  • 12.  RE: Disarm in pdf document

    Broadcom Employee
    Posted Sep 19, 2023 03:52 PM

    Everyone still seems to be missing the point of Disarm:  it is NOT about JavaScript, it is about re-building an object/file with the attack vectors removed.  It doesn't "filter" anything, it re-constructs the objects.  This is why it has been so successful in catching zero-day attacks that other technologies have missed: it is not "reactive" or dependent on content.

    The idea of setting some indication that the signature was validated prior to reconstruction and adding a header to indicate that fact sounds interesting and worthy of some research on our part.




  • 13.  RE: Disarm in pdf document

    Posted Sep 19, 2023 04:38 PM
    Remember that any and all gateways can have the rare fault. It is a matter of knowing what truly is a threat and one that is a false positive. That is why I use a 2 stage approach. If the first gateway detects, usually the 2nd one in series won’t. However, sometimes the 1st gateway fails to detect and the 2nd gateway goes. An onion (layered gateway) defense is best.




  • 14.  RE: Disarm in pdf document

    Posted Sep 19, 2023 04:50 PM
    In our experience, the Disarm broke a lot of attachments to the point where they couldn’t even be opened anymore. It didn’t rebuild them properly after ripping out the potential attack vector components.




  • 15.  RE: Disarm in pdf document

    Posted Sep 19, 2023 05:14 PM
    Disarm is very nice. I do selectively disable it




  • 16.  RE: Disarm in pdf document

    Broadcom Employee
    Posted Sep 19, 2023 05:21 PM

    And in my experience, across the larger SMG community, it has been one of the most successful and effective technologies from day one.  The primary/widespread issue we had was related to font removal for PDFs.  We provided education on how to avoid that problem, but we also provided an option to not strip the fonts.

    As always, we try to make the most effective product we can, while providing as much flexibility as possible to adapt things for your individual needs.




  • 17.  RE: Disarm in pdf document

    Posted Sep 19, 2023 05:31 PM
    Disarm has caused some issues in the past




  • 18.  RE: Disarm in pdf document

    Posted Sep 19, 2023 06:14 PM
    Dunno… All I know is we had lots of unhappy campers among our users who couldn’t open some important files.




  • 19.  RE: Disarm in pdf document

    Posted Sep 19, 2023 06:18 PM
    Not always.




  • 20.  RE: Disarm in pdf document

    Posted Sep 19, 2019 03:09 PM
    Good info


  • 21.  RE: Disarm in pdf document

    Posted Sep 21, 2023 02:08 AM

    Hi All and thank you for your replies.

    Although I have disabled the Disarm function due to the issues we experienced with the digital signatures, I got your point and I totally agree it plays a major role in defending against malicious documents. However, I would still expect that instead of rebuilding any PDF it would scan PDFs for selected objects and remove them only in case such objects exist. Or at least having the user decide the behaviour. 




  • 22.  RE: Disarm in pdf document

    Posted Sep 21, 2023 03:08 AM
    Kick ****. That will save u trouble for sure? Thanks