
Encrypted PDF Detection

Created: 31 Jul 2012 • Updated: 01 Aug 2012 | 5 comments
Daniel K.
This issue has been solved.

Does SDLP provide a policy or ruleset that detects Encrypted PDF?

I created several encrypted PDF files using Adobe Acrobat Professional using a password.


I created several policies:

1. OOB Encrypted Content files.

2. Adobe PDF Filetype and File Extension *.pdf

3. File Extension *.pdf and exclude PDF Filetype

4. PDF Filetype and exclude extension *.pdf

5. Regex - "Encrypt\s\d{2,4}\s0\sR"

Which of the above do you think triggered on the encrypted PDF file?

If you chose #3 you would be right. Apparently encrypted PDF files do not look like the PDF file types SDLP expects.

I would have expected 1 and 5 to work. So the very last thing I did was change the configuration of the detection server to allow looking at MarkupText specifically for the regex above. This did not impact the results.


Any ideas on how to improve or create a policy to detect encrypted PDF files?


Clear-text samples from an encrypted PDF:

%PDF-1.6
%24 0 obj
<</Linearized 1/L 10643/O 27/E 5529/N 1/T 10316/H [ 476 186]>>
endobj
32 0 obj
<</DecodeParms<</Columns 4/Predictor 12>>/Encrypt 25 0 R/Filter/FlateDecode/ID[<4C4B389AEFB7FF40AA71D9C858F67CB3><925078BCF3F84A43A21FACE0D06EB3E8>]/Index[24 17]/Info 23 0 R/Length 58/Prev 10317/Root 26 0 R/Size 41/Type/XRef/W[1 2 1]>>stream

and

%PDF-1.6
%1915 0 obj
<</Linearized 1/L 127174/O 1918/E 19539/N 10/T 126613/H [ 506 304]>>
endobj
1930 0 obj
<</DecodeParms<</Columns 4/Predictor 12>>/Encrypt 1916 0 R/Filter/FlateDecode/ID[<FE837F372922CB5CE51E2081A458E8F1><D65AC51B0E653E40B50CB23503CDD0B3>]/Index[1915 29]/Info 1914 0 R/Length 74/Prev 126614/Root 1917 0 R/Size 1944/Type/XRef/W[1 2 1]>>stream
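The marker both samples share is the `/Encrypt N G R` reference in the cross-reference stream dictionary (or, in non-linearized files, the trailer). As an added example that is not part of this thread or of Symantec's product, the Python below detects that reference, shows where the posted regex `Encrypt\s\d{2,4}\s0\sR` falls short (object numbers outside 2 to 4 digits), and pulls the /Filter, /V, /R and /P entries from the encryption dictionary; the sample PDF fragments are constructed, modelled on the clear-text samples above, and are not real files.

```python
import re

# Regex posted in the thread; \d{2,4} skips object numbers below 10 or above 9999.
THREAD_REGEX = re.compile(rb"Encrypt\s\d{2,4}\s0\sR")
# /Encrypt in the trailer or XRef-stream dict is normally an indirect reference "N G R"; PDF also allows a direct "<< ... >>".
ENCRYPT_REF = re.compile(rb"/Encrypt\s*(\d+)\s+(\d+)\s+R\b")
ENCRYPT_DIRECT = re.compile(rb"/Encrypt\s*<<")

def thread_regex_matches(data: bytes) -> bool:
    return THREAD_REGEX.search(data) is not None

def is_encrypted_pdf(data: bytes) -> bool:
    """True when data carries a PDF header and any /Encrypt entry."""
    if not data.lstrip().startswith(b"%PDF-"):
        return False
    return bool(ENCRYPT_REF.search(data) or ENCRYPT_DIRECT.search(data))

def encrypt_dict_fields(data: bytes) -> dict:
    """Locate the /Encrypt dictionary and return /Filter, /V, /R and /P when present.
    /P is the permission bitmask. The presence of /Encrypt alone does not tell an
    owner-password-only ("read-only") file from one that needs a user password to open."""
    m = ENCRYPT_REF.search(data)
    if m:
        num, gen = m.group(1), m.group(2)
        obj = re.search(rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj\s*(<<.*?>>)\s*endobj", data, re.S)
        body = obj.group(1) if obj else b""
    else:
        d = ENCRYPT_DIRECT.search(data)
        body = data[d.start():] if d else b""
    fields = {}
    f = re.search(rb"/Filter\s*/(\w+)", body)
    if f:
        fields["Filter"] = f.group(1).decode()
    for key in (b"V", b"R", b"P"):
        k = re.search(rb"/" + key + rb"\s+(-?\d+)", body)
        if k:
            fields[key.decode()] = int(k.group(1))
    return fields

# Constructed fragments modelled on the clear-text samples in the post; not real files.
SAMPLE_THREAD = (b"%PDF-1.6\n%24 0 obj\n<</Linearized 1/L 10643/O 27/E 5529/N 1/T 10316/H [ 476 186]>>\nendobj\n"
                 b"32 0 obj\n<</DecodeParms<</Columns 4/Predictor 12>>/Encrypt 25 0 R/Filter/FlateDecode"
                 b"/Root 26 0 R/Size 41/Type/XRef/W[1 2 1]>>stream\n...\nendstream\nendobj\n"
                 b"25 0 obj\n<</Filter/Standard/V 4/R 4/Length 128/P -3904/CF<</StdCF<</CFM/AESV2>>>>/StmF/StdCF>>\nendobj\n")
# Small file whose /Encrypt object number is a single digit: the thread regex misses it.
SAMPLE_SMALL = (b"%PDF-1.4\n5 0 obj\n<</Filter/Standard/V 2/R 3/Length 128/P -1>>\nendobj\n"
                b"trailer\n<</Size 6/Root 1 0 R/Encrypt 5 0 R>>\nstartxref\n0\n%%EOF\n")
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<</Type/Catalog>>\nendobj\ntrailer\n<</Size 2/Root 1 0 R>>\n%%EOF\n"
```

Deciding whether a file actually opens without a password requires trying the empty user password against /U, which this detector does not attempt.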

5 Comments

Keith Reynolds - ExchangeTek

You could consider a Custom File Type rule. See the Detection Customization Guide to see how to use the File Type Analyzer to create a custom script for specific file types.

~Keith

SOLUTION
kishorilal1986

Hi Daniel

You will need to use the Custom File Type Detection tool to identify the custom file type of the encrypted .zip or .rar file. Please see Symantec_DLP_11.0_Detection_Customization_Guide.pdf which gives you details on how to use the File Type Analyzer utility.

Vontu cannot detect password protected .zip files on the Endpoint during agent-based detection. Encrypted .zip file-type detection currently exists on the Endpoint Server. The agent is incapable of detecting whether a .zip file is password protected and therefore reports it as a .zip file with no password protection. This is also true for Adobe .pdf files.


Regards

Kishorilal

Daniel K.

I like it. There is a single properties configuration change that needs to be made to the server so that Custom File Types can be added to the rule creation screen.

I already have the pattern for the Encrypted PDF. Wouldn't everyone benefit from this script?

It would be nice to have a file repository of shared scripts for mutual usage and testing.

Thanks for the idea, now I need to get ops to make the change to prod. Then I will test it out.

Daniel

ensweiler

Does your pattern for Encrypted PDF differentiate between a "read-only" encrypted PDF and a PDF that cannot be opened due to encryption?

I completely agree that a repository of useful scripts would be helpful, and (in the tool) a check box list for custom file types similar to how the built-in file types can be selected.

Daniel K.

My goal is to generate PDFs in various manners to see if the magic byte is discernible for various capabilities such as read only or encrypted. We also use tools like CutePDF and Adobe Acrobat Professional that might have additional capabilities.

I will gladly provide them once I get to it...