Does SDLP provide a policy or ruleset that detects Encrypted PDF?
I created several encrypted PDF files using Adobe Acrobat Professional using a password.
I created several policies:
1. OOB Encrypted Content files.
2. Adobe PDF Filetype and File Extension *.pdf
3. File Extension *.pdf and exclude PDF Filetype
4. PDF Filetype and exclude extension *.pdf
5. Regex - "Encrypt\s\d{2,4}\s0\sR"
Which of the above do you think triggered the encrypted PDF file?
If you chose #3 you would be right. Apparently encrypted PDF files do not look like the PDF file types SDLP expects.
I would have expected 1 and 5 to work. So the very last thing I did was change the configuration of the detection server to allow looking at MarkupText specifically for the regex above. This did not impact the results.
Any ideas on how to improve or create a policy to detect encrypted PDF files?
Clear text samples from encrypted PDF:
%PDF-1.6
%24 0 obj
<</Linearized 1/L 10643/O 27/E 5529/N 1/T 10316/H [ 476 186]>>
endobj
32 0 obj
<</DecodeParms<</Columns 4/Predictor 12>>/Encrypt 25 0 R/Filter/FlateDecode/ID[<4C4B389AEFB7FF40AA71D9C858F67CB3><925078BCF3F84A43A21FACE0D06EB3E8>]/Index[24 17]/Info 23 0 R/Length 58/Prev 10317/Root 26 0 R/Size 41/Type/XRef/W[1 2 1]>>stream
and
%PDF-1.6
%1915 0 obj
<</Linearized 1/L 127174/O 1918/E 19539/N 10/T 126613/H [ 506 304]>>
endobj
1930 0 obj
<</DecodeParms<</Columns 4/Predictor 12>>/Encrypt 1916 0 R/Filter/FlateDecode/ID[<FE837F372922CB5CE51E2081A458E8F1><D65AC51B0E653E40B50CB23503CDD0B3>]/Index[1915 29]/Info 1914 0 R/Length 74/Prev 126614/Root 1917 0 R/Size 1944/Type/XRef/W[1 2 1]>>stream
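
One way to check raw file bytes for the /Encrypt entry visible in the samples above, as an added example that is not part of the original post and not SDLP functionality. The function names and the constructed samples are assumptions; it goes beyond the post's samples by also covering classic `trailer` dictionaries, inline /Encrypt dictionaries and object numbers of any length, which the regex in policy 5 does not match.

```python
import re

WS = rb"[\x00\t\n\x0c\r ]"  # the six PDF whitespace bytes
# /Encrypt as an indirect reference ("25 0 R") or as an inline dictionary.
ENCRYPT = re.compile(rb"/Encrypt" + WS + rb"*(?:\d+" + WS + rb"+\d+" + WS + rb"+R|<<)")
# Classic trailer dictionary: trailer << ... >> startxref
TRAILER = re.compile(rb"trailer" + WS + rb"*(<<.*?>>)" + WS + rb"*startxref", re.S)
# Dictionary of a stream object, never crossing an endobj: N G obj << ... >> stream
STREAM_DICT = re.compile(
    rb"\d+" + WS + rb"+\d+" + WS + rb"+obj" + WS
    + rb"*(<<(?:(?!endobj).)*?>>)" + WS + rb"*stream", re.S)
XREF_TYPE = re.compile(rb"/Type" + WS + rb"*/XRef")
POST_REGEX = re.compile(rb"Encrypt\s\d{2,4}\s0\sR")  # policy 5 from the post


def trailer_dicts(data):
    """Yield raw bytes of every trailer and cross-reference stream dictionary."""
    for m in TRAILER.finditer(data):
        yield m.group(1)
    for m in STREAM_DICT.finditer(data):
        if XREF_TYPE.search(m.group(1)):
            yield m.group(1)


def is_encrypted_pdf(data):
    """True if the bytes start like a PDF and a trailer/XRef dictionary has /Encrypt."""
    if b"%PDF-" not in data[:1024]:
        return False
    return any(ENCRYPT.search(d) for d in trailer_dicts(data))


# Rebuilt from the first sample in the post (abridged: /ID, binary comment
# line and stream body omitted).
SAMPLE_POST = (
    b"%PDF-1.6\n24 0 obj\n<</Linearized 1/L 10643/O 27/E 5529/N 1/T 10316"
    b"/H [ 476 186]>>\nendobj\n32 0 obj\n<</DecodeParms<</Columns 4/Predictor 12>>"
    b"/Encrypt 25 0 R/Filter/FlateDecode/Index[24 17]/Info 23 0 R/Length 58"
    b"/Prev 10317/Root 26 0 R/Size 41/Type/XRef/W[1 2 1]>>stream\n")
# Constructed samples: classic trailers, with and without /Encrypt.
SAMPLE_TRAILER = (b"%PDF-1.4\ntrailer\n<</Size 9/Root 1 0 R/Encrypt 8 0 R>>\n"
                  b"startxref\n416\n%%EOF\n")
SAMPLE_PLAIN = b"%PDF-1.4\ntrailer\n<</Size 9/Root 1 0 R>>\nstartxref\n416\n%%EOF\n"

if __name__ == "__main__":
    for name in ("SAMPLE_POST", "SAMPLE_TRAILER", "SAMPLE_PLAIN"):
        print(name, is_encrypted_pdf(globals()[name]))
```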