
Encrypted PDF Detection

Created: 31 Jul 2012 • Updated: 01 Aug 2012 | 5 comments
Daniel K.
This issue has been solved.

Does SDLP provide a policy or ruleset that detects Encrypted PDF?

I created several encrypted PDF files using Adobe Acrobat Professional using a password.

I created several policies:

1. OOB Encrypted Content files.

2. Adobe PDF Filetype and File Extension *.pdf

3. File Extension *.pdf and exclude PDF Filetype

4. PDF Filetype and exclude extension *.pdf

5. Regex - "Encrypt\s\d{2,4}\s0\sR"

Which of the above do you think triggered on the encrypted PDF file?

If you chose #3 you would be right. Apparently encrypted PDF files do not look like the PDF file types SDLP expects.

I would have expected 1 and 5 to work.  So the very last thing I did was change the configuration of the detection server to allow looking at MarkupText specifically for the regex above. This did not impact the results.

Any ideas on how to improve or create a policy to detect encrypted PDF files?

Clear text samples from encrypted pdf:

%24 0 obj
<</Linearized 1/L 10643/O 27/E 5529/N 1/T 10316/H [ 476 186]>>
32 0 obj
<</DecodeParms<</Columns 4/Predictor 12>>/Encrypt 25 0 R/Filter/FlateDecode/ID[<4C4B389AEFB7FF40AA71D9C858F67CB3><925078BCF3F84A43A21FACE0D06EB3E8>]/Index[24 17]/Info 23 0 R/Length 58/Prev 10317/Root 26 0 R/Size 41/Type/XRef/W[1 2 1]>>stream


%1915 0 obj
<</Linearized 1/L 127174/O 1918/E 19539/N 10/T 126613/H [ 506 304]>>
1930 0 obj
<</DecodeParms<</Columns 4/Predictor 12>>/Encrypt 1916 0 R/Filter/FlateDecode/ID[<FE837F372922CB5CE51E2081A458E8F1><D65AC51B0E653E40B50CB23503CDD0B3>]/Index[1915 29]/Info 1914 0 R/Length 74/Prev 126614/Root 1917 0 R/Size 1944/Type/XRef/W[1 2 1]>>stream
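The samples above show the marker a scanner can key on: an encrypted PDF carries an `/Encrypt N G R` reference in its trailer or cross-reference-stream dictionary. As an added example (not code from this thread, from Symantec DLP, or from its File Type Analyzer), the Python below applies that pattern to raw bytes, follows the reference to the encryption dictionary, and reads the handler and the Standard handler's `/P` permission mask; the two PDF fragments are constructed to match the shape of the samples and are not real files.

```python
import re

# Raw-byte scan for the "/Encrypt N G R" reference that the thread's
# xref-stream dictionaries contain (group 1 = object number, group 2 = generation).
ENCRYPT_REF = re.compile(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R")

def find_encrypt_dict(data: bytes):
    """Return the encryption dictionary body (bytes), b"" if the referenced
    object is missing, or None when there is no /Encrypt reference at all."""
    m = ENCRYPT_REF.search(data)
    if not m:
        return None
    num, gen = m.group(1), m.group(2)
    # Locate "N G obj << ... >> endobj" for the referenced object number.
    obj = re.search(rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj\s*<<(.*?)>>\s*endobj",
                    data, re.S)
    return obj.group(1) if obj else b""

def describe_encryption(data: bytes) -> dict:
    """Classify a PDF blob: encrypted or not, which handler, which permissions."""
    body = find_encrypt_dict(data)
    if body is None:
        return {"encrypted": False}
    info = {"encrypted": True}
    for key in (b"Filter", b"V", b"R", b"Length", b"P"):
        m = re.search(rb"/" + key + rb"\b\s*/?\s*(-?\w+)", body)  # heuristic key read
        if m:
            info[key.decode()] = m.group(1).decode()
    # /P is the Standard handler's signed 32-bit permission mask (PDF 1.7,
    # table 3.20): bit 3 = print, bit 4 = modify, bit 5 = copy/extract.
    # It says what a reader may do after opening; whether the file opens without
    # a prompt (empty user password) would need the /U password check as well.
    if "P" in info:
        p = int(info["P"]) & 0xFFFFFFFF
        info["can_print"] = bool(p & 4)
        info["can_modify"] = bool(p & 8)
        info["can_copy"] = bool(p & 16)
    return info

# Constructed samples shaped like the thread's fragments (not real files).
ENCRYPTED_SAMPLE = (
    b"%PDF-1.6\n25 0 obj\n<</Filter/Standard/V 2/R 3/Length 128/P -3904"
    b"/O<0102>/U<0304>>>\nendobj\n32 0 obj\n<</Type/XRef/Encrypt 25 0 R"
    b"/Root 26 0 R/Info 23 0 R>>stream\nendstream\nendobj\n%%EOF\n"
)
PLAIN_SAMPLE = b"%PDF-1.4\n1 0 obj\n<</Type/Catalog>>\nendobj\ntrailer\n<</Root 1 0 R>>\n%%EOF\n"

if __name__ == "__main__":
    print(describe_encryption(ENCRYPTED_SAMPLE))
    print(describe_encryption(PLAIN_SAMPLE))
```

The permission readout covers the "read-only" case only partially: a PDF with an owner password but an empty user password opens without a prompt yet still carries a restrictive `/P`, while telling that apart from a user-password-protected file requires validating `/U`, which this scanner does not do.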

Comments (5)

Keith Reynolds - ExchangeTek

You could consider a Custom File Type rule.  See the Detection Customization Guide to see how to use the File Type Analyzer to create a custom script for specific file types. 


kishorilal1986

Hi Daniel

You will need to use the Custom File Type Detection tool to identify the custom file type of the encrypted .zip or .rar file. Please see Symantec_DLP_11.0_Detection_Customization_Guide.pdf which gives you details on how to use the File Type Analyzer utility.

Vontu cannot detect password protected .zip files on the Endpoint during agent-based detection. Encrypted .zip file-type detection currently exists on the Endpoint Server. The agent is incapable of detecting whether a .zip file is password protected and therefore reports it as a .zip file with no password protection. This is also true for Adobe .pdf files.



Daniel K.

I like it.  There is a single properties configuration change that needs to be made to the server so that Custom File Types can be added to the rule creation screen.

I already have the pattern for the Encrypted PDF. Wouldn't everyone benefit from this script?

It would be nice to have a file repository of shared scripts for mutual usage and testing.

Thanks for the idea, now I need to get ops to make the change to prod. Then I will test it out.


ensweiler

Does your pattern for Encrypted PDF differentiate between a "read-only" encrypted PDF and a PDF that cannot be opened due to encryption?

I completely agree that a repository of useful scripts would be helpful, and (in the tool) a checkbox list for custom file types similar to how the built-in file types can be selected.

Daniel K.

My goal is to generate PDFs in various manners to see if the magic byte is discernible for various capabilities such as read only or encrypted. We also use tools like CutePDF and Adobe Acrobat Professional that might have additional capabilities.

I will gladly provide them once I get to it...