Fair enough.  Thanks for the hard work as usual.

On Mon, May 22, 2017 at 2:16 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> >1. javascript scanning is intelligent, attempting to allow non-malicious
> javascript through.
>
> This is more a wish than it is reality
> - it will block the well known bad
> - it will let pass the known good (or those that are not detected for any
> reason)
> - BUT - it will block all other JavaScripts, even if they are innocent
>
> Time will show how we can improve the JavaScript scanning.
>
> Thomas
>
>
>
>
>
> From:        K Post <nntp.p...@gmail.com>
> To:        ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date:        21.05.2017 17:29
> Subject:        Re: [Assp-test] updated ASSP_AFC Plugin
> ------------------------------
>
>
>
> Thank you for that very detailed and informative additional explanation.
> Clears things up nicely.
> And that explains why my sample PDF with javascript is getting through: it
> just fills in a date into a field, nothing questionable.
>
> I suggest making a change to the AFC plugin documentation in the GUI to
> state that:
> 1. javascript scanning is intelligent, attempting to allow non-malicious
> javascript through.
> 2. That using the :PDF exception is not recommended as this will disable
> all PDF executable scanning.  (leaving out the bit about false positives)
>
> Of note: when I try to do an analyze with that sample PDF's message file
> (the PDF with the basic javascript that I sent you), *ASSP crashes* -
> completely - the service needs to be started again.  Win32.    I've never
> seen that happen before.  If I disable the AFC plugin, analyze works.
>
>
>
> On Sun, May 21, 2017 at 2:39 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
> wrote:
> I did not get any attachment from you.
>
> >that would include anything in the PDF, CertPDF, JSPDF, and URIPDF
> category right?
>
> right
>
> :PDF switches all executable checks off for PDF files - it is NOT
> recommended to do this - because it will block any (possibly also regular)
> JavaScript defined using '/S/JavaScript/JS'
>
> >There seems to be a bit of a double negative in your above comments.
>
> yes - exe-bin is recommended - :PDF to exclude (1. not)  pdf scans - this
> is not (2. not) recommended
> simple boolean operations should not be a problem for an IT prof :)
>
> :PDF is a backward comp. switch - "use the old behavior"
>
> >that would include anything in the PDF, CertPDF, JSPDF, and URIPDF
> category right?
>
> A stream object can be anything in a PDF. The Adobe suites do not
> support creating other executable objects. But it is possible to do this.
> Hackers will never use an Adobe product to create a virus in a PDF!
>
> The nice ransomware does the following, for example:
>
> 1 2 obj
> stream <.... binary docm anyhow encoded and encrypted ...>
> endobj
> ....
> 10 11 obj
> /Type/Filespec/test.docm .....
> endobj
> ....
> 3 4 obj
> /EmbeddedFile/test.docm/ ......<</JavaScript. ..../OpenAction .. load the
> docm in the JavaScript
> endobj
>
> If you use an outdated PDF reader, the reader will call/do an OLE to
> MS Word at the PDF open request - DONE - buy some bitcoins or restore!
>
> A stream object <....> can be stored binary, hex encoded or octal -
> example hex:
>
> <41424344454647>
> which is 'ABCDEFG' - but Adobe allows and ignores all whitespace
> included in this encoding. The following would be the same for the reader
> <41    4243  44                           45 46                       47
>                        >
>
> If more than 256 whitespace characters are added, no antivirus will ever catch it.
>
> Because assp does not need to read or process the attachment as a PDF
> reader (in ASSP_AFC), it decodes all streams to binary and removes all
> whitespace (of any length) - even if the binary result will not be 100%
> correct.
> As far as I know, no antivirus ever decodes a PDF.
>
> The combination docm and OLE and JavaScript - this is relatively easy to
> find. But it is also possible to define an encrypted and encoded
> black/white (0/1) bitmap (picture), but instead to put executable code in
> it and to run this code as an open action.
> Encryption is also used in PDF to prevent printing a document - so there is
> no password required to encrypt data in a PDF.
> I'm waiting for the first of those PDF files. The technology is known, but
> currently not used. However, JavaScript will be required to implement
> those viruses. We have a weapon - ASSP_AFC!
>
>
> ASSP_AFC tries to ignore innocent JavaScript. For example, JavaScript used in a
> form field definition for verification.
> The structure(s) that must be used to do malicious things in a PDF are known.
> ASSP_AFC is looking for those structures. For example: embedding any other
> executable code or using a URI to download it.
> PDFs are commonly used and seen as a very secure way to provide
> information. And for 99% or even more, this is true. Doing anything too
> strict will lead to a large amount of false positives and BIG
> complaints will go to the IT dept.
>
> The real problem is that the Adobe reader has JavaScript execution enabled
> per default - blame on them. I recommend disabling JavaScript in all PDF
> readers. If a PDF contains JavaScript, the reader will warn the user that
> the form will not work unless it is enabled. But at this point, the
> user sees the PDF and knows where it comes from and if it is safe to allow
> JavaScript for this document.
>
>
> So, this PDF scan in ASSP_AFC is somehow different from the other
> executable scans. NOT: "look into, find and block" - MORE: "look into, be
> smart, find malicious content and block".
> To test this extension, you need to try to do malicious things. Everything
> created with the Adobe products should pass this check.
>
> I'm currently not sure if the ':CertPDF' switch is a nice one. It
> assumes that an attacker will not sign the virus PDF. But if a PDF is
> signed, no action will be taken by the PDF reader until the certificate is
> verified.
>
> Thomas
>
>
>
>
>
>
> From:        K Post <nntp.p...@gmail.com>
> To:        ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date:        21.05.2017 01:01
> Subject:        Re: [Assp-test] updated ASSP_AFC Plugin
> ------------------------------
>
>
>
> Thank you Thomas.  Question, you wrote:
>
> the following additional exception switches are implemented:
>
>  :PDF - adobe PDF file with embedded executable code or microsoft office
> macro files, JavaScript and bad URIs (NOT recommended to be used, false
> positives are expected)
>  :CERTPDF - certificate signed adobe PDF file
>  :JSPDF - adobe PDF file with JavaScript inside - notice: well known
> malicious JavaScript combinations will be blocked, even if this option is
> defined
>  :URIPDF - adobe PDF file with URIs to download executables from the web or
> to open local files
>
>
>
> I'm slightly confused by your red text though..  I take anything you
> suggest very seriously, especially so if it's in red.  There seems to be a
> bit of a double negative in your above comments.
>
> If we just use exe-bin as a level 1 block, that would include anything in
> the PDF, CertPDF, JSPDF, and URIPDF category right?  If we do exe-bin|:PDF
> that will block exe's but NOT those that are PDF files with embedded
> executable code or microsoft office macros files, JavaScript and bad URIs
> right?  That seems to remove all of this new PDF blocking functionality or
> am I off base?  Then you said in red that this is not recommended.  I can't
> tell if you mean you recommend that we not use the :PDF exception (so don't
> do exe-bin|:PDF) or if you recommend that we do (exe-bin|:PDF) to best
> avoid false positives.
>
> that would include anything in the PDF, CertPDF, JSPDF, and URIPDF
> category right?   Based on your description, clearly that's the case - and
> I'd think I would want to block them, but I can't figure out how to do that
> if you (might be) recommending that we do exe-bin|:PDF.
>
> I'm clearly confused....
>
> Thanks so much - this should make a big difference!
>
> Ken
>
>
>
> On Sat, May 20, 2017 at 4:34 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
> wrote:
> published ASSP_AFC 4.50
>
> example results from the analyzer:
>
> • URIBL check <http://winsrv01:55555/#ValidateURIBL>: 'OK'
> • † • SuspiciousVirus:
> Sanesecurity.Malware.26947.PdfHeur.DocmJS.UNOFFICIAL 'UNOFFICIAL'
> • attachment Invoice 07853327 05/17/2017.PDF is an executable
> • Not a Valid Format of HELO
> <http://winsrv01:55555/#DoValidFormatHelo>: '[42.113.108.55]'
>
> the following additional exception switches are implemented:
>
>  :PDF - adobe PDF file with embedded executable code or microsoft office
> macro files, JavaScript and bad URIs (NOT recommended to be used, false
> positives are expected)
>  :CERTPDF - certificate signed adobe PDF file
>  :JSPDF - adobe PDF file with JavaScript inside - notice: well known
> malicious JavaScript combinations will be blocked, even if this option is
> defined
>  :URIPDF - adobe PDF file with URIs to download executables from the web or
> to open local files
>
> Thomas
>
>
> From:        Thomas Eckardt <thomas.ecka...@thockar.com>
> To:        ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date:        20.05.2017 07:17
> Subject:        Re: [Assp-test] updated ASSP_AFC Plugin
> ------------------------------
>
>
>
> ASSP_AFC 4.48 was too weak
> ASSP_AFC 4.49 is possibly too strict, but very safe - it allows the use of the
> ':PDF' switch
>
> I'm just looking for a way to prevent false positives.
>
> Thomas
>
>
>
>
>
> From:        K Post <nntp.p...@gmail.com>
> To:        ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date:        19.05.2017 16:28
> Subject:        Re: [Assp-test] updated ASSP_AFC Plugin
> ------------------------------
>
>
>
> Here's a sample PDF with javascript that runs at startup (populates a
> field with the current date).
>
> On Fri, May 19, 2017 at 10:16 AM, K Post <nntp.p...@gmail.com> wrote:
> I tested with this new plugin installed and exe-bin blocking.  This plugin
> now blocks all pdf's that have javascript embedded right?  That's not what
> I experienced.
>
> I created a simple pdf with a button.  That button's action was to run
> javascript to print the document.  I emailed it to myself from gmail.  It
> was received, not blocked.
>
> Am I missing something?
>
> On Fri, May 19, 2017 at 9:48 AM, K Post <nntp.p...@gmail.com> wrote:
> Thanks for this!!!
>
> On Thu, May 18, 2017 at 10:22 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
> wrote:
> Hi all,
>
> I've just published ASSP_AFC.pm version 4.48 at SF-CVS.
>
>
> This version contains an extension to detect embedded executable code in
> real PDF files, if 'exe-bin' files are not allowed in the assp
> configuration.
>
>
> Currently detected are:
>
> - JavaScript - most times this is required by the virus to open and run
> any other embedded code
>
> - ms office macros
> - exe and com files
>
> - wsh files
>
> This extension is hard coded. There is no way to make an exception to
> (e.g.)  :PDF  -  like for :ELF, :CSC  :MSOM ......  - because such files are
> always malicious!
>
>
> Currently it seems that another ransomware attack is starting in
> preparation for the weekend! Such real PDF files are being distributed by email!
>
> I don't think that there will be a stupid 'killswitch' in the new viruses
> to save the world.
>
>
> I just saw that ClamAV (sanesecurity signatures) detected most of them -
> they are all classified as UNOFFICIAL !!!!
>
>
> Thomas
>
>
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally
> privileged and protected in law and are intended solely for the use of the
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no
> known virus in this email!
> *******************************************************
>
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! *http://sdm.link/slashdot*
> <http://sdm.link/slashdot>
> _______________________________________________
> Assp-test mailing list
> *Assp-test@lists.sourceforge.net* <Assp-test@lists.sourceforge.net>
> *https://lists.sourceforge.net/lists/listinfo/assp-test*
> <https://lists.sourceforge.net/lists/listinfo/assp-test>
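As an added example (my own, not ASSP_AFC's code, which is Perl), the whitespace-padded hex encoding and the decode-then-inspect step Thomas describes, run over constructed PDF fragments: the form-date sample that should pass and the embedded-docm layout that should be blocked. The whole-file regex scan and the marker list are my simplifications, not the plugin's rules.

```python
import re

# Constructed sample from the thread: 'ABCDEFG' as a PDF hex string, padded
# with whitespace that the reader silently ignores, so a byte signature on
# the raw file never sees 'ABCDEFG'.
PADDED_HEX = b"<41    4243  44                           45 46                       47\n   >"

# A PDF hex string is '<', hex digits and whitespace, '>'; the lookbehind keeps
# the '<<' that opens a dictionary out of it. Simplification: the whole file is
# scanned instead of walking the object tree.
HEX_STRING = re.compile(rb"(?<!<)<([0-9A-Fa-f\s]*)>")

def decode_ascii_hex(token: bytes) -> bytes:
    """Decode one '<...>' hex string, dropping whitespace of any length.
    A trailing odd digit is padded with '0', as the PDF spec requires."""
    digits = re.sub(rb"\s+", b"", token[1:-1])
    if len(digits) % 2:
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii"))

def normalize_pdf(pdf: bytes) -> bytes:
    """Replace every hex string with its decoded bytes, so structural checks
    and byte signatures see what the reader sees, not the padded encoding."""
    return HEX_STRING.sub(lambda m: decode_ascii_hex(m.group(0)), pdf)

OOXML_MAGIC = b"PK\x03\x04"  # .docm/.docx files are zip containers

def classify_pdf(pdf: bytes) -> str:
    """'clean', 'js-only' (form logic, let through) or 'suspicious' (the
    JavaScript + embedded office file + OpenAction combination from the thread)."""
    data = normalize_pdf(pdf)
    has_js = b"/JavaScript" in data or b"/JS" in data
    has_payload = (b"/EmbeddedFile" in data or b"/Filespec" in data
                   or b"/Launch" in data or OOXML_MAGIC in data)
    if has_js and has_payload and b"/OpenAction" in data:
        return "suspicious"
    return "js-only" if has_js else "clean"

# Constructed: the innocent sample from the thread, JavaScript that fills a
# date field when the document opens. No embedded payload, so it passes.
FORM_PDF = (
    b"1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript\n"
    b"  /JS (this.getField('Date').value = util.printd('mm/dd/yyyy', new Date())) >> >> endobj\n"
)

# Constructed: the layout Thomas describes. The embedded .docm is a hex string
# padded with more than 256 spaces; only the zip magic 'PK' is real, the rest
# is filler, and the JavaScript body is a placeholder.
DOCM_HEX = b"<50 4B    03 04" + b" " * 300 + b"2E 2E 2E>"
RANSOM_PDF = (
    b"1 0 obj << /Type /EmbeddedFile /Length 7 >> " + DOCM_HEX + b" endobj\n"
    b"2 0 obj << /Type /Filespec /F (test.docm) /EF << /F 1 0 R >> >> endobj\n"
    b"3 0 obj << /Type /Catalog /OpenAction << /S /JavaScript\n"
    b"  /JS (PLACEHOLDER-JS-THAT-LOADS-test.docm) >> >> endobj\n"
)
```

`OOXML_MAGIC in RANSOM_PDF` is False on the raw bytes and True after `normalize_pdf`, which is the point of decoding before matching.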