Hello,

I use clamav's option to mark encrypted archives as a virus.
For policy reasons I would like to handle password-protected PDFs
in the same way as password-protected zip archives.

The intention is to categorize content which is known to be password protected
and therefore is known to be unscannable for virus scanners.
In this context it shouldn't matter if it's a password-protected archive
or PDF.

That's why I wrote a little patch:

Index: dv-clamav-0.96.5/libclamav/pdf.c
===================================================================
--- dv-clamav-0.96.5.orig/libclamav/pdf.c       2010-12-02 13:21:02.000000000 
+0100
+++ dv-clamav-0.96.5/libclamav/pdf.c    2010-12-02 13:47:56.000000000 +0100
@@ -1087,6 +1087,12 @@
     }
     size -= offset;

+    if ((pdf.flags & (1 << ENCRYPTED_PDF)) && DETECT_ENCRYPTED) {
+        cli_dbgmsg("cli_pdf: Encrypted PDF found.\n");
+        *ctx->virname = "Encrypted.Pdf";
+        return CL_VIRUS;
+    }
+
     pdf.size = size;
     pdf.map = fmap_need_off(map, offset, size);
     pdf.startoff = offset;
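Review bot: the added test on `pdf.flags & (1 << ENCRYPTED_PDF)` returns CL_VIRUS for every document carrying the encrypted flag, so a PDF that opens without a password and only restricts printing or copy/paste is reported as Encrypted.Pdf too; consider reporting only when the empty user password does not validate for the document. The check also sits before pdf.size, pdf.map and pdf.startoff are assigned, so please confirm that pdf.flags is already populated at this point, and guard the `*ctx->virname` write against a NULL ctx->virname.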
--- snap

This lets clamav mark any pdf containing an "/Encrypt"
with a "virusname" Encrypted.Pdf.

But this patch is not perfect. A PDF may be only protected against copy/paste
or printing.
These documents are also marked as Encrypted.Pdf, which is false.

I found detailed but outdated documentation about the allowed operations in pdf.c
itself:
http://www.cs.cmu.edu/~dst/Adobe/Gallery/anon21jul01-pdf-encryption.txt

Is any programmer able to implement a more correct Encryption detection?
Thanks.

-- 
Andreas Schulze
Internetdienste | P532

DATEV eG
90329 Nürnberg | Telefon +49 911 319-0 | Telefax +49 911 319-3196
E-Mail info @datev.de | Internet www.datev.de
Sitz: 90429 Nürnberg, Paumgartnerstr. 6-14 | Registergericht Nürnberg, GenReg 
Nr.70
Vorstand
Prof. Dieter Kempf (Vorsitzender)
Dipl.-Kfm. Wolfgang Stegmann (stellvertretender Vorsitzender)
Dipl.-Kfm. Michael Leistenschneider
Jörg Rabe v. Pappenheim
Dipl.-Vw. Eckhard Schwarzer
Vorsitzender des Aufsichtsrates: Reinhard Verholen
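
One way to separate the two cases the message describes, as an added example that is not part of the original message or of ClamAV's code: a PDF that only restricts printing or copying normally has an empty user password, so recomputing /U for the empty password (PDF standard security handler, revisions 2 and 3 only) tells whether the content can be read without a password. It assumes /U, /O, /P, the first /ID string, /R and the key length in bytes have already been extracted; all function and parameter names are hypothetical.

```python
import hashlib
import struct

# Assumed inputs: u, o, p, doc_id, rev, key_len already parsed from the PDF.
# Password padding string defined by the PDF standard security handler.
PAD = bytes.fromhex("28bf4e5e4e758a4164004e56fffa0108"
                    "2e2e00b6d0683e802f0ca9fe6453697a")

def rc4(key, data):
    """Plain RC4, written out because hashlib has no stream cipher."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def file_key(password, o, p, doc_id, rev, key_len):
    """Derive the file key from a user password (revisions 2 and 3)."""
    padded = (password + PAD)[:32]
    h = hashlib.md5(padded + o + struct.pack("<I", p & 0xFFFFFFFF) + doc_id).digest()
    if rev >= 3:
        for _ in range(50):
            h = hashlib.md5(h[:key_len]).digest()
    return h[:key_len]

def expected_u(password, o, p, doc_id, rev, key_len):
    """Compute the /U value that the given user password would produce."""
    key = file_key(password, o, p, doc_id, rev, key_len)
    if rev == 2:
        return rc4(key, PAD)
    u = rc4(key, hashlib.md5(PAD + doc_id).digest())
    for i in range(1, 20):
        u = rc4(bytes(b ^ i for b in key), u)
    return u

def opens_without_password(u, o, p, doc_id, rev, key_len=5):
    """True if the empty user password matches /U (restrictions only)."""
    if rev not in (2, 3):
        raise ValueError("only standard handler revisions 2 and 3 handled")
    n = 32 if rev == 2 else 16  # revision 3 compares the first 16 bytes
    return expected_u(b"", o, p, doc_id, rev, key_len)[:n] == u[:n]
```

A scanner would report the document as unscannable only when `opens_without_password` returns False.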
