On Thu, 2 Dec 2010 14:32:52 +0100 Andreas Schulze <andreas.schu...@datev.de> wrote:
> Hello,
>
> I use clamav's option to mark encrypted archives as a virus.
> For policy reasons I'd like to handle password-protected pdf
> in the same way as password-protected zip archives.
>
> The intention is to categorize content which is known to be
> password-protected and therefore is known to be unscannable for
> virus scanners. In this context it shouldn't matter if it's a password-
> protected archive or pdf.
>
> That's why I wrote a little patch:
>
> Index: dv-clamav-0.96.5/libclamav/pdf.c
> ===================================================================
> --- dv-clamav-0.96.5.orig/libclamav/pdf.c 2010-12-02 13:21:02.000000000 +0100
> +++ dv-clamav-0.96.5/libclamav/pdf.c 2010-12-02 13:47:56.000000000 +0100
> @@ -1087,6 +1087,12 @@
> }
> size -= offset;
>
> + if ((pdf.flags & (1 << ENCRYPTED_PDF)) && DETECT_ENCRYPTED) {
> + cli_dbgmsg("cli_pdf: Encrypted PDF found.\n");
> + *ctx->virname = "Encrypted.Pdf";
> + return CL_VIRUS;
> + }
> +
> pdf.size = size;
> pdf.map = fmap_need_off(map, offset, size);
> pdf.startoff = offset;
> --- snap
>
> This lets clamav mark any pdf containing an "/Encrypt"
> with a "virusname" Encrypted.Pdf.
>
> But this patch is not perfect. A pdf may be only protected against
> copy/paste or printing. These documents are also marked as
> Encrypted.Pdf, which is false.

In this case the contents are still stored encrypted, but the decryption key is in the file itself (or at least all the info needed to decrypt). The copy/paste/print protection is merely a flag in the reader. To allow ClamAV to scan that we'd need to implement the decryption though; right now we can only match on the encrypted data.

> A detailed but outdated document about the allowed operations I
> found in pdf.c itself:
> http://www.cs.cmu.edu/~dst/Adobe/Gallery/anon21jul01-pdf-encryption.txt
>
> Is any programmer able to implement a more correct encryption
> detection?

I think we could have another flag that tells you whether the PDF cannot be decrypted using only the info stored in the file; according to that article you linked to, that is when both user and owner passwords are set.
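Review bot: the early return in the added block is keyed on ENCRYPTED_PDF alone, and the submitter's own description says that bit is set for any document carrying an /Encrypt entry, so documents whose user password is empty (owner-password-only, print/copy restrictions) are reported as Encrypted.Pdf even though everything needed to decrypt them is in the file; the reply's proposal of a separate flag, set only when the document cannot be decrypted from in-file information, is the right fix, and the return should test that flag rather than ENCRYPTED_PDF. As a minor style point, put the option test first so the bit test is skipped when blocking of encrypted content is not enabled, e.g. `if (DETECT_ENCRYPTED && (pdf.flags & (1 << ENCRYPTED_PDF)))`. Placing the return before `pdf.map = fmap_need_off(map, offset, size);` is correct as nothing in the visible context has been acquired yet.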
Can you open the bug, and attach some pdfs (that you created yourself perhaps):
- a few that are encrypted with copy, paste, print protection, null passwords
- a few that are encrypted, with user password set
- a few that are encrypted, with owner password set, and user password not set
- a few that are encrypted, with both owner password set, and user password set (if I understood correctly, these are the ones you want to detect)
- some other combination you think might be useful

Best regards,
--Edwin
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
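The distinction drawn in the reply above (an owner-password-only or print/copy-restricted document carries everything needed to decrypt it; a set user password does not) can be decided from the /Encrypt dictionary itself, which is the flag Edwin proposes. The following is an added example and not ClamAV code or code from either correspondent: it implements the standard security handler's revision 2 algorithms (40-bit RC4, /V 1) from the PDF Reference, both to build /Encrypt entries for constructed sample documents and to test whether the empty user password opens them. The names `EncryptDict`, `build_encrypt_dict`, `needs_password` and `recover_user_password`, the sample passwords and the document ID are this example's own assumptions, not anything from the thread.

```python
"""Added example (not ClamAV code): decide from a PDF /Encrypt dictionary
whether a document opens with the empty user password, i.e. whether a
scanner could decrypt it using only information stored in the file.
Implements the standard security handler, revision 2 (40-bit RC4, /V 1),
as described in the PDF Reference.  EncryptDict, needs_password and
recover_user_password are this example's own names."""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Fixed 32-byte padding string from the PDF Reference (Algorithm 2, step 1).
PAD = bytes([
    0x28, 0xBF, 0x4E, 0x5E, 0x4E, 0x75, 0x8A, 0x41, 0x64, 0x00, 0x4E, 0x56,
    0xFF, 0xFA, 0x01, 0x08, 0x2E, 0x2E, 0x00, 0xB6, 0xD0, 0x68, 0x3E, 0x80,
    0x2F, 0x0C, 0xA9, 0xFE, 0x64, 0x53, 0x69, 0x7A,
])


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def pad_password(pw: bytes) -> bytes:
    """Pad or truncate a password to exactly 32 bytes (Algorithm 2, step 1)."""
    return (pw + PAD)[:32]


@dataclass
class EncryptDict:
    """The /Encrypt entries that matter for revision 2, plus the first /ID string."""
    O: bytes        # owner password entry, 32 bytes
    U: bytes        # user password entry, 32 bytes
    P: int          # permission flags (print/copy restrictions live here)
    doc_id: bytes   # first element of the trailer /ID array


def compute_key(user_pw: bytes, O: bytes, P: int, doc_id: bytes) -> bytes:
    """Algorithm 2 for revision 2: 5-byte RC4 key derived from the user password."""
    p_bytes = (P & 0xFFFFFFFF).to_bytes(4, "little")
    return hashlib.md5(pad_password(user_pw) + O + p_bytes + doc_id).digest()[:5]


def compute_O(owner_pw: bytes, user_pw: bytes) -> bytes:
    """Algorithm 3 for revision 2: /O is the padded user password RC4-encrypted
    under a key derived from the owner password (the user password if none)."""
    key = hashlib.md5(pad_password(owner_pw or user_pw)).digest()[:5]
    return rc4(key, pad_password(user_pw))


def compute_U(key: bytes) -> bytes:
    """Algorithm 4 for revision 2: /U is the padding string RC4-encrypted."""
    return rc4(key, PAD)


def build_encrypt_dict(user_pw: bytes, owner_pw: bytes, P: int = -1,
                       doc_id: bytes = bytes(range(16))) -> EncryptDict:
    """What a PDF writer stores; doc_id defaults to a constructed sample value."""
    O = compute_O(owner_pw, user_pw)
    U = compute_U(compute_key(user_pw, O, P, doc_id))
    return EncryptDict(O=O, U=U, P=P, doc_id=doc_id)


def user_password_is(enc: EncryptDict, candidate: bytes) -> bool:
    """Algorithm 6: the candidate is the user password iff it reproduces /U."""
    return compute_U(compute_key(candidate, enc.O, enc.P, enc.doc_id)) == enc.U


def needs_password(enc: EncryptDict) -> bool:
    """True only when the empty user password does not open the file, i.e. the
    content cannot be decrypted from in-file information alone.  Documents with
    only P-bit restrictions or only an owner password return False: everything
    needed to decrypt them is in the /Encrypt dictionary."""
    return not user_password_is(enc, b"")


def recover_user_password(enc: EncryptDict, owner_pw: bytes) -> Optional[bytes]:
    """Algorithm 7: the owner password decrypts /O into the padded user
    password; None if owner_pw is wrong."""
    key = hashlib.md5(pad_password(owner_pw)).digest()[:5]
    padded_user = rc4(key, enc.O)
    return padded_user if user_password_is(enc, padded_user) else None
```

`needs_password(build_encrypt_dict(b"", b"owner-secret", P=-3904))` is False (print/copy restrictions plus an owner password, but an empty user password), whereas `needs_password(build_encrypt_dict(b"user-secret", b"owner-secret"))` is True; the second is the case a scanner genuinely cannot decrypt, and is the condition a separate flag in pdf.c would have to express. Revisions 3 and 4 add MD5 and RC4 iteration steps and longer keys, and AES-based handlers differ again, so a production check has to branch on /R and /V.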