topic Re: PDF with a qualified electronic signature in Firewall and Security Management

PDF with a qualified electronic signature

Robert_Mueller — Wed, 13 Mar 2019 11:50:27 GMT

Hi,

Is there a way that sandblast wont remove or ignore PDFs with a qualified electronic signature (compliant to EU Regulation No 910/2014).. At the moment the "Threat Extraction" removes the signature and recreates the PDF.. The best way will be if ThreatExtraction will bypass PDF with such a signature or wont think this is "evil"

Re: PDF with a qualified electronic signature

PhoneBoy — Sun, 17 Mar 2019 04:36:57 GMT

If the signature is considered "active content" then Threat Extraction would definitely remove it. If you can provide a sample document (possibly through the TAC), someone can take a look at it.

Re: PDF with a qualified electronic signature

chrominek — Wed, 08 Jun 2022 09:07:31 GMT

After 3 years -have you received any answer form TAC? I have similar problems with signed pdf and active content, like fast save data. "Normal" signed pdfs are ok and unchanged, but signed pdfs with a various active content are sanitized, what is not bad, as long as the signed version is available "long enough" - but "long enough" is being defined individually by each user. So I'm excited to know if you have received any good solution from TAC.

Re: PDF with a qualified electronic signature

Thomas_Eichelbu — Thu, 25 Apr 2024 07:09:27 GMT

Hello Folks,

i have the same use case ...
digitally signed PDF are loosing their digital signed integrity and the digital signature is corrupted when PDF´s are passing through TE/TX.
Even when the setting on the Threat Prevention profile for encrypted mails are set to "Allow".

has somebody managed to get this running?

best regards

Re: PDF with a qualified electronic signature

Thomas_Eichelbu — Fri, 12 Jul 2024 06:09:29 GMT

Hello Team!

we finally solved that mystery. interesting is .. Check Point TE/TX solution is already capable of processing digitally signed emails!

there are three scenarios:
1. you send a digital singed email with an unsigned document in it. This will bypassed if you set "allow encrypted email" in the SmartConsole / Threat Prevention Profile / Threat Extraction / "Encrypted Allow"
but this can be dangerous because the attachment will just be bypassed. And not people do have a digital signature to signed their email!

2. you send a normal mail (unsigned) but the attachment with the email is digitally signed. you applied setting like it scenario 1.
The attachment will get processed by TX and destroyed.

3. You have a digital signed email and digital attachment. More or less scenario 1 strikes again and it a bypass regardless what kind of attchment you send! Highly dangerous in my eyes!

solution provided by TAC:
on all affected machines: Security GW (MTA) and Sandblast change this:

1. We need to change the values in both of these files:
* /var/opt/CPsuit-R81.10/fw1/conf/file_convert.conf
* /var/log/jail/opt/CPsuite-R81.10/fw1/conf/file_convert.conf

2. Please locate " ignore_signed_pdfs (0) , change the value, in both files to (1), save and exit the file.

3. Redirect PDF document to the sanitization engine in /var/opt/CPsuit-R81.10/fw1/conf/file_convert.conf:
...
:sanitization_engine_file_types (
: (docx)
: (doc)
: (docm)
: (xls)
: (xlsx)
: (xlsm)
: (rtf)
: (pdf) #add this line
)
) #EOF

4. fw kill scrubd

this has helped us to send digital signed emails in all scenarios and keep the digital signature.
what we did no achieve is to digitally sign a malicious PDF and send it through Sandblast appliance.