Solved: Re: PDF with a qualified electronic signature

Robert_Mueller · ‎2019-03-13

Hi,

Is there a way that sandblast wont remove or ignore PDFs with a qualified electronic signature (compliant to EU Regulation No 910/2014).. At the moment the "Threat Extraction" removes the signature and recreates the PDF.. The best way will be if ThreatExtraction will bypass PDF with such a signature or wont think this is "evil"

Thomas_Eichelbu

Hello Team!

we finally solved that mystery. interesting is .. Check Point TE/TX solution is already capable of processing digitally signed emails!

there are three scenarios:
1. you send a digital singed email with an unsigned document in it. This will bypassed if you set "allow encrypted email" in the SmartConsole / Threat Prevention Profile / Threat Extraction / "Encrypted Allow"
but this can be dangerous because the attachment will just be bypassed. And not people do have a digital signature to signed their email!

2. you send a normal mail (unsigned) but the attachment with the email is digitally signed. you applied setting like it scenario 1.
The attachment will get processed by TX and destroyed.

3. You have a digital signed email and digital attachment. More or less scenario 1 strikes again and it a bypass regardless what kind of attchment you send! Highly dangerous in my eyes!

solution provided by TAC:
on all affected machines: Security GW (MTA) and Sandblast change this:

1. We need to change the values in both of these files:
* /var/opt/CPsuit-R81.10/fw1/conf/file_convert.conf
* /var/log/jail/opt/CPsuite-R81.10/fw1/conf/file_convert.conf

2. Please locate " ignore_signed_pdfs (0) , change the value, in both files to (1), save and exit the file.

3. Redirect PDF document to the sanitization engine in /var/opt/CPsuit-R81.10/fw1/conf/file_convert.conf:
...
:sanitization_engine_file_types (
: (docx)
: (doc)
: (docm)
: (xls)
: (xlsx)
: (xlsm)
: (rtf)
: (pdf) #add this line
)
) #EOF

4. fw kill scrubd

this has helped us to send digital signed emails in all scenarios and keep the digital signature.
what we did no achieve is to digitally sign a malicious PDF and send it through Sandblast appliance.

View solution in original post

PhoneBoy · ‎2019-03-16

If the signature is considered "active content" then Threat Extraction would definitely remove it. If you can provide a sample document (possibly through the TAC), someone can take a look at it.

chrominek · ‎2022-06-08

After 3 years -have you received any answer form TAC? I have similar problems with signed pdf and active content, like fast save data. "Normal" signed pdfs are ok and unchanged, but signed pdfs with a various active content are sanitized, what is not bad, as long as the signed version is available "long enough" - but "long enough" is being defined individually by each user. So I'm excited to know if you have received any good solution from TAC.

Thomas_Eichelbu · ‎2024-04-25

Hello Folks,

i have the same use case ...
digitally signed PDF are loosing their digital signed integrity and the digital signature is corrupted when PDF´s are passing through TE/TX.
Even when the setting on the Threat Prevention profile for encrypted mails are set to "Allow".

has somebody managed to get this running?

best regards

Thomas_Eichelbu

Hello Team!

we finally solved that mystery. interesting is .. Check Point TE/TX solution is already capable of processing digitally signed emails!

there are three scenarios:
1. you send a digital singed email with an unsigned document in it. This will bypassed if you set "allow encrypted email" in the SmartConsole / Threat Prevention Profile / Threat Extraction / "Encrypted Allow"
but this can be dangerous because the attachment will just be bypassed. And not people do have a digital signature to signed their email!

2. you send a normal mail (unsigned) but the attachment with the email is digitally signed. you applied setting like it scenario 1.
The attachment will get processed by TX and destroyed.

3. You have a digital signed email and digital attachment. More or less scenario 1 strikes again and it a bypass regardless what kind of attchment you send! Highly dangerous in my eyes!

solution provided by TAC:
on all affected machines: Security GW (MTA) and Sandblast change this:

1. We need to change the values in both of these files:
* /var/opt/CPsuit-R81.10/fw1/conf/file_convert.conf
* /var/log/jail/opt/CPsuite-R81.10/fw1/conf/file_convert.conf

2. Please locate " ignore_signed_pdfs (0) , change the value, in both files to (1), save and exit the file.

3. Redirect PDF document to the sanitization engine in /var/opt/CPsuit-R81.10/fw1/conf/file_convert.conf:
...
:sanitization_engine_file_types (
: (docx)
: (doc)
: (docm)
: (xls)
: (xlsx)
: (xlsm)
: (rtf)
: (pdf) #add this line
)
) #EOF

4. fw kill scrubd

this has helped us to send digital signed emails in all scenarios and keep the digital signature.
what we did no achieve is to digitally sign a malicious PDF and send it through Sandblast appliance.

Are you a member of CheckMates?

PDF with a qualified electronic signature