This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Robert_Mueller
Collaborator
‎2019-03-13 04:50 AM
Jump to solution

PDF with a qualified electronic signature

Hi,

Is there a way that sandblast wont remove or ignore PDFs with a qualified electronic signature (compliant to EU Regulation No 910/2014).. At the moment the "Threat Extraction" removes the signature and recreates the PDF.. The best way will be if ThreatExtraction will bypass PDF with such a signature or wont think this is "evil"

0 Kudos
1 Solution

Accepted Solutions
Thomas_Eichelbu
Advisor
Advisor
‎2024-07-11 11:09 PM
In response to Thomas_Eichelbu
Jump to solution

Hello Team!

we finally solved that mystery. interesting is .. Check Point TE/TX solution is already capable of processing digitally signed emails!

there are three scenarios:
1. you send a digital singed email with an unsigned document in it. This will bypassed if you set "allow encrypted email" in the SmartConsole / Threat Prevention Profile / Threat Extraction / "Encrypted Allow"
but this can be dangerous because the attachment will just be bypassed. And not people do have a digital signature to signed their email!


2. you send a normal mail (unsigned) but the attachment with the email is digitally signed. you applied setting like it scenario 1.
The attachment will get processed by TX and destroyed.

 

3. You have a digital signed email and digital attachment. More or less scenario 1 strikes again and it a bypass regardless what kind of attchment you send! Highly dangerous in my eyes!

solution provided by TAC:
on all affected machines: Security GW (MTA) and Sandblast change this:

1. We need to change the values in both of these files:
* /var/opt/CPsuit-R81.10/fw1/conf/file_convert.conf
* /var/log/jail/opt/CPsuite-R81.10/fw1/conf/file_convert.conf

2. Please locate " ignore_signed_pdfs (0) , change the value, in both files to (1), save and exit the file.


3. Redirect PDF document to the sanitization engine in /var/opt/CPsuit-R81.10/fw1/conf/file_convert.conf:
...
:sanitization_engine_file_types (
: (docx)
: (doc)
: (docm)
: (xls)
: (xlsx)
: (xlsm)
: (rtf)
: (pdf) #add this line
)
) #EOF


4. fw kill scrubd

this has helped us to send digital signed emails in all scenarios and keep the digital signature.
what we did no achieve is to digitally sign a malicious PDF and send it through Sandblast appliance.

View solution in original post

4 Replies
PhoneBoy
Admin
Admin
‎2019-03-16 09:36 PM
Jump to solution

If the signature is considered "active content" then Threat Extraction would definitely remove it. If you can provide a sample document (possibly through the TAC), someone can take a look at it.
0 Kudos
chrominek
Contributor
‎2022-06-08 02:07 AM
Jump to solution

After 3 years -have you received any answer form TAC? I have similar problems with signed pdf and active content, like fast save data. "Normal" signed pdfs are ok and unchanged, but signed pdfs with a various active content are sanitized, what is not bad, as long as the signed version is available "long enough" - but "long enough" is being defined individually by each user. So I'm excited to know if you have received any good solution from TAC.

0 Kudos
Thomas_Eichelbu
Advisor
Advisor
‎2024-04-25 12:09 AM
In response to chrominek
Jump to solution

Hello Folks, 

i have the same use case ...
digitally signed PDF are loosing their digital signed integrity and the digital signature is corrupted when PDF´s are passing through TE/TX.
Even when the setting on the Threat Prevention profile for encrypted mails are set to "Allow".


has somebody managed to get this running?

best regards

0 Kudos
Thomas_Eichelbu
Advisor
Advisor
‎2024-07-11 11:09 PM
In response to Thomas_Eichelbu
Jump to solution

Hello Team!

we finally solved that mystery. interesting is .. Check Point TE/TX solution is already capable of processing digitally signed emails!

there are three scenarios:
1. you send a digital singed email with an unsigned document in it. This will bypassed if you set "allow encrypted email" in the SmartConsole / Threat Prevention Profile / Threat Extraction / "Encrypted Allow"
but this can be dangerous because the attachment will just be bypassed. And not people do have a digital signature to signed their email!


2. you send a normal mail (unsigned) but the attachment with the email is digitally signed. you applied setting like it scenario 1.
The attachment will get processed by TX and destroyed.

 

3. You have a digital signed email and digital attachment. More or less scenario 1 strikes again and it a bypass regardless what kind of attchment you send! Highly dangerous in my eyes!

solution provided by TAC:
on all affected machines: Security GW (MTA) and Sandblast change this:

1. We need to change the values in both of these files:
* /var/opt/CPsuit-R81.10/fw1/conf/file_convert.conf
* /var/log/jail/opt/CPsuite-R81.10/fw1/conf/file_convert.conf

2. Please locate " ignore_signed_pdfs (0) , change the value, in both files to (1), save and exit the file.


3. Redirect PDF document to the sanitization engine in /var/opt/CPsuit-R81.10/fw1/conf/file_convert.conf:
...
:sanitization_engine_file_types (
: (docx)
: (doc)
: (docm)
: (xls)
: (xlsx)
: (xlsm)
: (rtf)
: (pdf) #add this line
)
) #EOF


4. fw kill scrubd

this has helped us to send digital signed emails in all scenarios and keep the digital signature.
what we did no achieve is to digitally sign a malicious PDF and send it through Sandblast appliance.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events