Messaging Gateway Disarm “PDF Other” Statistic

Article ID: 159378

Products

Messaging Gateway

Issue/Introduction

  1. You are using Symantec Messaging Gateway 10.5 with the Disarm policy enabled.
  2. You send a PDF and it triggers the Disarm policy.
  3. In the Message Audit Log, Disarm is shown as the verdict, and the details show /top-level-msg/your.pdf -> Other.
  4. You want to know what was removed from the PDF as "Other".
  5. On the Dashboard, under Threats, the count of Disarm messages has increased.
  6. In reports, Disarm is shown as applied to the email message with disarm content type "Other".

Cause

A detailed explanation of "Other" is provided below under Resolution.

In short, Disarm removed objects from the PDF that are not used by the document and could be used to hide potentially malicious content (PMC), but that do not fall into any of the named categories: 3D Components, Embedded Files and Attachments, Flash, Trailer Information, Javascript, Launch, XFA (and its Javascript), or Fullscreen.

Such objects are therefore reported as "Other". This does not mean that malicious content was found in the file; it means that objects with the potential to carry malicious content were removed.

Removing these objects does not damage the PDF, change the way it is displayed, or change its print properties.

Resolution

Disarm’s “PDF Other” Statistic

A PDF document is composed of a number of objects, ranging from tens to thousands, connected in a well-defined manner. A file that stores a PDF document may also contain objects that are not connected to any object that is part of the document. Such objects are not interpreted by the viewing application and are neither displayed on screen nor printed.

There are legitimate reasons why such objects exist. For instance, an incremental update that saves a new version of a document may append new content objects without removing the older ones, which are superseded and thereby disconnected from the rest of the document. However, an attacker can just as easily append objects containing arbitrary data that are disconnected from all other objects, so that they do not affect the rendered document. This allows an arbitrary payload to be embedded in any PDF document without being noticed by traditional firewalls and anti-virus scanners. The ordering of objects in a PDF file has no correlation with how they are connected to each other; connectivity is determined by the data structures within the objects themselves. A change in the ordering of objects, without changing their content, therefore does not affect the overall behavior of the document.

A malicious PDF created by an attacker usually contains a payload distributed across one or more objects, typically stream objects, which allow binary data to be embedded. Disarm analyzes the objects and their connections to other objects in the document and, when applicable, takes the following actions:

1. Remove: If an object is unused, i.e. it is disconnected from the objects that are part of the document, then it is removed from the file. Objects that are connected only to unused objects are also removed. Removal of such unused objects does not affect the visual fidelity of the document in any way.

2. Reconstruct: If an object is used, i.e. connected to at least one of the objects that is used, then it is analyzed for the presence of potentially malicious objects within it, which are removed if found. Such modification may cause further objects to become disconnected (unused), in which case they are removed too.

3. Reorder: All the objects that are used are then reordered without affecting their connectivity. This thwarts certain kinds of attacks that need objects to be present in a particular order.

Figure 1. A PDF document is composed of four main parts: header, body, cross-reference table, and trailer. The trailer and cross-reference table are used to locate all the relevant objects within the document. When one or more objects are removed or reordered, their corresponding entries, if present, are also removed or modified respectively.

All of the operations above are part of the basic PDF reconstruction and are carried out every time a PDF document is Disarmed. None of the removed unused objects is known to be malicious: they are disconnected from the document and may or may not be related to any other potentially malicious component. This technique removes or perturbs many types of potential zero-day exploit payloads, but the transformation alone does not indicate that a potentially malicious component was present. In other words, these transformations are advisable because they preclude many types of malicious payload, but they are applied to every PDF document, and a "PDF Other" count therefore does not indicate that each such document contained malicious content.
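The reachability analysis and rebuild described above, as an added illustration: this is Python written for this article, not Symantec's Disarm code. It parses a small constructed PDF embedded in the block, follows indirect references from the trailer to find the objects connected to the document, reports everything else as the "Other" category, and then writes a new file containing only the used objects, renumbered in traversal order with a regenerated cross-reference table. It understands only the classic uncompressed syntax (no object streams, incremental updates or encryption); the sample file, its object numbers and the function names are all assumptions made for the example.

```python
"""Toy model of the basic PDF reconstruction described above: build the object
graph, keep only objects reachable from the trailer, renumber them in traversal
order and regenerate the cross-reference table.  Added illustration, NOT
Symantec's Disarm code; classic uncompressed PDF syntax only."""
import re

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)  # N G obj ... endobj
REF_RE = re.compile(rb"(\d+)\s+(\d+)\s+R\b")                      # indirect ref N G R
TRAILER_RE = re.compile(rb"trailer\s*(<<.*?>>)", re.S)
STREAM_KW = re.compile(rb"\bstream\b")

def parse_objects(pdf):
    """Map object number -> raw body between 'N G obj' and 'endobj'."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}

def split_body(body):
    """Split a body into (dictionary part, stream part or None).  Only the
    dictionary is scanned for references: stream data is opaque and may
    legitimately contain bytes that merely look like 'N 0 R'."""
    parts = STREAM_KW.split(body, 1)
    return parts[0], (parts[1] if len(parts) == 2 else None)

def direct_refs(body):
    """Object numbers referenced directly from an object's dictionary."""
    return {int(m.group(1)) for m in REF_RE.finditer(split_body(body)[0])}

def walk(objects, trailer):
    """Breadth-first traversal from the trailer; returns the visit order.
    Anything never visited is disconnected from the document ('Other')."""
    order, todo = [], sorted(direct_refs(trailer))
    while todo:
        n = todo.pop(0)
        if n in order or n not in objects:
            continue
        order.append(n)
        todo.extend(sorted(direct_refs(objects[n])))
    return order

def classify(pdf):
    """Return (used, unused) object-number sets for a PDF byte string."""
    objects = parse_objects(pdf)
    used = set(walk(objects, TRAILER_RE.search(pdf).group(1)))
    return used, set(objects) - used

def rebuild(pdf):
    """Emit a file containing only reachable objects, renumbered in traversal
    order, with a freshly computed xref table and trailer (old xref ignored)."""
    objects = parse_objects(pdf)
    trailer = TRAILER_RE.search(pdf).group(1)
    order = walk(objects, trailer)
    renum = {old: new for new, old in enumerate(order, start=1)}

    def rewrite(body):
        # Rewrite references in the dictionary only; a reference to a missing
        # object is equivalent to null in PDF, so it is written as such.
        head, stream = split_body(body)
        head = REF_RE.sub(lambda m: (b"%d 0 R" % renum[int(m.group(1))]
                                     if int(m.group(1)) in renum else b"null"), head)
        return head if stream is None else head + b"stream" + stream

    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for old in order:
        offsets.append(len(out))                       # byte offset for the xref
        out += b"%d 0 obj" % renum[old] + rewrite(objects[old]) + b"endobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(order) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    size = b"/Size %d" % (len(order) + 1)
    out += b"trailer\n" + re.sub(rb"/Size\s+\d+", size, rewrite(trailer))
    out += b"\nstartxref\n%d\n%%%%EOF\n" % xref_pos
    return bytes(out)

def xref_consistent(pdf):
    """True if every in-use xref entry points at the 'N 0 obj' it indexes."""
    sx = re.search(rb"startxref\s+(\d+)", pdf)
    m = sx and re.match(rb"xref\s+0 (\d+)\s+", pdf[int(sx.group(1)):])
    if not m:
        return False
    rest = pdf[int(sx.group(1)) + m.end():]
    entries = rest.split(b"\n")[:int(m.group(1))]     # entry 0 is the free-list head
    return all(pdf[int(e[:10]):].startswith(b"%d 0 obj" % n)
               for n, e in enumerate(entries[1:], start=1))

# Constructed sample (not a real file): a one-page document whose objects are
# numbered out of order, plus objects 5 and 6 that nothing reaches from the
# trailer.  6 references 5, so 5 is connected only to an unused object and goes
# too.  Object 5's stream data deliberately contains the text "7 0 R".
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"10 0 obj\n<< /Type /Catalog /Pages 20 0 R >>\nendobj\n"
    b"5 0 obj\n<< /Length 22 >>\nstream\n(hidden payload) 7 0 R\nendstream\nendobj\n"
    b"30 0 obj\n<< /Type /Page /Parent 20 0 R /Contents 40 0 R >>\nendobj\n"
    b"20 0 obj\n<< /Type /Pages /Kids [30 0 R] /Count 1 >>\nendobj\n"
    b"40 0 obj\n<< /Length 16 >>\nstream\nBT (Hello) Tj ET\nendstream\nendobj\n"
    b"6 0 obj\n<< /Next 5 0 R >>\nendobj\n"
    b"trailer\n<< /Size 41 /Root 10 0 R >>\n"
)
```

Calling `classify(SAMPLE_PDF)` reports objects 10, 20, 30 and 40 as used and 5 and 6 as unused; `rebuild(SAMPLE_PDF)` returns a file in which only those four objects remain, renumbered 1 to 4 in trailer-first order, and `xref_consistent` on the result confirms that every regenerated cross-reference entry points at its object header. Note that, as in Disarm, nothing here decides whether the orphaned stream was actually malicious; the "hidden payload" text disappears simply because nothing in the document referred to it.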

If the customer requires further information, refer to the Symantec whitepaper TECH211412.

