Encrypted PDFs

Posted: Tue May 01, 2018 1:46 pm
by mhammett
I've seen the posts about how to allow them all or deny them all.
I've also seen how to allow them through one-by-one after the fact.

When can we see Zimbra add a bit better UI on how to whitelist particular senders with regards to encrypted PDFs? Things like paystubs are sent as encrypted PDFs. I've seen other systems send legitimate e-mail that's an encrypted PDF. Obviously, you can't just whitelist all encrypted PDFs because some are malware.

Back to manually pushing through ones that have already been blocked...

Re: Encrypted PDFs

Posted: Mon May 06, 2019 11:19 pm
by mhammett
Is anyone other than crickets in here?

Re: Encrypted PDFs

Posted: Sun May 12, 2019 8:12 pm
by Jordack
Is where you should place a feature request.

I have not seen any feature requests for it, so not sure you will see the feature anytime soon :(

Re: Encrypted PDFs

Posted: Mon May 13, 2019 4:41 am
by JDunphy
I think what you want is this virus_name_to_spam_score_maps ... This would allow you to score this in SA and provide that flexibility.

Anything matching would be sent on to SA where you could look at X-Amavis-AV-Status to see if that was an encrypted pdf... then create a meta rule to allow your senders through... else score it to non deliverable.

Re: Encrypted PDFs

Posted: Wed Jan 29, 2020 6:20 pm
by JDunphy
I thought I would share my solution since I have a new mobile app that likes to encrypt PDFs and I wasn't going to keep releasing it from quarantine. While the newer ClamAV updated with 8.7.11.p14 has the concept of encrypted docs vs encrypted archives, that isn't enough granularity when you just want to allow encrypted PDFs through to SA for scoring. My solution was to do the following:

1. Add the following to your

Code:

header J_ENCR_PDF  X-Amavis-AV-Status =~ m{Heuristics\.Encrypted\.PDF}i
score J_ENCR_PDF  0.1
describe J_ENCR_PDF Allow encrypted pdf's through

2. Modify: /opt/zimbra/common/sbin/amavisd and add the single line with the comment #JAD

Code:

@virus_name_to_spam_score_maps =
  (new_RE(  # the order matters, first match wins
    [ qr'^Structured\.(SSN|CreditCardNumber)\b'            => 0.1 ],
    [ qr'^(Heuristics\.)?Phishing\.'                       => 0.1 ],
    [ qr'^Heuristics\.Encrypted\.PDF'                      => 0.1 ], #JAD
    [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)'      => 0.1 ],
    # ... remaining entries as shipped with Zimbra, unchanged ...
  ));

Warning: you need to remember to check /opt/zimbra/common/sbin/amavisd that your entry is still there after updating or patching Zimbra, as we are modifying amavisd directly. Unfortunately, this specific solution doesn't appear to have been resolved with various open bugs over the years, so I don't have a cleaner way to do this that is supported by Zimbra other than all or nothing for encrypted archives (tell me if you know a better way for just PDFs)... Bug 67317 and Bug 67317 being the more recent requests.

The good news is that now that SA is involved with scoring encrypted PDF messages, one can do this on a more restrictive basis such as per user or domain, whitelisting, etc. You also get some benefit by allowing your scoring model to have a go at it. Modify the SA score if you feel that allowing encrypted PDFs should count higher with your spam model.
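As an added illustration (not from the thread or from Zimbra) of the "meta rule to allow your senders through, else score it" idea from the earlier reply, the SpamAssassin rules below sit in the same local rules file as the J_ENCR_PDF rule above and assume that rule is already defined; the sender domain payroll.example.com and the rule names are assumed placeholders. Because the From: header is trivially forged, the allow rule also requires SPF_PASS or DKIM_VALID_AU (standard SpamAssassin rules) to fire, so only an authenticated payroll sender gets the negative score.

```conf
# Assumes J_ENCR_PDF (header rule on X-Amavis-AV-Status) is defined in this file.

# __ prefix = subrule: evaluated for use in meta rules, never scored on its own.
# Replace payroll.example.com with the sender domain you actually receive payslips from.
header   __J_ENCR_PDF_ALLOWED_FROM   From:addr =~ /\@payroll\.example\.com$/i

# Encrypted PDF from the allowed sender AND the message passed SPF or aligned DKIM:
# pull the score down so the message is delivered normally.
meta     J_ENCR_PDF_TRUSTED   (J_ENCR_PDF && __J_ENCR_PDF_ALLOWED_FROM && (SPF_PASS || DKIM_VALID_AU))
describe J_ENCR_PDF_TRUSTED   Encrypted PDF from an authenticated, allowed sender
score    J_ENCR_PDF_TRUSTED   -5.0

# Encrypted PDF from anyone else (or from the allowed domain without SPF/DKIM):
# score it above the default required_score so it is treated as spam.
meta     J_ENCR_PDF_UNTRUSTED (J_ENCR_PDF && !J_ENCR_PDF_TRUSTED)
describe J_ENCR_PDF_UNTRUSTED Encrypted PDF from a sender not on the allow list
score    J_ENCR_PDF_UNTRUSTED 6.0
```

Run `spamassassin --lint` as the zimbra user after adding the rules, and watch the X-Spam-Status header of a known payslip message to confirm J_ENCR_PDF_TRUSTED (not J_ENCR_PDF_UNTRUSTED) is the rule that hits.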