Announcement

Collapse
No announcement yet.

Does sanitizing a pdf remove malware hidden in images?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Does sanitizing a pdf remove malware hidden in images?

    Does sanitizing a pdf remove malware hidden in images? For example, script code stored in EXIF data.

  • #2
    Hello there I have been doing some search regarding your question I found some answers relevant to it. Please check out the link below.

    https://security.stackexchange.com/q...cious-pdf-file

    This might be helpful to you.

    Comment


    • #3
      palekale, The sanitize document function in Foxit PhantomPDF would remove the following information from document:
      Metadata
      Embedded content and attached files
      Scripts
      Hidden layers
      Embedded search indexes
      Stored form data
      Review and comment data
      Hidden data from previous document saves
      Obscured text and images
      Comments hidden with the body of the PDF file
      Unreferenced data
      Links,actions and javascripts
      Overlapping objects

      So it could help to remove script codes in PDF file. For security considerations,we suggest you enable safe reading mode in Foxit PhantomPDF for controlling unauthorized actions(such as running Javacript functons) to efficiently avoid attacks from malicious documents. To enable safe reading mode in Foxit PhantomPDF,please go to "File" tab in Foxit PhantomPDF,click on "Preferences",check option "Enable Safe Reading Mode",click on "OK" button to save the setting.

      Comment


      • #4
        Lisa_lee That list isn't clear to me whether it can remove malware in images or not. When it says it removes metadata, does that include metadata in images? Metadata from what or where? Hidden layers in what or where? I guess what I'm asking is what Sanitize can and can't do.

        Comment


        • #5
          palekale ,
          Regarding the question "Sanitizing will remove Script code stored in EXIF ​​data?" you asked, we have confirmed it with our Dev team to know that sanitizing can only delete some scripts rather than all scripts in PDF document.
          For what kind of scripts would be deleted,it follows the following rules:
          1)Javacripts on which locations would be processed:Javacripts actions within Annot objects in PDF page, page-level's Javascript Actions in the PDF page, document-level's Javacript Actions in PDF file.
          2)Related dictionary item: /Type /Action /S /JavaScripts /JS
          3)Those specific locations for Javascripts that to be deleted are:
          A:Form->Document Javacript; (You could find them by clicking on "Form"tab in Foxit PhantomPDF>"JavaScript">"Document JavaScript").
          B:Form->Document Actions; (You could find them by clicking on on "Form"tab in Foxit PhantomPDF>"JavaScript">"Document Action").
          C:The Javascript actions within bookmarks;(You could find action in bookmark by right click on the bookmark which contains action,select "Properties" in the pop-up context menu to open Bookmark properties dialog box,click on "Actions" tab there).
          D:The Javascripts actions within page Annot object.

          Would you please help to give the Sanitizing function in our Foxit PhantomPDF a try to see whether those scripts which you expect to be deleted are deleted or not? If there are still some scripts preserved in PDF file,it is better if you could help to email us the PDF file sample to support@foxitsoftware.com (Attn:Lisa) and indicate this thread link,so that we will ask our Dev team to further check why those Javascripts are not deleted based on PDF file which you will send.

          With regard to the metadata to be deleted by Sanitizing function,it includes the contents which dictionary entries are '/Type /Metadata" and "/Info".
          For the contents which dictionary entry is "/Type /Metadata",they are some hidden information in PDF file which are not visible in PDF file directly.
          For the contents which dictionary entry is "/Info",they are following information in your document properties:
          Title,Subject,creator,Author,Producer,keywords,cus tom properties.
          (You could check document properties by clicking on "File"tab in Foxit PhantomPDF>"Properties">Description").

          For layers in PDF file,you could find them in layer panel in Foxit PhantomPDF. When you perform "Sanitize Document" in PDF file,those layers will all be flatten into file's content layer which makes no layer retained anymore under layer panel.
          Related dictionary item: /Type /OCG

          Comment

          Working...
          X