Making Pdf's a safe email attachment to open

Support for network administrators. for software deployment and management through Active Directory Group Policies.

Moderators: TrackerSupp-Daniel, Tracker Support, Vasyl-Tracker Dev Team, Chris - Tracker Supp, Sean - Tracker, Tracker Supp-Stefan

Post Reply
dalacor
User
Posts: 26
Joined: Thu Sep 01, 2016 9:04 am

Making Pdf's a safe email attachment to open

Post by dalacor »

Whilst reviewing our Cyber Security measures, I wanted to see if I can address the problem of having to allow pdf as a whitelisted attachment - because everyone uses it - with the downside that pdf's have now become the macro equivalent of word - with all the associated malware concerns.

I have already disabled macros on our mail server, so people can no longer send word/excel documents containing macros. I presume that this would also block macros contained within Pdfs?

I see that Xchange Editor has the ability to disable Javascript, which would increase the security of Pdf's. However, I cannot find any information on what impact it would have to turn off Javascript? How would it affect viewing pdf's and what functionality would be lost?

Is there anything else that can be set in Pdf Xchange Editor that would make pdf's safer? I am not sure if disabling Javascript would disable all malware concerns?

What reg key do I need to set to disable javascript in Xchange Editor? Is there a way to allow Javascript for specific documents? I assume that 99% of the pdf's do not just Javascript as invoices are the main use of Pdf via email nowadays. Those should not contain Javascript. But there will be a couple that will need Javascript.
User avatar
Chris - Tracker Supp
Site Admin
Posts: 795
Joined: Tue Apr 14, 2009 11:33 pm

Re: Making Pdf's a safe email attachment to open

Post by Chris - Tracker Supp »

Hi dalacor,

All the advanced security features for the Editor can be found in the File->Preferences

You can disable Javascript in the Javasctipt Category
Javascript-Options.png

I know that some Fillable Forms fields that include javascript would be impacted by disabling the Javascript actions.


Advanced Security Features are found in the Security Options
Security-Options.png


Hope that helps, let us know if you have any further questions
If posting files to this forum - you must archive the files to a ZIP, RAR or 7z file or they will not be uploaded - thank you.


Chris Attrell
Tracker Sales & Support North America
http://www.tracker-software.com
dalacor
User
Posts: 26
Joined: Thu Sep 01, 2016 9:04 am

Re: Making Pdf's a safe email attachment to open

Post by dalacor »

Hi Chris,

Thank you for responding. For some reason, I did not get any email notification that there was a reply. Sorry for the late response.

What I was actually looking for and found was something like this - https://admx.help/?Category=PDF-XChange%20Editor&Policy=TrackerSoftware.PDFXEditor.Policies::Policy_JavaScript_EnableConsole

I have used that to set the javascript for all users on the network.

What I have not been able to do is set the security settings as the registry entries don't seem to apply to Pdf Xchange Editor any more.

https://admx.help/?Category=PDF-XChange%20Editor&Policy=TrackerSoftware.PDFXEditor.Policies::Policy_OpenFilePerm

I am aware that some, but not all fillable form fields require Javascript. I will have to test what.

Thank you
Robert
User avatar
Paul - Tracker Supp
Site Admin
Posts: 6813
Joined: Wed Mar 25, 2009 10:37 pm
Location: Chemainus, Canada
Contact:

Re: Making Pdf's a safe email attachment to open

Post by Paul - Tracker Supp »

Hi dalacor

I had no idea out Templates are on https://admx.help/. That's cool. I have used that site for Microsoft policies and never thought to look for ours.

You can find our documentation of them here: https://help.pdf-xchange.com/sysad ... icies.html

The latest template files are here: https://www.pdf-xchange.com/Tracke ... plates.zip
What I have not been able to do is set the security settings as the registry entries don't seem to apply to Pdf Xchange Editor any more.
What specific policies are failing? If you use the template files linked to above they should work. If any do not I would be keen to hear and investigate.
Best regards

Paul O'Rorke
Tracker Support North America
http://www.tracker-software.com
dalacor
User
Posts: 26
Joined: Thu Sep 01, 2016 9:04 am

Re: Making Pdf's a safe email attachment to open

Post by dalacor »

I have updated my profile, so hopefully I will get an email notification when this topic is updated. I had assumed this was the default.

I have done more work on this issue today as I need to get this implemented. I have discovered that the problem was not the settings. If you apply those settings to the registry, they do work (or at least what I can test).

There is a bug however:

When you apply the registry setting for disabling Javascript and reboot the computer. You will see Javascript disabled in Xchange editor Preferences Javascript, as the box will not be ticked! This is correct.

If you disable opening files, attachments or urls in the registry, the deny setting is applied to Xchange Editor, however, the security preferences settings view in Xchange Editor shows the default settings of Use Trusted, making it appear as if the settings have not been applied. Could this be addressed because the preferences settings view should show the policies that have applied via regedit. The pdf is blocking urls etc, but the preferences setting is showing use trusted/untrusted list.

I can now disable Javascript, opening urls and opening file links using the registry. However either this setting is not working "i.OpenEmbedPerm" or I am not understanding what is being blocked by embedfiles. I disabled embed files, then created a new pdf and went to comment tab and added a sound file. Saved file. I can still play this file, even though I have disabled embedfiles!

This might be down to the fact that the preferences security tab shows options for opening files, attachments and sites. No mention of embedded files.

Essentially the goal I want to achieve is to prevent pdf's being used to transmit malware as bad actors are increasingly resorting to using "safe" email attachments like pdf's to smuggle malware by using links or files (attached or embedded) within the pdf.

If I disable Javascript in pdf's, will this also disable Javascript interactive console? Do I need to disable interactive Console as I just want to block malware from bad actors.
User avatar
Paul - Tracker Supp
Site Admin
Posts: 6813
Joined: Wed Mar 25, 2009 10:37 pm
Location: Chemainus, Canada
Contact:

Re: Making Pdf's a safe email attachment to open

Post by Paul - Tracker Supp »

Hi Dalacor,

thanks for doing this and reporting it. I can confirm that the policy i.OpenEmbedPerm when set to Deny (0) should pop a message and not open the file but it does not, instead it does open the file.

This is a bug and we will squash it. You should see something similar to the i.OpenFilePerm behaviour when set to Deny (0):
image.png
The Policy settings should be reflected in the Editor Preferences, so we will fix that also.
This might be down to the fact that the preferences security tab shows options for opening files, attachments and sites. No mention of embedded files.
While it is true that the policy applies only to opening the files, after you add it, with the policy in place you shouldn't actually be able to open it. That is a consequence of the bug you reported.
If I disable Javascript in pdf's, will this also disable Javascript interactive console?
No, it will not. They are discrete and separate. Set b.EnableConsole to (0) to disable that.
image(1).png
Do I need to disable interactive Console as I just want to block malware from bad actors.
This essentially comes down to how secure your physical environment. The only way for the interactive console to be used is via an Editor session. So unless you anticipate the Bad Actors having access to type malicious code at the console then it should be safe. If you do have that risk, I would suggest this policy is the last of your concerns, but technically it can still be used to run JavaScript, so maybe disable it just to be prudent.

I have raised a formal Support ticket around the issue with the embedded files opening when they should be blocked. RT#6338: AD Template policy i.OpenEmbedPerm not applying

We will fix this. Thanks for bringing it to our attention.
Best regards

Paul O'Rorke
Tracker Support North America
http://www.tracker-software.com
dalacor
User
Posts: 26
Joined: Thu Sep 01, 2016 9:04 am

Re: Making Pdf's a safe email attachment to open

Post by dalacor »

Hi Paul,

Had not realised that the embed issue was a bug as well. I just assumed that I had not understood something. Pleased to hear that you will be able to fix both bugs. What is the normal ETA on fixing bugs?

My point that I was making about the prefs menu options versus registry options is as follows:

  • When document is trying to open file - OpenFilePerm
  • When document is trying to open an attachment - Not sure what reg setting this is? Is this OpenEmbedPerm
  • When document is trying to open a site - OpenSitePerm
As you can see open site and open file is obvious which registry value is relevant. But not clear if open attachment is registry value OpenEmbedPerm.

Thank you for clarifying about the Javascript Console. I am not concerned about a potential hacker creating malicious code as if they were sitting at the keyboard of our computers. As you say, if they are already on the computer itself, then we have bigger problems. I just wasn't sure if the Console part was something that could be used their end to create and send a pdf that contained malicious javascript which we would receive either via email or downloading from a website. If the console is just for an editing session by the local user and disabling Javascript itself blocks execution of any Javascript, then obviously this won't be a problem, from receiving/downloading malware point of view.
User avatar
Paul - Tracker Supp
Site Admin
Posts: 6813
Joined: Wed Mar 25, 2009 10:37 pm
Location: Chemainus, Canada
Contact:

Re: Making Pdf's a safe email attachment to open

Post by Paul - Tracker Supp »

Hi again dalcor,

You are referring to making changes "the registry", which I assume is how you are applying the policies. I am interested in knowing if you deliver them via our Templates and Group Policies for Administrative Templates, or are you pushing the registry changes another way? The mechanism for delivering the policies/reg keys is not really important, I am just interested whether you use this a different way.

OpenEmbedPerm.

Is definitely for "Attachments" - you may consider an "Embedded file" as an attachment, yes.
Best regards

Paul O'Rorke
Tracker Support North America
http://www.tracker-software.com
dalacor
User
Posts: 26
Joined: Thu Sep 01, 2016 9:04 am

Re: Making Pdf's a safe email attachment to open

Post by dalacor »

I don't use group policies to push user and computer settings. The reason being that I work with multiple clients. So I have logon and startup scripts that I created nearly 20 years ago using a programming language called kixtart, which was designed explicitly for logon and startup scripting use.

As nearly all my user profile changes are registry entries, it is a simple case of just adding one line of code for each setting. So I update my scripts (as and when required), and copy those scripts to all the relevant clients. Group Policies are not nearly as capable as scripts are. So I generally look for the actual registry entry rather than the group policy as such.
User avatar
Paul - Tracker Supp
Site Admin
Posts: 6813
Joined: Wed Mar 25, 2009 10:37 pm
Location: Chemainus, Canada
Contact:

Re: Making Pdf's a safe email attachment to open

Post by Paul - Tracker Supp »

Aaah - got it.

That makes sense, ultimately it matters not how those reg keys get there, just that they do. ;-)

Thanks for the explanation.
Best regards

Paul O'Rorke
Tracker Support North America
http://www.tracker-software.com
Post Reply