This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

PDF exploit evasion(33939)

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PDF exploit evasion(33939)

tomohiro.sanematsu
L0 Member

‎03-16-2012 11:37 PM

Dear all,

Our device warned us of pdf exploit evasion. (id:33939)

But, no information on that.

Please give me information.

Best regards

tomohiro

1 person had this problem.
0 Likes Likes
3 REPLIES 3

mikand
L6 Presenter

‎03-17-2012 04:21 AM

When you login to https://support.paloaltonetworks.com/ click on "Threat Database" in "Find Answers" (to the left or the right).

In the search box type "33939" (without the quotes), make sure "vulnerability" (for this case) is selected in "type" and finally click on the Find-button.

However... doing the above will only bring you the obvious:

"
Detail

Attack Name     PDF Exploit Evasion Found
Description     This alert indicates that PDF exploit evasion has been found on your network.
Threat ID     33939
Severity    
informational
Category     info-leak
"

So ehm... anyone else with ideas? 🙂

0 Likes Likes

tettema
L3 Networker

‎03-19-2012 10:22 AM

Hi Tomohiro,

This signature is looking for use of double- and triple-encoded data within PDFs.  This is a commen evasion technique that malicious PDFs use to hide their malicious payload.  However, legimate PDFs can sometimes use double- (and perhaps triple-) encoded data as well, and so this signature is rated as "informational".  In fact, some PDF reports generated by the Palo Alto Networks firewalls can trigger this informational signature.

This signature, just like any other informational signature, is not the highest priority and should not necessarily trigger immediate alarm, however keeping an eye on instances of this alert for PDFs from untrusted sources is a good idea.

0 Likes Likes

tomohiro.sanematsu
L0 Member
In response to tettema

‎03-20-2012 08:55 PM

Hi, tettema

Thank you for your explanation. I understood this sigunagure.

Best regards,

Tomohiro

0 Likes Likes
  • 4915 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks