Legacy Dynamic PDF Attachments blocked by Enterprise email

tarekahf

26-06-2017

Certain types of forms which are based on the legacy Adobe LiveCycle PDF Forms (XFA), when added as an attachment, are being blocked by all Enterprise Email (of different companies). Personal email accounts (Gmail for example) are not blocking such attachments.

Just checking if someone has come across such an issue.

Tarek

Accepted Solutions (0)

Answers (7)


tarekahf

28-06-2017

Looks like this is an issue with the virus engine. I found similar reports here:

Office 365 is flagging legitimate PDF attachments as JS/Injector.A - Microsoft Community

Tarek

tarekahf

27-06-2017

I finally realized that the problem is not in a certain part of the form. I did a lot of testing, and now I have come to the conclusion that if I delete large and random parts from the form, either script or objects (subforms), then the PDF form will go through as an email attachment.

From what I see, if the size and/or pattern of the form meet certain criteria then the malware engine will block the form.

Tarek

tarekahf

27-06-2017

I was able to pinpoint the parts of the form causing the malware detection engine to block the PDF. See highlighted parts in the snapshot below.

Script Object: FormLocale

Table: posBody

Only when I delete both the script object "FormLocale" and the table object "posBody" will the PDF attachment go through.

I would appreciate it if someone could help me find out why, and how I can solve this problem.

1239206_pastedImage_0.png

tarekahf

27-06-2017

I was able to pinpoint the source of the problem... still need to narrow it down even further. I deleted a recently added subform, and the malware detection didn't block the Dynamic PDF. This subform uses FormCalc script with predicates such as:

form1.subform[26].posBody.Row1.Cell1.list_repairs.total_row.total.total_repair_estimate_hi::calculate - (FormCalc, client)

Sum(list_repair_item[*].sf_estimate.resolveNode("#field.[At(name, ""repair_estimate_hi"") > 0]"))

This was the first time I used such a form. I will try to remove the above and check again.

Tarek

altrue990

27-06-2017

Check the Acrobat Version Compatibility. Are they all set to the same version?

tarekahf

27-06-2017

We have about half a dozen Dynamic PDF Forms. The problem happens with exactly one and only one PDF Form Template, and it is a Dynamic Form. All forms have a large amount of JavaScript, and it happens with only one of them.

Following is the error we get from the Office 365 malware detection engine:

Delete message. Malware: JS/Jasobfus.A!ml;JS/Jasobfus.A!ml;JS/Jasobfus.A!ml;JS/Jasobfus.A!ml;JS/Jasobfus.A!ml File: FullForm_uspap-latest-off-v1.pdf

1239052_pastedImage_3.png

If I send the PDF as an attachment from/to a Gmail account, there is no problem.

I performed tests with several PDF Forms generated from the same template over the past year (I got them from the backup). In some cases, the attachment did go through after I opened the PDF form in Designer, cleared the "Save Options" and saved it as a Dynamic PDF:

1239056_pastedImage_4.png

But after I repeated the test with the master template and several other files, I realized that clearing or setting the above options has no effect. Also, there is no difference if the template is blank or it has data imported.

As of now, I have two different versions of the Dynamic PDF Form that belong to the same master template; one of them was blocked by the malware engine, and the other was not blocked.

What I will do now is compare the XML View of both versions and try to figure out what difference is causing the form to be identified as infected with malware.

If you have any feedback, please let me know.

Tarek
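
Added example, not part of the thread or the poster's form: a Python version of the XML View comparison described in the post above, listing which XFA scripts were added, removed or changed between a delivered and a blocked version of a template. The two templates are constructed samples that only borrow object names from the thread, and the function names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET

# XFA elements whose name attribute forms the object path shown in the script editor.
NAMED = {"subform", "subformSet", "area", "exclGroup", "field", "draw"}

def local(tag):
    """Drop the namespace so any XFA template schema version matches."""
    return tag.rsplit("}", 1)[-1]

def collect_scripts(xml_text):
    """Return {path::context: (contentType, length, sha256 prefix)} for every <script>."""
    scripts = {}
    def walk(node, path, parent):
        if local(node.tag) == "script":
            # Context: the event activity, else the wrapper tag (calculate, variables, ...).
            ctx = parent.get("activity") or local(parent.tag)
            if node.get("name"):
                ctx += "." + node.get("name")  # named script object
            key, n = ".".join(path) + "::" + ctx, 1
            while key in scripts:  # same-named siblings, e.g. repeated rows
                n += 1
                key = "%s::%s#%d" % (".".join(path), ctx, n)
            body = (node.text or "").strip()
            ctype = node.get("contentType", "application/x-formcalc")  # XFA default
            scripts[key] = (ctype, len(body), hashlib.sha256(body.encode()).hexdigest()[:12])
            return
        if local(node.tag) in NAMED and node.get("name"):
            path = path + [node.get("name")]
        for child in node:
            walk(child, path, node)
    root = ET.fromstring(xml_text)
    walk(root, [], root)
    return scripts

def diff_scripts(delivered_xml, blocked_xml):
    """List scripts added, removed or changed in the blocked version."""
    a, b = collect_scripts(delivered_xml), collect_scripts(blocked_xml)
    return {"added": sorted(b.keys() - a.keys()),
            "removed": sorted(a.keys() - b.keys()),
            "changed": sorted(k for k in a.keys() & b.keys() if a[k] != b[k])}

# Constructed sample templates (not the poster's form).
DELIVERED = '''<template xmlns="http://www.xfa.org/schema/xfa-template/3.0/">
<subform name="form1">
  <variables><script name="FormLocale" contentType="application/x-javascript">var lang = "en";</script></variables>
  <subform name="posBody"><field name="total"><calculate><script>Sum(item[*].amount)</script></calculate></field></subform>
</subform></template>'''
BLOCKED = DELIVERED.replace("amount)", "estimate_hi)").replace("</field>",
    '</field><field name="notes"><event activity="initialize"><script>0</script></event></field>')
```

Paste each version's XML View into a string and pass both to `diff_scripts`; the short hash and length make it easy to see which script bodies differ without reading the whole template.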

altrue990

26-06-2017

Does this occur for Dynamic forms, Static forms or both?