
Deleted files from the untrusted key are also converted !! #69

Open
Manoubi88 opened this issue May 6, 2019 · 9 comments

Comments

@Manoubi88

Even deleted files from the untrusted key are converted and copied into the clean key.
Is this normal?

@Rafiot
Member

Rafiot commented May 6, 2019

Well, I assume they're not deleted, but in the trash, right? If that's right, yes, it is expected, the script searches all possible files on the untrusted key.

@Manoubi88
Author

It's an unexpected behavior, thanks for your answer.

@Rafiot
Member

Rafiot commented May 6, 2019

You're welcome.

In practice, Circlean cannot make the difference between a "normal" directory and the "trash" directory, as they are the same thing on the file system, and they differ depending on the operating system you're using.

@Manoubi88
Author

Manoubi88 commented May 13, 2019

Thanks again, I still have some questions:

  • Is it possible to prevent CIRCLean from searching files from the Trash (by changing things in the config file for example)?
  • If CIRCLean analyzes 10 files from the Untrusted key, it generates about 10 times more files in the Trusted key, can we reduce the number of resulting files?
  • PDF files without risk are also converted into .pdf_DANGEROUS files, can we change that?

@Rafiot
Member

Rafiot commented May 14, 2019

Thank you for your interest in the project.

  • It is currently not possible to ignore specific directories, the main reason is that CIRCLean has no config file and is static after the SD card is flashed. The goal of the project is to be generic and we expect users with specific use cases to modify the code and flash their own images.

  • Not really, the resulting files are meta-information extracted from the source files. Again, if you have specific use cases, please describe them here, but it is strongly recommended to adapt PyCIRCLean specifically for them.

  • The way PDFs are analyzed is by checking if there is active content, such as OpenActions, which can be used to execute malicious content. It turns out to be used a lot in legitimate files, but I'm not aware of reasonable ways to figure out what an open action does (it wasn't doable automatically last time I checked). But if you know about another approach, please let me know.

The library used by CIRCLean is here: https://github.com/CIRCL/PyCIRCLean
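The active-content check described above, as an added example written for this page (it is not PyCIRCLean's own code; the marker list, the `#xx` name normalization and the sample PDFs are assumptions constructed for the illustration):

```python
import re

# Name tokens associated with active content in PDFs. This list is an
# assumption for the example, not PyCIRCLean's exact set of checks.
ACTIVE_MARKERS = (b"OpenAction", b"AA", b"JavaScript", b"JS", b"Launch")

# A PDF name ends at whitespace or a delimiter, so "/JS" must not match "/JSX".
_NAME_RE = re.compile(
    rb"/(" + b"|".join(ACTIVE_MARKERS) + rb")(?=[\s/\[\]<>(){}%]|$)"
)


def _normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes in PDF names (e.g. /#4FpenAction -> /OpenAction).

    Without this step a trivially escaped name slips past a raw byte scan.
    """
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def find_active_content(pdf_bytes: bytes) -> list[str]:
    """Return the distinct active-content markers present in a PDF's raw bytes.

    Limitation: names inside compressed object streams (/ObjStm with
    /FlateDecode) are invisible to a raw scan; a complete checker inflates
    those first. Any hit is reported, legitimate or not, which is exactly why
    CIRCLean-style tools flag a file rather than try to judge the action.
    """
    data = _normalize_names(pdf_bytes)
    return sorted({m.group(1).decode() for m in _NAME_RE.finditer(data)})


def is_dangerous(pdf_bytes: bytes) -> bool:
    """Verdict in the spirit of the .pdf_DANGEROUS suffix: any active content counts."""
    return bool(find_active_content(pdf_bytes))


# Constructed minimal PDFs for the example (not real-world samples).
CLEAN_PDF = (b"%PDF-1.4\n"
             b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
             b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
             b"trailer << /Root 1 0 R >>\n%%EOF\n")
ACTIVE_PDF = CLEAN_PDF.replace(
    b"/Pages 2 0 R >>", b"/Pages 2 0 R /OpenAction 4 0 R >>").replace(
    b"trailer", b"4 0 obj << /S /JavaScript /JS (app.alert('sample')) >> endobj\ntrailer")
# Same document with the OpenAction name hex-escaped, to exercise normalization.
ESCAPED_PDF = ACTIVE_PDF.replace(b"/OpenAction", b"/#4FpenAction")
```

Run `find_active_content` over a real PDF's bytes to see which markers triggered the verdict; a benign form with an OpenAction will be flagged just as the comment above describes.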

@Manoubi88
Author

Thank you for your answer.

@Manoubi88
Author

Hello again!
To be sure, is there a possibility with CIRCLean (with previous versions...) to DELETE only suspect content such as OpenActions... from PDF files or Macros from Office files for example. So the result will be an Office Document without Macros instead of having it as DANGEROUS_FileName.docx_DANGEROUS?

@Rafiot
Member

Rafiot commented May 25, 2019

No, there is no reliable way I know of to do that (neither with Office documents nor with PDFs). If you hear of one, please let me know.

@Manoubi88
Author

Ok, thank you.
