Former Member
Message 1 of 2

Web Gateway 8.2 blocking PDF as corrupted


Hi all,

We are experiencing problems with PDFs downloaded from the internet. Files are frequently blocked by Web Gateway as corrupted due to the Rule "Block Corrupted MediaTypes" which uses the check "Body.IsCorruptedObject". This does not happen all the time; some documents are downloadable without a problem.

We can reproduce the problem with all documents downloadable from this website: https://zeitpunkt.nrw/ulbbn/periodical/titleinfo/6373522 (e.g. https://zeitpunkt.nrw/download/pdf/6267868?name=2%20211852)

Whereas https://www.mcafee.com/enterprise/de-de/assets/data-sheets/ds-web-gateway.pdf works flawlessly.

Any suggestions?

 

1 Solution

Accepted Solutions
pcoates2
Level 8
Message 2 of 2

Re: Web Gateway 8.2 blocking PDF as corrupted


Hi Bjoern,

Due to the multitude of PDF generators (often inline web based) there is often data that doesn't match up to the standards set in the PDF handler.

One thing I have noticed recently is that there is embedded content that can be detected as application/octet-stream, however it is only detected using mediatype.notensured. To test for this you can make a continue rule that checks against mediatype.notensured and create a rule trace to verify.

If it is application/octet-stream and detected by notensured detection you can create an exception in your rule logic to bypass it.

Other types of corruption in PDFs often end up being unusual spacing of data, seemingly erroneous data/characters, etc. If you open one of the PDFs in a hex viewer you may see something unusual. Many of my clients have started to bypass the corrupted archive check for PDFs because they encounter so many of these poorly generated PDF documents. You could create rule logic to only bypass the corrupt check if it was from a GTI minimal risk rated site and/or utilize the GTI file reputation checking to validate the hash as filereputationgood. NOTE: The MWG needs to be configured to utilize GTI File reputations to utilize the file reputation property.

Here's a sample set of logic that was for bypassing encrypted from trusted, but you could utilize it to make exceptions or bypass for corrupted PDF as well, just replace the appropriate properties and adjust logic if you're setting a variable, doing an exception, or creating a stop rule set above:

[Screenshot: PDF_Corrupt_Bypass_Trusted.png]

 

Cheers,

 

Pete
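
A scripted alternative to the hex-viewer inspection suggested in the answer above, as an added example that is not part of the original thread and does not reproduce Web Gateway's Body.IsCorruptedObject logic. The function names, the three checks (header position, data after %%EOF, startxref target) and the sample file are assumptions constructed for illustration of what strict PDF parsers commonly reject.

```python
import re

def pdf_structure_findings(data: bytes) -> list:
    """List structural anomalies that strict PDF parsers commonly reject."""
    findings = []
    # 1. "%PDF-" should be the very first bytes of the file.
    hdr = data.find(b"%PDF-")
    if hdr == -1:
        return ["no %PDF- header"]
    if hdr > 0:
        findings.append(f"{hdr} byte(s) before %PDF- header")
    # 2. Only PDF whitespace may follow the final %%EOF marker.
    eof = data.rfind(b"%%EOF")
    if eof == -1:
        findings.append("no %%EOF marker")
    else:
        extra = data[eof + 5:].strip(b"\r\n\t \x00")
        if extra:
            findings.append(f"{len(extra)} byte(s) after final %%EOF")
    # 3. The last startxref value is treated as an absolute file offset that
    #    must land on an "xref" table or an "N G obj" cross-reference stream.
    ptrs = re.findall(rb"startxref\s+(\d+)", data)
    if not ptrs:
        findings.append("no startxref pointer")
    else:
        off = int(ptrs[-1])
        target = data[off:off + 24]
        if not (target.startswith(b"xref") or re.match(rb"\d+\s+\d+\s+obj", target)):
            findings.append(f"startxref {off} does not point at an xref section")
    return findings

def build_sample() -> bytes:
    """Constructed minimal one-object PDF with a correct xref offset."""
    body = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    xref = b"xref\n0 2\n0000000000 65535 f \n0000000009 00000 n \n"
    trailer = b"trailer\n<< /Size 2 /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % len(body)
    return body + xref + trailer

if __name__ == "__main__":
    good = build_sample()
    cases = {
        "well-formed": good,
        "leading newlines (shifts every offset)": b"\n\n" + good,
        "data appended by the web application": good + b"<!-- served by cms -->",
    }
    for label, blob in cases.items():
        print(f"{label}: {pdf_structure_findings(blob) or 'ok'}")
```

Running it against a blocked download (`pdf_structure_findings(open(path, "rb").read())`) gives a first indication of whether the file is merely sloppily generated before deciding on an exception rule.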
