
Deleted files from the untrusted key are also converted !!

Open Manoubi88 opened this issue 5 years ago • 9 comments

Even deleted files from the untrusted key are converted and copied into the clean key. Is this normal?

Manoubi88 avatar May 06 '19 08:05 Manoubi88

Well, I assume they're not deleted, but in the trash, right? If that's right, yes, it is expected, the script searches all possible files on the untrusted key.

Rafiot avatar May 06 '19 09:05 Rafiot

It's an unexpected behavior, thanks for your answer.

Manoubi88 avatar May 06 '19 13:05 Manoubi88

You're welcome.

In practice, Circlean cannot tell the difference between a "normal" directory and the "trash" directory, as they are the same thing on the file system, and they differ depending on the operating system you're using.

Rafiot avatar May 06 '19 15:05 Rafiot

Thanks again, I still have some questions:

  • Is it possible to prevent CIRCLean from searching files from the Trash (by changing things in the config file for example)?
  • If CIRCLean analyzes 10 files from the Untrusted key, it generates about 10 times more files in the Trusted key, can we reduce the number of resulting files?
  • PDF files without risk are also converted into .pdf_DANGEROUS files, can we change that?

Manoubi88 avatar May 13 '19 12:05 Manoubi88

Thank you for your interest in the project.

  • It is currently not possible to ignore specific directories, the main reason is that CIRCLean has no config file and is static after the SD card is flashed. The goal of the project is to be generic and we expect users with specific use cases to modify the code and flash their own images.

  • Not really, the resulting files are meta-information extracted from the source files. Again, if you have specific use cases, please describe them here, but it is strongly recommended to adapt PyCIRCLean specifically for them.

  • The way PDFs are analyzed is by checking if there is active content, such as OpenActions, which can be used to execute malicious content. It turns out to be used a lot in legitimate files, but I'm not aware of reasonable ways to figure out what an open action does (it wasn't doable automatically last time I checked). But if you know about another approach, please let me know.

The library used by CIRCLean is here: https://github.com/CIRCL/PyCIRCLean

Rafiot avatar May 14 '19 08:05 Rafiot
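The check Rafiot describes above, as an added illustration that is not PyCIRCLean's own code: a byte-level scan for the PDF name objects that introduce active content, run over a constructed minimal document. It shows why a legitimate file that merely jumps to a page on open gets the same verdict as a malicious one: the policy can only see that an /OpenAction exists, not what it does.

```python
import re

# PDF name tokens may carry #xx hex escapes (e.g. /Open#41ction); decode them
# first so the check sees the same name a PDF reader would.
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Names that introduce "active content": an action run when the document is
# opened, additional-action dictionaries, embedded JavaScript, launch actions.
ACTIVE_CONTENT_NAMES = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch")


def _normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes in name tokens (heuristic over raw bytes)."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def find_active_content(pdf_bytes: bytes) -> list:
    """Return the active-content names present in the PDF, in table order.

    An empty list means none were found. Any hit is what a CIRCLean-style
    policy treats as 'dangerous', whether the action is benign or not.
    Caveat: this scans raw bytes and does not decode compressed object
    streams, so a production check needs a real PDF parser.
    """
    text = _normalise_names(pdf_bytes)
    found = []
    for name in ACTIVE_CONTENT_NAMES:
        # Require a non-name character after the token so /AA != /AAXYZ.
        if re.search(re.escape(name) + rb"(?![A-Za-z0-9])", text):
            found.append(name.decode())
    return found


# Constructed sample: a minimal document whose catalog opens on page 1 via an
# /OpenAction (a common, legitimate pattern), plus the same file without it,
# and the same file with the name written using a hex escape.
PDF_WITH_OPENACTION = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction [3 0 R /Fit] >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
PDF_CLEAN = PDF_WITH_OPENACTION.replace(b" /OpenAction [3 0 R /Fit]", b"")
PDF_ESCAPED = PDF_WITH_OPENACTION.replace(b"/OpenAction", b"/Open#41ction")

if __name__ == "__main__":
    for label, doc in (("with OpenAction", PDF_WITH_OPENACTION),
                       ("clean", PDF_CLEAN), ("escaped name", PDF_ESCAPED)):
        print(label, find_active_content(doc))
```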

Thank you for your answer.

Manoubi88 avatar May 20 '19 14:05 Manoubi88

Hello again! To be sure, is there a possibility with CIRCLean (with previous versions...) to DELETE only Suspect content such as OpenActions... from PDF files or Macros from Office files for example? So the result will be an Office Document without Macros instead of having it as DANGEROUS_FileName.docx_DANGEROUS?

Manoubi88 avatar May 24 '19 16:05 Manoubi88

No, there is no reliable way I know of to do that (neither with office documents nor with PDFs). If you hear of one, please let me know.

Rafiot avatar May 25 '19 19:05 Rafiot

Ok, thank you.

Manoubi88 avatar May 31 '19 10:05 Manoubi88