How to find the custom file type signatures to detect password-protected zip files



Article ID: 159678


Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

You want to detect password-protected/encrypted .zip or .rar files.

Environment

DLP 15.x

Cause

Out of the box, DLP recognizes password-protected ZIP files only in server-side detection, through the default file type list. There is no default file type for password-protected .zip or .rar files on the Endpoint Prevent agent, so endpoint detection requires a custom file type signature.

Resolution

Use the Custom File Type Detection feature to define a custom file type for encrypted .zip or .rar archives. See Symantec_DLP_15.8_Detection_Customization_Guide.pdf for details on the File Type Analyzer utility and the signature scripting language.

The Detection Customization Guide is a set of recommendations and an explanation of the syntax of the Custom File Signature detection scripting language. It also describes how to use the File Type Analyzer utility to record the byte patterns that a training set of files of the same type share in their headers, and then write a detection script based on those shared patterns.

Prepare a training set of about 10-15 password-protected archives, load them into the File Type Analyzer utility for analysis, and then build your own detection script from the patterns it reports.

The section "Tutorial 2: Detecting an encrypted ZIP file format" on page 20 of the guide is particularly relevant. If you need further assistance, contact the Professional Services team.
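The following Python script is an added illustration of the kind of header pattern the training-set approach above is meant to surface for ZIP archives; it is not code from this article or from the DLP Detection Customization Guide, and it is not written in the Custom File Signature scripting language. It relies only on the published ZIP format: every entry carries a 16-bit general purpose bit flag, and bit 0 of that flag is set when the entry is encrypted (WinZip AES additionally uses compression method 99). The sample archives are constructed inline; because Python's zipfile module cannot write encrypted archives, the "encrypted" sample is a plain archive whose flag bit has been set by hand, which is sufficient for a header-signature check.

```python
"""Added example: detect password-protected ZIP archives from header bytes.

Illustration code only. It is not part of the DLP guide and does not use
the DLP custom file signature scripting language; it shows the structural
marker (general purpose bit flag, bit 0) that distinguishes an encrypted
ZIP entry from a plain one.
"""
import io
import struct
import zipfile
from typing import List, Optional

LOCAL_HEADER_SIG = b"PK\x03\x04"   # first bytes of every ZIP file
CENTRAL_DIR_SIG = b"PK\x01\x02"    # one record per entry, at the end of the file
EOCD_SIG = b"PK\x05\x06"           # End Of Central Directory record
FLAG_ENCRYPTED = 0x0001            # general purpose bit 0: entry is encrypted
METHOD_AES = 99                    # WinZip AES encryption (bit 0 is also set)
CD_HEADER_LEN = 46                 # fixed part of a central directory record


def _central_dir(data: bytes):
    """Locate the central directory via the EOCD record; None if absent."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or len(data) - eocd < 22:
        return None
    # EOCD: +10 total entry count (u16), +12 cd size (u32), +16 cd offset (u32)
    entries, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    return entries, cd_offset


def analyze_zip(data: bytes) -> Optional[List[dict]]:
    """Return per-entry encryption info, or None if data is not a usable ZIP.

    The central directory is walked instead of the local headers because an
    entry written with a data descriptor (flag bit 3) leaves the sizes in
    its local header at zero, so stepping from one local header to the next
    is unreliable. The central directory always carries the real sizes.
    """
    if not data.startswith(LOCAL_HEADER_SIG):
        return None
    located = _central_dir(data)
    if located is None:
        return None
    entries, pos = located
    result = []
    for _ in range(entries):
        if pos + CD_HEADER_LEN > len(data) or data[pos:pos + 4] != CENTRAL_DIR_SIG:
            return None
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + CD_HEADER_LEN:pos + CD_HEADER_LEN + name_len]
        result.append({
            "name": name.decode("utf-8", "replace"),
            "encrypted": bool(flags & FLAG_ENCRYPTED),
            "aes": method == METHOD_AES,
        })
        pos += CD_HEADER_LEN + name_len + extra_len + comment_len
    return result


def is_password_protected(data: bytes) -> bool:
    """True if any entry in the archive is marked encrypted; False otherwise."""
    entries = analyze_zip(data)
    return bool(entries) and any(e["encrypted"] for e in entries)


def make_plain_zip() -> bytes:
    """Constructed sample: an ordinary two-entry archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("secret.txt", "constructed sample content\n")
        zf.writestr("readme.txt", "second, unencrypted entry\n")
    return buf.getvalue()


def make_fake_encrypted_zip() -> bytes:
    """Constructed sample: the plain archive with bit 0 of the flag set on
    the first entry, in both its local header (offset 0, flag at +6) and its
    central directory record (flag at +8). The data itself stays plaintext;
    only the header marker a signature-based detector keys on changes."""
    data = bytearray(make_plain_zip())
    data[6] |= FLAG_ENCRYPTED
    _entries, cd_offset = _central_dir(bytes(data))
    data[cd_offset + 8] |= FLAG_ENCRYPTED
    return bytes(data)


if __name__ == "__main__":
    for label, blob in (("plain", make_plain_zip()), ("encrypted", make_fake_encrypted_zip())):
        print(label, is_password_protected(blob), analyze_zip(blob))
```

Two points worth keeping in mind when translating this into a custom file type signature: the encryption flag is per entry, so an archive whose first entry is unencrypted will not show the marker in the first local header even if later entries are protected, and a signature that only looks at the first few bytes of the file will miss it; and the same flag bit applies whether the archive uses legacy ZipCrypto or AES, so a single pattern covers both, with method 99 available if you need to tell them apart.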

Additional Information

References:

Detect password protected zip files with the Endpoint Prevent Agent.

Detect password protected PDF files on the DLP Endpoint