Detect password protected zip and pdf files with the Endpoint Prevent Agent.

Article ID: 159966
Products

Data Loss Prevention Endpoint Prevent, Data Loss Prevention Endpoint Discover, Data Loss Prevention

Issue/Introduction

How to detect password-protected files, such as zip and pdf, on the DLP Endpoint?

Environment

DLP 15.X

Cause

Encrypted file-type detection, by default, is performed by the Endpoint Server.

Resolution

Available Workaround:

Utilize a 'Custom File Type' signature to detect password-protected .zip files on the Endpoint Server and Endpoint Agent.

To enable the Custom File Type Signature rule:
1 - Using a text editor, open the file: \Program Files\Symantec\DataLossPrevention\EnforceServer\15.7\Protect\config\Manager.properties
2 - Set the value of the following parameter to "true":
com.vontu.manager.policy.showcustomscriptrule=true
3 - Stop and then restart the Symantec DLP Manager service.
4 - Log back on to the Enforce Server Administration Console and add a new blank policy.
5 - Add a new detection rule or exception and beneath the File Properties heading you should see the Custom File Type Signature condition.
6 - Configure the condition with your custom script.

Here is the script from the Detection Customization Guide:

$pktag=ascii('PK');
$frecord=getHexStringValue('0304');
$pkbytes=getBinaryValueAt($data, 0x0, 2);
assertTrue($pktag == $pkbytes);
$recordbytes=getBinaryValueAt($data, 0x2, 2);
assertTrue($frecord == $recordbytes);
$cryptByte=getBinaryValueAt($data, 0x6, 1);
$encrypted=mod($cryptByte, 2);
assertTrue($encrypted == 1);

Below is an example of using the script.

Additional Information

It is possible that, when using the script above, detection works for a compressed file but not for a compressed folder. If you run into that issue, try the script without the last three lines:

$pktag=ascii('PK');
$frecord=getHexStringValue('0304');
$pkbytes=getBinaryValueAt($data, 0x0, 2);
assertTrue($pktag == $pkbytes);
$recordbytes=getBinaryValueAt($data, 0x2, 2);
assertTrue($frecord == $recordbytes);

Note that this shortened script matches every zip file, encrypted or not.
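As an added example (not code from this article, from Symantec, or from the Detection Customization Guide), the following Python reproduces the three checks of the custom script above against raw ZIP bytes, then goes one step further and walks every local file header in the archive. The header layout comes from the ZIP format specification: the general purpose bit flag is the 16-bit little-endian field at offset 6, and its bit 0 marks an encrypted entry, which is why the script reads one byte at 0x6 and tests it with mod 2. The sample archives are constructed inside the script; the explanation offered for the compressed-folder case (its first entry is a directory record that carries no encryption flag, so a first-header-only check misses the encrypted file behind it) is an assumption of this example, not something the article states. The DLP condition itself only runs the custom script language shown above; this is a way to test the logic offline before deploying it.

```python
"""Added example: Python re-implementation of the article's custom file type
signature checks for password-protected ZIP files, plus a whole-archive variant.
Sample archives below are constructed by hand and are not real files."""
import struct

LOCAL_SIG = b"PK\x03\x04"
# signature, version needed, flags, method, mod time, mod date, crc32,
# compressed size, uncompressed size, name length, extra length
LOCAL_FMT = "<4sHHHHHIIIHH"
LOCAL_LEN = struct.calcsize(LOCAL_FMT)  # 30 bytes
FLAG_ENCRYPTED = 0x0001        # bit 0 of the general purpose bit flag
FLAG_DATA_DESCRIPTOR = 0x0008  # bit 3: sizes are stored after the entry data


def first_entry_encrypted(data: bytes) -> bool:
    """Mirror of the article's script: 'PK' at offset 0, 03 04 at offset 2,
    and the low flag byte at offset 6 is odd (bit 0 set)."""
    if len(data) < LOCAL_LEN:
        return False
    if data[0:2] != b"PK" or data[2:4] != b"\x03\x04":  # $pktag / $frecord checks
        return False
    return data[6] % 2 == 1                              # mod($cryptByte, 2) == 1


def iter_local_headers(data: bytes):
    """Walk consecutive local file headers and yield (name, flags) per entry."""
    off = 0
    while data[off:off + 4] == LOCAL_SIG:
        fields = struct.unpack_from(LOCAL_FMT, data, off)
        flags, csize, nlen, xlen = fields[2], fields[7], fields[9], fields[10]
        name_start = off + LOCAL_LEN
        name = data[name_start:name_start + nlen].decode("utf-8", "replace")
        yield name, flags
        if flags & FLAG_DATA_DESCRIPTOR:
            # Sizes live after the data; walking further would need the central directory.
            break
        off = name_start + nlen + xlen + csize


def any_entry_encrypted(data: bytes) -> bool:
    """True if any entry in the archive carries the encryption flag."""
    return any(flags & FLAG_ENCRYPTED for _, flags in iter_local_headers(data))


def make_entry(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Build one stored (method 0) local file header plus its data.
    CRC is left as zero because only the header fields matter here."""
    flags = FLAG_ENCRYPTED if encrypted else 0
    header = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, flags, 0, 0, 0, 0,
                         len(payload), len(payload), len(name), 0)
    return header + name + payload


# Constructed samples (no central directory; enough for header inspection).
PLAIN_ZIP = make_entry(b"notes.txt", b"hello", encrypted=False)
ENCRYPTED_ZIP = make_entry(b"secret.txt", b"\x00" * 17, encrypted=True)
# Assumed "compressed folder" layout: the directory record comes first without the
# encryption flag, so a check that only inspects the first header misses the
# encrypted file that follows it.
FOLDER_ZIP = (make_entry(b"docs/", b"", encrypted=False)
              + make_entry(b"docs/secret.txt", b"\x00" * 17, encrypted=True))

if __name__ == "__main__":
    for label, blob in [("plain", PLAIN_ZIP), ("encrypted", ENCRYPTED_ZIP), ("folder", FOLDER_ZIP)]:
        print(f"{label:10s} first-entry: {first_entry_encrypted(blob)!s:5s} "
              f"any-entry: {any_entry_encrypted(blob)}")
```

The first-entry function is exactly what the DLP custom script can express, since it reads fixed offsets from the start of `$data`; the any-entry variant shows what that single-header condition can miss, and it stops at entries written with a data descriptor (flag bit 3), where the compressed size is not in the local header.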
