
Detect password protected zip and pdf files with the Endpoint Prevent Agent.


Article ID: 159966


Products

Data Loss Prevention Endpoint Prevent
Data Loss Prevention Endpoint Discover
Data Loss Prevention

Issue/Introduction

How can password-protected files, such as .zip and .pdf, be detected on the DLP Endpoint Agent?

Cause

By default, encrypted file-type detection is performed on the Endpoint Server, not by the Endpoint Agent.

Resolution

Available Workaround:

Use a 'Custom File Type' signature to detect password-protected .zip files on both the Endpoint Server and the Endpoint Agent. The script below covers .zip archives only; this article provides no equivalent signature for password-protected PDF files.

Reference: Symantec Data Loss Prevention Detection Customization Guide

In that guide, "Tutorial 2: Detecting an encrypted ZIP file format" contains a script that detects encrypted .zip files on the Endpoint.
However, the guide's instructions say to test the script with the File Type Analyzer, and that Analyzer has a bug that causes the script to fail.
The script does work as a custom data identifier, so build a custom data identifier using it.
Guidance for creating a custom data identifier starts here: creating-custom-data-identifiers.html.

Here is the script from the Detection Customization Guide. It reads the first local file header of the archive: the 'PK' signature at offset 0, the local-file-header record type 0x0304 at offset 2, and the low byte of the general-purpose bit flag at offset 6. Bit 0 of that flag is set when the entry is encrypted, which is what mod($cryptByte, 2) tests. Because only the first entry is examined, an archive whose first entry is stored in the clear, or one that does not begin with a local file header (for example a self-extracting archive), is not flagged:

$pktag=ascii('PK');
$frecord=getHexStringValue('0304');
$pkbytes=getBinaryValueAt($data, 0x0, 2);
assertTrue($pktag == $pkbytes);
$recordbytes=getBinaryValueAt($data, 0x2, 2);
assertTrue($frecord == $recordbytes);
$cryptByte=getBinaryValueAt($data, 0x6, 1);
$encrypted=mod($cryptByte, 2);
assertTrue($encrypted == 1);
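The following is an added stand-alone example, not code from this article or from the DLP product, for checking the same header logic outside the Endpoint Server before committing it to a custom data identifier. It mirrors the script above (first local file header only), adds a whole-archive check that walks the central directory so an archive whose first entry is clear is still caught, and goes beyond the article by adding a heuristic for password-protected PDFs based on the /Encrypt entry in the trailer dictionary. The ZIP and PDF samples are constructed inline; the ZIP builder sets the encryption flag bit without actually encrypting the payload, which is all the header test looks at.

```python
"""Added example: encrypted ZIP and PDF checks mirroring the DLP custom script."""
import io
import re
import struct
import zipfile


def zip_first_entry_encrypted(data: bytes) -> bool:
    """Same test as the DLP script: 'PK', then 0x03 0x04, then bit 0 of the
    general-purpose flag (low byte at offset 6) of the first local file header."""
    if len(data) < 8 or data[:2] != b"PK" or data[2:4] != b"\x03\x04":
        return False
    return data[6] % 2 == 1  # bit 0 is set for both ZipCrypto and WinZip AES entries


def zip_any_entry_encrypted(data: bytes) -> bool:
    """Stronger check: walk the central directory so an archive whose first entry
    is stored in the clear but a later one is encrypted is still flagged."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x01 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def pdf_is_encrypted(data: bytes) -> bool:
    """Password-protected PDFs carry an /Encrypt entry in the trailer (or
    cross-reference stream) dictionary. Heuristic: the token could in principle
    also appear inside an unencrypted content stream."""
    return data.startswith(b"%PDF") and re.search(rb"/Encrypt(?=[\s<\[/])", data) is not None


def build_zip(entries: dict, flag_encrypted: set) -> bytes:
    """Constructed sample builder (hypothetical helper, not part of the article).
    Writes a clear ZIP with the stdlib, then sets bit 0 of the general-purpose
    flag for the named entries in both the local header and the central
    directory, since zipfile cannot write encrypted archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    # (signature, flag offset, name-length offset, name offset) per header type
    layouts = ((b"PK\x03\x04", 6, 26, 30), (b"PK\x01\x02", 8, 28, 46))
    for sig, flag_off, nlen_off, name_off in layouts:
        pos = 0
        while (pos := data.find(sig, pos)) != -1:
            nlen = struct.unpack_from("<H", data, pos + nlen_off)[0]
            name = bytes(data[pos + name_off:pos + name_off + nlen]).decode()
            if name in flag_encrypted:
                data[pos + flag_off] |= 0x01
            pos += 4
    return bytes(data)


# Constructed samples, not real customer files.
ENTRIES = {"a.txt": b"hello", "b.txt": b"world"}
ZIP_CLEAR = build_zip(ENTRIES, set())
ZIP_ALL_ENCRYPTED = build_zip(ENTRIES, {"a.txt", "b.txt"})
ZIP_SECOND_ENCRYPTED = build_zip(ENTRIES, {"b.txt"})  # first entry clear
PDF_CLEAR = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
             b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
PDF_ENCRYPTED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
                 b"trailer\n<< /Root 1 0 R /Encrypt 5 0 R /ID [<0102><0304>] >>\n%%EOF\n")


def classify(data: bytes) -> str:
    """Label a blob the way a detection rule would."""
    if zip_first_entry_encrypted(data):
        return "encrypted-zip (first entry)"
    if zip_any_entry_encrypted(data):
        return "encrypted-zip (later entry only; DLP script misses this)"
    if pdf_is_encrypted(data):
        return "encrypted-pdf"
    return "clear"


if __name__ == "__main__":
    samples = {"ZIP_CLEAR": ZIP_CLEAR, "ZIP_ALL_ENCRYPTED": ZIP_ALL_ENCRYPTED,
               "ZIP_SECOND_ENCRYPTED": ZIP_SECOND_ENCRYPTED,
               "PDF_CLEAR": PDF_CLEAR, "PDF_ENCRYPTED": PDF_ENCRYPTED}
    for label, blob in samples.items():
        print(f"{label:22} -> {classify(blob)}")
```

The ZIP_SECOND_ENCRYPTED sample is the case to keep in mind when relying on the guide's script: the first-header test returns false for it, while the central-directory walk returns true.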