
Detect password protected zip and pdf files with the Endpoint Prevent Agent.


Article ID: 159966




Products: Data Loss Prevention Endpoint Prevent, Data Loss Prevention Endpoint Discover, Data Loss Prevention


How to detect password-protected files, like zip and pdf, at the DLP Endpoint?


Encrypted file-type detection, by default, is performed by the Endpoint Server.


Available Workaround:

Utilize a 'Custom File Type' signature to detect password-protected .zip files on the Endpoint Server and Endpoint Agent.

Reference: Symantec Data Loss Prevention Detection Customization Guide

In that guide, "Tutorial 2: Detecting an encrypted ZIP file format" contains a script that detects encrypted ZIP files on the Endpoint.
However, the guide's instructions say to test the script with the File Type Analyzer, and that Analyzer has a bug that causes the script to fail.
The script does work in a custom data identifier, so build a custom data identifier using it.
Our guidance for creating a custom identifier starts at creating-custom-data-identifiers.html.

Here is the script from the Detection Customization Guide. It checks the first ZIP local file header: the two bytes at offset 0 must be the "PK" tag, the two bytes at offset 2 must be the local file header record marker, and the byte at offset 6 (the low byte of the general purpose bit flag) must have bit 0 set, which the ZIP format uses to mark an encrypted entry. The script compares against $pktag and $frecord, which are not shown below; they hold the ZIP local file header signature (bytes 50 4B 03 04) and must be defined earlier in the signature script.

$pkbytes=getBinaryValueAt($data, 0x0, 2);
assertTrue($pktag == $pkbytes);
$recordbytes=getBinaryValueAt($data, 0x2, 2);
assertTrue($frecord == $recordbytes);
$cryptByte=getBinaryValueAt($data, 0x6, 1);
$encrypted=mod($cryptByte, 2);
assertTrue($encrypted == 1);
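As an added example that is not part of this article or of Symantec's guide: a Python port of the same header check, alongside a variant that walks every local file header in the archive rather than only the first one. The sample archive, file names and function names are constructed here for illustration.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"  # first four bytes of every ZIP local file header
ENCRYPTED_FLAG = 0x0001           # bit 0 of the general purpose bit flag at offset 6

def page_script_check(data: bytes) -> bool:
    """Port of the page's script: "PK" at 0-1, 03 04 at 2-3, odd byte at 6.
    Like the script, it looks only at the first local file header."""
    return (len(data) >= 7 and data[0:2] == b"PK"
            and data[2:4] == b"\x03\x04" and data[6] % 2 == 1)

def encrypted_zip_entries(data: bytes):
    """Walk every local file header and return [(name, encrypted), ...];
    this goes beyond the page's script, which inspects offset 0 only."""
    entries, pos = [], 0
    while data[pos:pos + 4] == LOCAL_HEADER_SIG:
        # sig, version, flags, method, time, date, crc32, csize, usize, nlen, xlen
        (_, _, flags, _, _, _, _, csize, _, nlen, xlen) = struct.unpack_from(
            "<4sHHHHHIIIHH", data, pos)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        entries.append((name, bool(flags & ENCRYPTED_FLAG)))
        if flags & 0x0008:  # sizes live in a trailing data descriptor; stop here
            break
        pos += 30 + nlen + xlen + csize
    return entries

def build_sample(encrypted=(False, False)) -> bytes:
    """Constructed sample, not from the page: a two-entry ZIP written with zipfile.
    zipfile cannot write encrypted archives, so 'encrypted' entries merely get
    bit 0 of their flag word set, which is exactly what the detection keys on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "plain text entry")
        zf.writestr("secret.txt", "pretend this one was password protected")
    data = bytearray(buf.getvalue())
    pos = 0
    for flag in encrypted:
        pos = data.find(LOCAL_HEADER_SIG, pos)
        if flag:
            data[pos + 6] |= ENCRYPTED_FLAG
        pos += 4
    return bytes(data)

if __name__ == "__main__":
    sample = build_sample((False, True))
    print("page script (first header only):", page_script_check(sample))
    print("all local headers:", encrypted_zip_entries(sample))
```

Running it shows why a per-entry walk is the stronger detection: the single-header check reports nothing for an archive whose first entry is in the clear, while the walk lists each entry with its encrypted bit.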