Detect password protected zip files with the Endpoint Prevent Agent.

Article ID: 159966

Products

Data Loss Prevention Endpoint Prevent, Data Loss Prevention Endpoint Discover, Data Loss Prevention

Issue/Introduction

Detect password-protected zip files on the DLP Agent Endpoint.

Environment

DLP Endpoint Prevent 15.x,16.x

Cause

Encrypted file-type detection, by default, is performed by the Endpoint Server.

Resolution

Use a 'Custom File Type Signature' condition to detect password-protected .zip files on both the Endpoint Server and the Endpoint Agent. Build the detection script yourself with the File Type Analyzer utility.

To enable the Custom File Type Signature rule

1. Using a text editor, open the file: \Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\config\Manager.properties
2. Set the value of the following parameter to "true":
       com.vontu.manager.policy.showcustomscriptrule=true
3. Stop and then restart the Symantec DLP Manager service.
4. Log back on to the Enforce Server Administration Console and add a new blank policy.
5. Add a new detection rule or exception and beneath the File Properties heading you should see the Custom File Type Signature condition.
6. Configure the condition with your custom script.


Example script, taken from the DLP guide section "Detecting an encrypted ZIP file format":

NOTE: This example is taken from the DLP guide [Detecting an encrypted ZIP file format], which shows how to use the File Type Analyzer utility (analyzer_gui.exe). Whenever you need to evaluate a new kind of file (for example, password-protected ZIP files), load about 10-15 representative files into the File Type Analyzer utility, analyze them, and build your own detection script from the result.

$pktag=ascii('PK');
$frecord=getHexStringValue('0304');
$pkbytes=getBinaryValueAt($data, 0x0, 2);
assertTrue($pktag == $pkbytes);
$recordbytes=getBinaryValueAt($data, 0x2, 2);
assertTrue($frecord == $recordbytes);
$cryptByte=getBinaryValueAt($data, 0x6, 1);
$encrypted=mod($cryptByte, 2);
assertTrue($encrypted == 1);

[Example of using the script: image not available.]

Additional Information

When using the script above, detection may fail for a compressed folder even though it works for a compressed file. If you run into that issue, try the script without its last three lines:

$pktag=ascii('PK');
$frecord=getHexStringValue('0304');
$pkbytes=getBinaryValueAt($data, 0x0, 2);
assertTrue($pktag == $pkbytes);
$recordbytes=getBinaryValueAt($data, 0x2, 2);
assertTrue($frecord == $recordbytes);

Note that this shorter script checks only the local file header signature, so it matches every zip file, whether encrypted or not.
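The following Python script is an added example, not code from this article or from the DLP product: it reproduces both custom scripts above (signature only, and signature plus bit 0 of the byte at offset 0x6) against the ZIP local file header layout, and then walks every local file header instead of only the first one. One likely reason the single-header check misses compressed folders is that the first entry of such an archive is the directory record, which is not itself encrypted; that is an assumption about how archivers lay out entries, illustrated here with constructed sample archives whose encryption flag is set by hand (Python's zipfile module cannot write password-protected archives). Names such as iter_local_headers and any_entry_encrypted are this example's own.

```python
"""Added example (not part of the KB article): parse ZIP local file headers to
reproduce the article's custom-script checks and to walk every entry."""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
# Local file header (PKWARE APPNOTE section 4.3.7), little-endian fields:
# signature, version needed, general purpose flags, method, mod time, mod date,
# crc32, compressed size, uncompressed size, file name length, extra length
LOCAL_FMT = "<4sHHHHHIIIHH"
LOCAL_LEN = struct.calcsize(LOCAL_FMT)  # 30 bytes
FLAG_ENCRYPTED = 0x0001        # bit 0 of the general purpose flag
FLAG_DATA_DESCRIPTOR = 0x0008  # bit 3: sizes follow the data, not in the header


def is_zip(data: bytes) -> bool:
    """Counterpart of the shortened script: 'PK' at 0x0 and 03 04 at 0x2 only."""
    return data[0:2] == b"PK" and data[2:4] == b"\x03\x04"


def first_entry_encrypted(data: bytes) -> bool:
    """Counterpart of the full script: signature plus bit 0 of the byte at 0x6
    (the low byte of the first entry's general purpose flag)."""
    if len(data) < LOCAL_LEN or not is_zip(data):
        return False
    return data[6] % 2 == 1


def iter_local_headers(data: bytes):
    """Yield (offset, name, flags) for every local file header in order.
    Stops at an entry that uses a data descriptor, because the compressed size
    needed to reach the next header is then not stored in the local header."""
    off = 0
    while data[off:off + 4] == LOCAL_SIG:
        (_, _, flags, _, _, _, _, csize, _, nlen, xlen) = struct.unpack_from(LOCAL_FMT, data, off)
        name = data[off + LOCAL_LEN:off + LOCAL_LEN + nlen].decode("utf-8", "replace")
        yield off, name, flags
        if flags & FLAG_DATA_DESCRIPTOR:
            return
        off += LOCAL_LEN + nlen + xlen + csize


def encrypted_entries(data: bytes) -> list:
    """Names of all entries whose local header carries the encryption bit."""
    return [name for _, name, flags in iter_local_headers(data) if flags & FLAG_ENCRYPTED]


def any_entry_encrypted(data: bytes) -> bool:
    """Stronger check than the article's script: any entry, not just the first."""
    return bool(encrypted_entries(data))


# ---- constructed sample archives (hypothetical test input, built in memory) ----

def _build_zip(entries) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


def _mark_encrypted(data: bytes, entry_name: str) -> bytes:
    """Set bit 0 of the general purpose flag on one entry's local header to
    simulate a password-protected entry. Only the flag byte changes (the central
    directory copy is left alone), so this is a detection sample, not a usable archive."""
    out = bytearray(data)
    for off, name, _ in iter_local_headers(data):
        if name == entry_name:
            out[off + 6] |= FLAG_ENCRYPTED
            return bytes(out)
    raise KeyError(entry_name)


# A single "encrypted" file: the first (and only) local header carries the bit.
SAMPLE_FILE_ZIP = _mark_encrypted(_build_zip([("secret.txt", b"top secret")]), "secret.txt")
# A compressed folder: the first local header is the directory record, which is
# not encrypted; only the file inside it is. This is the failure mode of the
# article's single-header script.
SAMPLE_FOLDER_ZIP = _mark_encrypted(
    _build_zip([("docs/", b""), ("docs/secret.txt", b"top secret")]), "docs/secret.txt")
# An ordinary archive with nothing encrypted.
SAMPLE_PLAIN_ZIP = _build_zip([("readme.txt", b"nothing to hide")])

if __name__ == "__main__":
    for label, sample in (("file", SAMPLE_FILE_ZIP), ("folder", SAMPLE_FOLDER_ZIP), ("plain", SAMPLE_PLAIN_ZIP)):
        print(label, "is_zip:", is_zip(sample),
              "first entry encrypted:", first_entry_encrypted(sample),
              "encrypted entries:", encrypted_entries(sample))
```

Whether the DLP custom-script language can express a loop over headers is not stated in the article, so treat the full walk as a reference for what a complete check needs, and the two short functions as the direct counterparts of the article's scripts. Archives whose entries use data descriptors would need the central directory (which also stores each entry's flags) to finish the walk.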