
Detect password protected zip files with the Endpoint Prevent Agent.


Article ID: 159966




Products: Data Loss Prevention Endpoint Prevent, Data Loss Prevention Endpoint Discover, Data Loss Prevention


Detect password-protected zip files on the DLP Endpoint.


DLP 15.X


Encrypted file-type detection, by default, is performed by the Endpoint Server.


Available Workaround:

Utilize a 'Custom File Type' signature to detect password-protected .zip files on the Endpoint Server and Endpoint Agent.

To enable the Custom File Type Signature rule:
1 - Using a text editor, open the file: \Program Files\Symantec\DataLossPrevention\EnforceServer\15.7\Protect\config\
2 - Set the value of the following parameter to "true":
3 - Stop and then restart the Symantec DLP Manager service.
4 - Log back on to the Enforce Server Administration Console and add a new blank policy.
5 - Add a new detection rule or exception and beneath the File Properties heading you should see the Custom File Type Signature condition.
6 - Configure the condition with your custom script.

Here is the script from the Detection Customization Guide. It compares the first four bytes of the file with the ZIP local file header signature (0x50 0x4B 0x03 0x04, "PK" followed by 0x0304), then reads the byte at offset 6 (the low byte of the entry's general-purpose bit flag) and tests its lowest bit, which is set when that entry is encrypted. The variables $pktag and $frecord are used but not defined in the excerpt, so their values from the ZIP header layout are supplied in the first two lines:

$pktag=0x504b;
$frecord=0x0304;
$pkbytes=getBinaryValueAt($data, 0x0, 2);
assertTrue($pktag == $pkbytes);
$recordbytes=getBinaryValueAt($data, 0x2, 2);
assertTrue($frecord == $recordbytes);
$cryptByte=getBinaryValueAt($data, 0x6, 1);
$encrypted=mod($cryptByte, 2);
assertTrue($encrypted == 1);

Below is an example of using the script.

Additional Information

When using the script above, detection may not work for a compressed folder as opposed to a compressed file. If you run into that issue, try the script without the last three lines, which keeps only the header check (again with the $pktag and $frecord definitions supplied):

$pktag=0x504b;
$frecord=0x0304;
$pkbytes=getBinaryValueAt($data, 0x0, 2);
assertTrue($pktag == $pkbytes);
$recordbytes=getBinaryValueAt($data, 0x2, 2);
assertTrue($frecord == $recordbytes);

Note that this shortened script matches every zip file, encrypted or not, because it no longer tests the encryption flag.
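As an added illustration (not code from the article or the Detection Customization Guide), the Python below mirrors exactly what the custom signature checks, and then applies a broader check that reads the flag of every entry from the central directory. The sample archives are constructed in memory; the idea that a zipped folder starts with an unencrypted directory entry, so that a check of only the first local header misses it, is an assumption used here to show why the first-header rule can fail on a folder.

```python
import io
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"    # $pktag (0x504b) followed by $frecord (0x0304)
CENTRAL_HEADER_SIG = b"PK\x01\x02"  # central directory file header signature
ENCRYPTED_FLAG = 0x0001             # bit 0 of the general-purpose bit flag


def dlp_signature_matches(data: bytes) -> bool:
    """Python equivalent of the article's signature: the first four bytes must be
    the local file header and the flag byte at offset 6 must be odd
    (the same test as mod($cryptByte, 2) == 1)."""
    if len(data) < 7 or data[0:4] != LOCAL_HEADER_SIG:
        return False
    return data[6] % 2 == 1


def any_entry_encrypted(data: bytes) -> bool:
    """Broader check: look at the flag of every entry via the central directory,
    so an archive whose first entry is an unencrypted directory is still caught."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & ENCRYPTED_FLAG for info in zf.infolist())


def build_sample_zip(folder_first: bool, encrypted: bool) -> bytes:
    """Constructed sample archive (not real data). With folder_first the archive
    begins with a directory entry, as a zipped folder is assumed to do here.
    zipfile cannot write encrypted entries, so the encryption bit is set by
    patching the file entry's local header (flag at offset 6) and its central
    directory record (flag at offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        if folder_first:
            zf.writestr("docs/", b"")
        zf.writestr("docs/report.txt", b"constructed sample content")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.rfind(LOCAL_HEADER_SIG) + 6] |= ENCRYPTED_FLAG
        data[data.rfind(CENTRAL_HEADER_SIG) + 8] |= ENCRYPTED_FLAG
    return bytes(data)


if __name__ == "__main__":
    for folder_first in (False, True):
        for encrypted in (False, True):
            sample = build_sample_zip(folder_first, encrypted)
            print(f"folder_first={folder_first!s:5} encrypted={encrypted!s:5} "
                  f"first_header_rule={dlp_signature_matches(sample)!s:5} "
                  f"every_entry={any_entry_encrypted(sample)}")
```

The folder-first, encrypted case is the one the first-header rule misses while the per-entry check still flags it.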