File Signature support at Filter by File Properties at Agent Configuration


Article ID: 160798


Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

In DLP Endpoint Prevent, the agent's filter behavior is configured under "Filter by File Properties" on the System -> Agents -> "Agent Configuration" page.
The "type" of a "File Attribute" entry designates which file types are 'Monitor' or 'Ignore'. For some file types, the match is judged by the file signature (the content of the file), not by the file name extension alone.

Resolution

The following file types are judged by the file signature:

Documents Type = .doc;.dot;.pps;.ppt;.xla;.xls;.wiz;.db;.msc;.msi;.mtw;.spo;.vsd;.wps
Archive Type = .zip;.jar;.sxc;.sxd;.sxi;.sxw;.xpi
Win RAR Archive = .rar

That is, when you set 'Monitor' (or 'Ignore') at "Filter by File Properties" with

 type = *.doc

any file whose signature belongs to the 'Documents Type' group above is treated as 'Monitor' (or 'Ignore'). For example, test.xls is monitored.
Because this judgment is based on the file signature, it still works ('Monitor') even if the file name extension is removed or changed: renaming test.xls to test or test.foo does not stop it from being monitored by the configuration above.

In addition, some file types have a different extension but carry the same file signature as one of the groups above. For example, an Android application package (APK) carries the Archive Type signature (an APK is actually the same format as a JAR), so it matches the condition when an Archive Type extension (for example, .zip) is configured.
(Note: type = *.apk does not set an Archive Type condition; it only sets a file name extension condition.)

This 'file signature' based filter takes precedence over the match against the actual file name, regardless of the order of the filter entries. For example:

----------------------------------------------------------
Enable the Monitoring Destination 'Removable Storage', and set the 'Filter by File Properties' type entries as below:

1. type = *.mp3    Ignore
2. type = *.doc     Monitor

A user changes a local file's extension from test.xls to test.mp3.

The user copies test.mp3 to removable storage.
----------------------------------------------------------

In the case above, the file test.mp3 is monitored even though the *.mp3 Ignore entry is listed before the *.doc Monitor entry: the signature identifies the content as a Documents Type file, and the signature match wins over the file name match.

For all other file types (for example, .txt or .rtf), the judgment is made solely by matching the file name extension against the configured 'type' value.
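To make both the signature-based matching and the precedence rule above concrete, here is an added Python model of the filter evaluation this article describes. It is example code written for this article, not Symantec's agent code. The magic numbers it uses for the three signature families (OLE2 compound file for Documents Type, ZIP for Archive Type, RAR for Win RAR Archive) are assumptions about what "file signature" refers to, the mapping of extensions to families is taken from the list above, and every sample file is constructed inside the script.

```python
import io
import os
import zipfile
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

# Magic numbers assumed to stand behind the three signature-judged families in
# the article (standard OLE2 / ZIP / RAR markers; not Symantec's actual detector).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")

# Extensions the article lists for each signature-judged family.
SIGNATURE_FAMILIES = {
    "Documents Type": {".doc", ".dot", ".pps", ".ppt", ".xla", ".xls", ".wiz",
                       ".db", ".msc", ".msi", ".mtw", ".spo", ".vsd", ".wps"},
    "Archive Type": {".zip", ".jar", ".sxc", ".sxd", ".sxi", ".sxw", ".xpi"},
    "Win RAR Archive": {".rar"},
}

Rule = Tuple[str, str]  # ("*.doc", "Monitor") or ("*.mp3", "Ignore")


def signature_family(data: bytes) -> Optional[str]:
    """Classify content by its leading bytes; None means 'no signature family'."""
    if data.startswith(OLE2_MAGIC):
        return "Documents Type"
    if data.startswith(ZIP_MAGICS):
        return "Archive Type"
    if data.startswith(RAR_MAGICS):
        return "Win RAR Archive"
    return None


def family_of_pattern(pattern: str) -> Optional[str]:
    """'*.doc' -> 'Documents Type'; '*.apk' -> None (a name-only condition)."""
    ext = os.path.splitext(pattern.lower())[1]
    for family, exts in SIGNATURE_FAMILIES.items():
        if ext in exts:
            return family
    return None


def evaluate(filename: str, data: bytes, rules: List[Rule]) -> Tuple[Optional[str], str]:
    """Return (action, reason) for one file.

    A rule whose extension belongs to the file's signature family wins
    regardless of where it sits in the list; only afterwards are the rules
    tried against the real file name, in order.
    """
    family = signature_family(data)
    if family is not None:
        for pattern, action in rules:
            if family_of_pattern(pattern) == family:
                return action, f"signature {family} via {pattern}"
    name = filename.lower()
    for pattern, action in rules:
        if fnmatchcase(name, pattern.lower()):
            return action, f"file name via {pattern}"
    return None, "no rule matched"


def build_zip() -> bytes:
    """Constructed sample: a real, tiny ZIP, which is also what a JAR or APK is."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
    return buf.getvalue()


# Constructed sample contents (only the leading bytes matter for the check).
OLE2_SAMPLE = OLE2_MAGIC + b"\x00" * 504
ZIP_SAMPLE = build_zip()
RAR_SAMPLE = RAR_MAGICS[0] + b"\x00" * 16
TEXT_SAMPLE = b"plain text, no signature\n"

# The two-entry configuration from the article's removable-storage scenario.
ARTICLE_RULES: List[Rule] = [("*.mp3", "Ignore"), ("*.doc", "Monitor")]


def worked_cases():
    """The article's scenarios, returned as {case name: (action, reason)}."""
    return {
        "renamed_xls_as_mp3": evaluate("test.mp3", OLE2_SAMPLE, ARTICLE_RULES),
        "extension_removed": evaluate("test", OLE2_SAMPLE, ARTICLE_RULES),
        "apk_hits_zip_rule": evaluate("app.apk", ZIP_SAMPLE, [("*.zip", "Ignore")]),
        "apk_rule_by_name": evaluate("app.apk", ZIP_SAMPLE, [("*.apk", "Monitor")]),
        "apk_rule_not_signature": evaluate("app.zip", ZIP_SAMPLE, [("*.apk", "Monitor")]),
        "txt_by_name": evaluate("notes.txt", TEXT_SAMPLE, [("*.txt", "Monitor")]),
    }


if __name__ == "__main__":
    for case, (action, reason) in worked_cases().items():
        print(f"{case:24s} -> {str(action):8s} ({reason})")
```

Run it and the "renamed_xls_as_mp3" case comes back as Monitor through the *.doc entry even though *.mp3 Ignore is listed first, while "apk_rule_not_signature" shows that a *.apk entry never fires on ZIP content that is not literally named *.apk. If you want the model to bypass-test your own configuration, replace ARTICLE_RULES with the entries from your Agent Configuration and feed it the first bytes of the files you care about.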