Data may pass through undetected when scanning fails due to unknown or unsupported filetypes


Article ID: 164696


Updated On:

Products

  • Data Loss Prevention Endpoint Prevent
  • Data Loss Prevention Network Prevent for Email
  • Data Loss Prevention Enforce
  • Data Loss Prevention Network Discover
  • Data Loss Prevention Network Prevent for Web
  • Data Loss Prevention Network Protect

Issue/Introduction

Data Loss Prevention (DLP) supports many file types, but some file types are unsupported or have not been tested.

When an unsupported or otherwise unhandled file type is scanned, content extraction fails, no detection condition fires, and the file may pass through DLP without generating an incident. In other words, the default behaviour for unknown content is fail-open.

Cause

  • File type identification is described as follows in our documentation (DLP Administration Guide):
    • The Detecting email for data classification servers chapter lists the file types you can identify using the Message Attachment or File Type Match policy condition. See "About file type matching." If the file format you want to identify is not supported, you can use the Symantec Data Loss Prevention Scripting Language to identify custom file types.
    • Symantec Data Loss Prevention cracks more than 100 file formats for performing content extraction. You use content-based detection conditions to crack a file and extract its contents. See "Content matching conditions." The Supported formats for content extraction section lists the various file format categories whose content Symantec Data Loss Prevention can extract. Refer to the associated link for the individual file formats supported for that category.
  • Note: file type identification (the File Type Match condition) and content extraction (cracking a file to run content-based conditions) are separate steps, and a file type can be identifiable without its content being extractable. Different DLP versions also support different file types. To verify, search the admin guide for "File type identification" to find the relevant information.
    • DLP 14.6 Admin Guide contains info on File Type Identification on PDF p. 690.
    • DLP 14.0 Admin Guide contains info on File Type Identification on PDF p. 611.
    • DLP 12.5 Admin Guide contains info on File Type Identification on PDF p. 610.

Resolution

It is possible to block all unknown / unscannable content.

  • First, create a rule that blocks any attachment larger than a small size threshold, for example 512 bytes; this matches effectively every non-empty attachment. Next, add a policy exception using the File Type Match condition and select every supported (known) file type. The rule then fires only on attachments whose file type cannot be identified, so unknown file types are blocked instead of passing through.
  • The exception is evaluated on file type identification, not on whether content extraction succeeded. An attachment that is identified as a supported type is exempted from this rule and continues to normal content detection; this rule does not by itself block such files.
  • Please test this in a non-production environment first. The additional matching consumes resources and may degrade performance. Each environment will react differently depending upon the policies in place and the resources available.
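The following is an added illustration of the decision logic above, not Symantec DLP code. It models the fail-open behaviour (an unidentifiable file matches nothing and passes) beside the fail-closed rule from the Resolution (block above a size threshold, exempt identified supported types). The magic-byte table, the set of "supported" types, the 512-byte threshold and the sample attachments are all constructed for this example and are assumptions, not the product's actual identification engine or defaults.

```python
"""Model of the fail-closed DLP rule: block every attachment above a size
threshold, then exempt attachments whose type is identified as supported.
Illustrative only; the type detector and samples below are constructed."""

from dataclasses import dataclass
from typing import Optional

# Constructed magic-byte table standing in for file type identification.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip_container",                 # docx/xlsx/pptx, plain zip
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",     # legacy .doc/.xls
}

# Types the administrator selected in the File Type Match exception (assumed).
SUPPORTED_TYPES = {"pdf", "zip_container", "png", "ole2"}

SIZE_THRESHOLD = 512  # bytes; the article suggests "512 bytes or something similar"


def identify_type(data: bytes) -> Optional[str]:
    """Return a type name for data, or None when nothing matches."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


@dataclass
class Verdict:
    action: str   # "block" or "allow"
    reason: str


def fail_open_decision(data: bytes) -> Verdict:
    """Content-only detection: an unidentifiable file cannot be cracked,
    so no condition fires and it passes. This is the problem described."""
    if identify_type(data) is None:
        return Verdict("allow", "content extraction failed; no rule matched")
    return Verdict("allow", "content scanned; no sensitive match in this sample")


def fail_closed_decision(data: bytes) -> Verdict:
    """Resolution rule: block if size > threshold, unless the file type is
    identified as one of the supported types (the policy exception)."""
    if len(data) <= SIZE_THRESHOLD:
        return Verdict("allow", "below size threshold; rule does not apply")
    ftype = identify_type(data)
    if ftype in SUPPORTED_TYPES:
        # Caveat: identification succeeded, so the exception applies even if
        # content extraction would later fail on this file.
        return Verdict("allow", f"exception: identified as supported type {ftype}")
    return Verdict("block", "unknown file type above size threshold")


# Constructed sample attachments (not real captured data).
PDF_SAMPLE = b"%PDF-1.4\n" + b"0" * 1000             # identifiable, supported
UNKNOWN_BLOB = bytes((i * 37) % 256 for i in range(1024))  # no known signature
TINY_UNKNOWN = b"\x01\x02\x03"                        # unknown but under threshold
CORRUPT_ZIP = b"PK\x03\x04" + b"\xff" * 1000          # identified, uncrackable


def evaluate_samples() -> dict:
    """Run both policies over the samples; returns {name: (fail_open, fail_closed)}."""
    samples = {
        "pdf": PDF_SAMPLE,
        "unknown": UNKNOWN_BLOB,
        "tiny_unknown": TINY_UNKNOWN,
        "corrupt_zip": CORRUPT_ZIP,
    }
    return {
        name: (fail_open_decision(d).action, fail_closed_decision(d).action)
        for name, d in samples.items()
    }


if __name__ == "__main__":
    for name, (open_action, closed_action) in evaluate_samples().items():
        print(f"{name:13s} fail-open={open_action:5s} fail-closed={closed_action}")
```

Running it shows the 1 KiB unknown blob passing under content-only detection but being blocked by the size rule plus type exception, while the PDF is exempted, the 3-byte unknown file slips under the threshold, and the corrupt zip container is still allowed because its type was identified even though nothing could be extracted from it.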