search cancel

How to block or delete files by File Name in Symantec Protection Engine (SPE).

book

Article ID: 173029

calendar_today

Updated On:

Products

Protection Engine for Cloud Services Protection Engine for NAS

Issue/Introduction

 

You are attempting to detect files by file name when scanned by the Symantec Protection Engine (SPE) product.  After adding a file name to Policies > Filtering > Files in the Protection Engine GUI to be blocked the file was successfully detected.  However, after adding the same filename to a container such as Example.zip the file is no longer detected.

Cause

 

When scanning inside of container files the full file name path is concatenated and treated as the file name.

For example:

  • Parent.zip  #Name of the parent file when scanned.
  • Parent.zip/Parent/Child1.extension  #Name of the first child object when scanned
  • Parent.zip/Parent/Child1.zip/Child1/Child2.extension   #Name of the second child object when scanned.

Symantec Protection Engine will evaluate the top level container as the displayed filename.  However, if a container is a child object the filename is concatenated from the whole path and will not be detected.

 

Resolution

 

Symantec Protection supports wildcard characters and is case insensitive.

  • * zero or more of any character
  • ?  any single character

 

To ensure detection of a specific file name at any container depth an Asterisk should preclude all filenames you wish to detect.  This will allow for detection at the top level as Asterisk characters are treated as 0 or more characters.

Example:  *FileName.js

If you have a filename that has a known length with a changing value such as a numbered object you can leverage the Question mark.

Example: (FileName1234.txt)    *filename????.txt

Finally, if you most of a filename but do not know the extension or potentially the full filename you can leverage Asterisk on each side of the file.  Keep in mind if the known part is common this could be dangerous.

Examples:

-  Likely Safe:   *filename_1234.xl*  #This would find .xls, .xlsx, .xlsm extensioned files named filename_1234

-  Less Safe:  *filename*.xl*  #Will find any iteraction of "filename" with a .xl* extension.

-  Dangerous:  *filename*  #If "filename" is common this will find all iterations.  Can take unwanted action against some files.