RMS encrypted standard text file is not detected by DLP


Article ID: 184581

Products

Data Loss Prevention Enforce

Cause

This is expected behaviour, as the default detection for RMS encryption covers:

  • Microsoft RMS Encrypted Office Binary File
  • Microsoft RMS Encrypted Open Packaging Conventions File

Environment

DLP 14.x, 15.x, Windows 10

Resolution

You can create a custom file type to detect RMS text file encryption, using the code below:

$pfileTag=ascii('.pfile');
$pfileBytes=getBinaryValueAt($data, 0x0,6);
assertTrue($pfileTag==$pfileBytes);
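
To check sample files against this signature before deploying the custom file type, the following added Python example (not Symantec code and not part of the original article) applies the same test as the script above: the first 6 bytes of the file must equal ASCII `.pfile`. The function names and sample byte strings are constructed for illustration.

```python
import os
import tempfile

PFILE_TAG = b".pfile"  # the 6 ASCII bytes the DLP script compares at offset 0x0


def has_pfile_tag(data: bytes) -> bool:
    """Same test as the script: bytes 0-5 must equal the tag exactly."""
    return data[:len(PFILE_TAG)] == PFILE_TAG


def scan_tree(root: str) -> dict:
    """Map each file under root to True/False, reading only its first 6 bytes."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(len(PFILE_TAG))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            results[os.path.relpath(path, root)] = has_pfile_tag(head)
    return results


# Constructed sample contents (not real RMS files), covering the edge cases.
SAMPLES = {
    "tagged.bin": b".pfile" + b"\x00" * 32,  # tag at offset 0: match
    "plain.txt": b"quarterly report\n",      # ordinary text: no match
    "short.bin": b".pf",                     # shorter than the tag: no match
    "shifted.bin": b"\xef\xbb\xbf.pfile",    # tag not at offset 0: no match
    "upper.bin": b".PFILE" + b"\x00" * 8,    # byte-exact comparison: no match
    "empty.txt": b"",                        # empty file: no match
}


def demo() -> dict:
    """Write the samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, content in SAMPLES.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for path, matched in sorted(demo().items()):
        print(f"{'MATCH' if matched else 'no   '}  {path}")
```

Pointing `scan_tree` at a folder of known RMS-protected and unprotected test files shows which ones the custom file type would flag.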

 

For more information on how to create custom file types, see this overview on Symantec Connect:

https://www.symantec.com/connect/articles/data-loss-prevention-dlp-create-custom-file-type-signature

See also the official documentation on custom file type detection.