Data Loss Prevention - Symantec Enterprise https://community.broadcom.com/symantecenterprise/communities/co...

Data Loss Prevention (DLP) - Create custom file type signature

01-30-2019 06:53 PM

Nathan Wilson

Hi,

This article is a How-To on how to enable, create and implement custom file type signatures in DLP.
In this example I'm going to use a scenario I've recently been working on which proved to be an
interesting challenge: triggering DLP actions against standard 7-Zip files, but also triggering separate
actions against encrypted, password-protected 7-Zip files.

Firstly we will look at creating the custom file signature script, which instructs DLP to look for a
specific, unique byte pattern at a fixed offset in the file; this pattern is referred to as the file type's
magic bytes. For a 7z archive it is the six-byte sequence 37 7A BC AF 27 1C at the very start of the file.

1. Create a new folder directory on the local machine which will be used for testing.

2. Create multiple Notepad documents with varying text. (Blank documents will be misleading and will
likely make this exercise fail; you must have multiple documents of the same type.)

3. Using 7-Zip, create a few test archives from those documents, some password-protected and some not,
for analysis.

4. Install the Symantec tool called File Analyzer from the below link:

https://www.symantec.com/connect/downloads/file-analyzer

5. Install to a directory of your choice and then browse to the install location.

1 of 7 8/15/2021, 22:44

6. Run analyzer_gui.exe

7. Once File Analyzer is running, select the directory containing your test files and enter .* into the File
Name Filter box to show all files.

8. Click Analyze Table Data and select the .7z tab so that your example .txt files are filtered out and only
the archives remain.

9. We now need to look at each column and identify the 'magic byte' mentioned earlier. It can sit near the
start of the file or at the end, but it will be the same for every file of the type you created. For example,
a password-protected .7z will match another password-protected .7z, but will not match a standard .7z file.

10. Once reviewed, you should have found the magic byte for .7z shown in the screenshot (not reproduced
here). This will be different for every file type.

As you can see in byte 20, there are two distinct values: 5A for the standard .7z files and 6A for the
password-protected .7z files. One caveat before building a rule on this: bytes 20-27 of a 7z archive hold
the NextHeaderSize field (little-endian), the length of the archive's packed header, so these two values
reflect this particular test set rather than a constant of the format. Archives with more files or longer
file names produce different values at byte 20, which is worth remembering if results look inconsistent.
Only bytes 0-5 (37 7A BC AF 27 1C) are fixed for every 7z file.

11. Now we have to write a script that tells DLP to look at this byte, together with any sanity checks
you'd like to include. At this stage in the guide I'd recommend using the Symantec guide to create the
script, but I will also provide a translation of mine in layman's terms.

https://support.symantec.com/en_US/article.TECH220442.html

My script for standard .7z files (note: File Analyzer treats variable names case-insensitively, but DLP
does not; $Int1 and $int1 will NOT match in DLP):

$Int1 = getHexStringValue('006A');
$Int2 = getHexStringValue('377ABCAF');
$Int3 = getBinaryValueAt($data, 0x13, 2);
$Int4 = getBinaryValueAt($data, 0x0, 4);
assertFalse($Int1 == $Int3);
assertTrue($Int2 == $Int4);

Translation:

Int1 = Stores the two-byte value 006A so it can be compared against the file later in the script.

Int2 = Stores the four-byte value 377ABCAF, the first four bytes of the 7z signature. (The full signature
is six bytes, 37 7A BC AF 27 1C; comparing all six would be stricter still.)

Int3 = Reads 2 bytes from the file starting at hexadecimal offset 0x13, which is 19 in decimal; the ,2
tells the script to read byte 19 and the following byte, so bytes 19 and 20. In the password-protected .7z
samples above these two bytes are 006A.

Int4 = Reads 4 bytes starting at hexadecimal offset 0x0, which is 0, so bytes 0-3, as instructed by the ,4.

assertFalse: The rule only passes if the comparison inside is false, i.e. if bytes 19-20 (Int3) are NOT
equal to 006A (Int1). This is what excludes the password-protected archives from the standard .7z rule.

assertTrue: The rule only passes if bytes 0-3 (Int4) equal 377ABCAF (Int2), so anything that is not a 7z
archive is excluded. Both assertions must hold for the file to match.

Example of the script working in File Analyzer (screenshot not reproduced here):

As you can see, it has matched the non-password-protected .7z files, as they meet the script's
requirements, and has moved the password-protected files to Mismatched, as they do not meet the script's
requirements.

Now that you have an understanding of the scripting logic, below is the script used to identify
password-protected .7z files, which is very similar to the above; the only change is that the first
assertion is now assertTrue, so bytes 19-20 must equal 006A:

$Int1 = getHexStringValue('006A');
$Int2 = getHexStringValue('377ABCAF');
$Int3 = getBinaryValueAt($data, 0x13, 2);
$Int4 = getBinaryValueAt($data, 0x0, 4);
assertTrue($Int1 == $Int3);
assertTrue($Int2 == $Int4);
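To make the 7z layout behind these two scripts concrete, here is an added Python example written for this article; it is not part of the original post and not Symantec's or 7-Zip's code. It parses the 32-byte 7z signature header as documented in 7-Zip's 7zFormat.txt, restates the two DLP scripts above as a Python check, and shows a check that does not depend on byte 20: whether the archive's header lists the 7zAES coder (id 06 F1 07 01), which 7-Zip uses whenever a password is set, with or without header encryption. The sample archives are constructed inside the block and carry only the header fields the checks read, no real compressed data; the header lengths 0x5A and 0x6A are the values the article observed, and the larger 0x1F3 is an assumed size used to show the byte-20 rule missing an archive with a bigger header.

```python
"""Added example (not from the article, Symantec or 7-Zip): parse the 7z
signature header, restate the article's two DLP scripts, and detect
password-protected archives by the 7zAES coder id instead of byte 20."""
import struct
import zlib

SIGNATURE = b"7z\xbc\xaf\x27\x1c"   # bytes 0-5 of every 7z file: 37 7A BC AF 27 1C
AES_CODER_ID = b"\x06\xf1\x07\x01"  # 7zAES (AES-256 + SHA-256) coder id from 7-Zip's Methods.txt
LZMA_CODER_ID = b"\x03\x01\x01"     # LZMA coder id, used in the constructed samples below
K_HEADER = 0x01                     # next header is a plain Header
K_ENCODED_HEADER = 0x17             # next header is an EncodedHeader (compressed and/or encrypted)


def parse_start_header(data):
    """Return the signature-header fields and the next header they point at.
    Layout (little-endian): 0-5 signature, 6-7 version, 8-11 StartHeaderCRC,
    12-19 NextHeaderOffset, 20-27 NextHeaderSize, 28-31 NextHeaderCRC."""
    if len(data) < 32 or data[:6] != SIGNATURE:
        raise ValueError("not a 7z archive")
    start_crc, = struct.unpack_from("<I", data, 8)
    if zlib.crc32(data[12:32]) != start_crc:
        raise ValueError("StartHeaderCRC mismatch")
    next_offset, next_size, next_crc = struct.unpack_from("<QQI", data, 12)
    next_header = data[32 + next_offset:32 + next_offset + next_size]
    if len(next_header) != next_size or zlib.crc32(next_header) != next_crc:
        raise ValueError("next header truncated or NextHeaderCRC mismatch")
    return {"version": (data[6], data[7]), "next_offset": next_offset,
            "next_size": next_size, "next_header": next_header}


def classify(data):
    """'7z-encrypted' when the header lists the 7zAES coder, otherwise '7z-plain'.
    With header encryption on, the EncodedHeader still names 7zAES in clear, so
    the same test covers both 7-Zip password modes."""
    hdr = parse_start_header(data)["next_header"]
    if not hdr or hdr[0] not in (K_HEADER, K_ENCODED_HEADER):
        raise ValueError("unexpected next header type")
    return "7z-encrypted" if AES_CODER_ID in hdr else "7z-plain"


def article_rule(data, want_password):
    """The article's two DLP scripts in Python: bytes 0-3 must be 37 7A BC AF and
    bytes 19-20 must equal 00 6A (password script) or must not (standard script)."""
    int3 = data[0x13:0x13 + 2]   # getBinaryValueAt($data, 0x13, 2)
    int4 = data[0x0:0x0 + 4]     # getBinaryValueAt($data, 0x0, 4)
    return int4 == b"\x37\x7a\xbc\xaf" and (int3 == b"\x00\x6a") == want_password


def common_bytes(samples, limit=32):
    """Offsets below limit at which every sample holds the same byte: the kind of
    column comparison File Analyzer's table view invites on a small test set."""
    return {i: samples[0][i] for i in range(limit)
            if all(s[i] == samples[0][i] for s in samples)}


def build_archive(packed, next_header):
    """Constructed sample: signature header + packed stream + next header, with
    both CRC32 fields computed so the parser's checks pass."""
    tail = struct.pack("<QQI", len(packed), len(next_header), zlib.crc32(next_header))
    return SIGNATURE + b"\x00\x04" + struct.pack("<I", zlib.crc32(tail)) + tail + packed + next_header


# Constructed stand-in next headers: type byte plus the coder ids a real StreamsInfo
# would list, zero-padded to a chosen length.  0x5A and 0x6A are the sizes the article
# observed; 0x1F3 is an assumed larger header (more files or longer names).
PLAIN_HDR = (bytes([K_ENCODED_HEADER]) + LZMA_CODER_ID).ljust(0x5A, b"\x00")
ENC_HDR = (bytes([K_ENCODED_HEADER]) + AES_CODER_ID + LZMA_CODER_ID).ljust(0x6A, b"\x00")
BIG_ENC_HDR = (bytes([K_HEADER]) + AES_CODER_ID + LZMA_CODER_ID).ljust(0x1F3, b"\x00")

PLAIN = build_archive(b"\x00" * 40, PLAIN_HDR)
ENCRYPTED = build_archive(b"\x00" * 48, ENC_HDR)
BIG_ENCRYPTED = build_archive(b"\x00" * 400, BIG_ENC_HDR)

if __name__ == "__main__":
    for name, arc in (("plain", PLAIN), ("encrypted", ENCRYPTED), ("big encrypted", BIG_ENCRYPTED)):
        print("%-14s byte20=0x%02x  %-12s  std rule=%s  pwd rule=%s" % (
            name, arc[20], classify(arc), article_rule(arc, False), article_rule(arc, True)))
    print("offsets shared by plain and encrypted samples:", sorted(common_bytes([PLAIN, ENCRYPTED])))
```

Running the block prints one line per sample. The two small samples reproduce the article's result (5A and 6A at byte 20, each script matching the intended archive), while the larger encrypted sample has F3 at byte 20 and is missed by the password script even though classify() still reports it as encrypted; that is the behaviour behind the inconsistent results mentioned in the comments. common_bytes() shows which offsets the plain and encrypted samples share (the fixed signature, version bytes and the zero high bytes of the offset and size fields); byte 20 is absent because it differs between them, which is exactly what the File Analyzer comparison turned up, but on a two-sample set it cannot reveal that the byte is a length field rather than a type marker.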

12. We now need to enable the Custom File Type Signature rule within DLP, as it is not enabled by default.

13. Connect to your Enforce Server host (UNC share or PuTTY/SSH) and browse to \SymantecDLP\Protect
\config\Manager.properties (15.0 and below) or to Symantec/DataLossPrevention/Enforce Server/15.1
/Protect/config/Manager.properties (15.1 and above).

14. Now search for the line com.vontu.manager.policy.showcustomscriptrule = false

15. Change the value to true, save the file and exit.

16. Restart your DLP Enforce Server services.

17. Once your DLP instance is back up and running, go into an existing policy or create a new one and
select 'Add Rule'.


As you can now see, you have a 'Custom File Type Signature' rule option to select.

If you do not have this option, please review the steps above for enabling it, or see
https://help.symantec.com/cs/dlp15.0/DLP/v48848719_v120691346/Enabling-the-Custom-File-Type-Signature-condition-in-the-policy-console?locale=EN_US

18. Insert the relevant information and the script designed earlier (screenshot not reproduced here).

Conclusion: You now have a custom file type signature rule operational in DLP. This method can be applied
to any file type, not just .7z, so please use this guide as a reference for what you're trying to achieve.

The process can be a little tedious and frustrating at times, but the overall results once you've
completed it are extremely valuable.

This guide has been previously submitted by my colleague; I've created my own guide on this purely to
add my twist on custom file extensions and as a refresher with newer versioning being available.

Previous article:

https://www.symantec.com/connect/articles/data-loss-prevention-dlp-create-custom-file-type-signature

I hope you've found this article helpful and informative.


Comments

Nathan Wilson 04-01-2019 04:35 AM

Hi David,

It's proven to be very successful, in the above guide it looks for text files for demonstration purposes,

But the magic byte is different for every software and version of that software; however, the magic byte in 7z is always byte 20/21.

Hope this helps,

David Burzala 03-27-2019 12:16 PM

How successful is this? As we're seeing inconsistent results. Is this only for detecting .txt files within 7z files?

GHEBOUB Kamel 02-17-2019 03:51 AM

Hi  Nathan,

Thanks for the tutorial, but in my test I can't find any magic byte, as you can see in the attached screenshot. Please can you help me to figure out
a solution. Thanks in advance.

Best Regards. 
