Hello,
We are using Symantec DLP v12.x and have also configured a script to detect non-supported drawing files using the Symantec Custom File Type Analyzer Utility. One of the scripts detects .ipt, .iam, .ipn drawing files. Below is the script example:
$Int1 = getHexStringValue('D0CF');
$Int2 = getBinaryValueAt($data, 0x0, 2);
assertTrue($Int1 == $Int2);
$Int3 = getHexStringValue('11E0');
$Int4 = getBinaryValueAt($data, 0x2, 2);
assertTrue($Int3 == $Int4);
$Int5 = getHexStringValue('A1B1');
$Int6 = getBinaryValueAt($data, 0x4, 2);
assertTrue($Int5 == $Int6);
With the above script, it detects the required drawing files successfully, but at the same time I observed that some of my .xls and .ppt files are also getting detected using this script / rules in DLP. I have checked on the internet and found that the magic bytes for these file types and those xls and ppt files are the same. Now I need help to extend my script in such a way that it can detect the required drawing files and MS Office files are not detected.
I would appreciate it if someone could help me as early as possible. Thanks.
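The following is an added example, not part of the original post and not written in the Symantec script language. It is a Python sketch of why the six bytes tested above cannot separate the two groups: `D0CF 11E0 A1B1` is the start of the OLE2 compound file signature, so the distinguishing data is in the container's directory, where legacy Office formats keep well-known stream names. The function names, the `ole-other` label and the sample files are constructed for illustration.

```python
import struct

MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # full 8-byte OLE2 signature
ENDOFCHAIN, FREESECT = 0xFFFFFFFE, 0xFFFFFFFF
# Stream names legacy Office formats keep in the OLE2 directory
OFFICE_STREAMS = {"Workbook": "xls", "Book": "xls",
                  "PowerPoint Document": "ppt", "WordDocument": "doc"}

def directory_names(data):
    """List directory entry names (FAT sectors beyond the header DIFAT are ignored)."""
    size = 1 << struct.unpack_from("<H", data, 30)[0]   # sector size
    sector = lambda n: data[(n + 1) * size:(n + 2) * size]
    fat = []
    for s in struct.unpack_from("<109I", data, 76):      # header DIFAT
        if s >= 0xFFFFFFFC or len(sector(s)) != size:
            break
        fat.extend(struct.unpack("<%dI" % (size // 4), sector(s)))
    names, seen = [], set()
    sec = struct.unpack_from("<I", data, 48)[0]          # first directory sector
    while sec < len(fat) and sec not in seen:            # follow the chain
        seen.add(sec)
        block = sector(sec)
        for off in range(0, len(block) - 127, 128):      # 128-byte entries
            name_len, kind = struct.unpack_from("<HB", block, off + 64)
            if kind and 2 <= name_len <= 64:
                raw = block[off:off + name_len - 2]
                names.append(raw.decode("utf-16-le", "replace"))
        sec = fat[sec]
    return names

def classify(data):
    """'not-ole', an Office type, or 'ole-other' (where non-Office OLE2 files land)."""
    if len(data) < 512 or data[:8] != MAGIC:
        return "not-ole"
    for name in directory_names(data):
        if name in OFFICE_STREAMS:
            return OFFICE_STREAMS[name]
    return "ole-other"

def build_sample(stream_name):
    """Constructed minimal container: FAT in sector 0, directory in sector 1."""
    hdr = MAGIC + bytes(16) + struct.pack("<5H6x9I", 0x3E, 3, 0xFFFE, 9, 6,
                                          0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    hdr += struct.pack("<109I", 0, *[FREESECT] * 108)
    fat = struct.pack("<128I", 0xFFFFFFFD, ENDOFCHAIN, *[FREESECT] * 126)
    def entry(name, kind):
        raw = (name + "\0").encode("utf-16-le")
        return raw.ljust(64, b"\0") + struct.pack("<HB", len(raw), kind) + bytes(61)
    return hdr + fat + entry("Root Entry", 5) + entry(stream_name, 2) + bytes(256)
```

The `ole-other` result only means "OLE2 container without an Office stream"; other non-Office OLE2 formats fall into it as well, so a positive match on the drawing files would need a marker specific to them.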