Data Loss Prevention

  • 1.  Custom File Type Analyzer Utility detects excel file.. please help

    Posted Mar 20, 2014 07:09 AM

    Hello,

    We are using Symantec DLP v12.x and have also configured a script to detect non-supported drawing files using the Symantec Custom File Type Analyzer Utility. One of the scripts detects .ipt, .iam, .ipn drawing files. Below is the script example:

    $Int1 = getHexStringValue('D0CF');
    $Int2 = getBinaryValueAt($data, 0x0, 2);
    assertTrue($Int1 == $Int2);
    $Int3 = getHexStringValue('11E0');
    $Int4 = getBinaryValueAt($data, 0x2, 2);
    assertTrue($Int3 == $Int4);
    $Int5 = getHexStringValue('A1B1');
    $Int6 = getBinaryValueAt($data, 0x4, 2);
    assertTrue($Int5 == $Int6);

    With the above script, it detects the required drawing files successfully, but at the same time I observed that some of my .xls and .ppt files are also getting detected using this script / rules in DLP. I have checked on the internet and found that the magic bytes for these file types and those xls and ppt files are the same. Now I need help to extend my script in such a way that it can detect the required drawing files and MS Office files should not be detected.

    Appreciate if someone can help me as early as possible.... Thanks.

     

     



  • 2.  RE: Custom File Type Analyzer Utility detects excel file.. please help

    Broadcom Employee
    Posted Mar 23, 2014 08:57 AM

    I think you need to check more digits. According to your script, you just check the first 6 binary values. I think you will find the pattern based on more binary values.



  • 3.  RE: Custom File Type Analyzer Utility detects excel file.. please help

    Posted Mar 24, 2014 01:21 AM

    Thanks Yang for your reply, but I tried defining more binaries in the script... up to 25 binaries... I also tried selecting binaries randomly in between... Is there any tool (like File Type Analyzer) with which we can check the binary of these MS Word or PowerPoint files?
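
Added example, not from the thread or from Symantec: the six bytes the script compares are the start of the OLE2 compound file signature (D0 CF 11 E0 A1 B1 1A E1), which every file in that container format carries, so what separates one application's files from another is the directory of stream names inside the container. This Python sketch lists those directory entries and flags the well-known legacy Office streams; `build_sample` and the stream name `SampleDrawingStream` are constructed for the demo, and only the 109 FAT sectors listed in the header are followed.

```python
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # the script above tests the first 6 bytes
MAXREGSECT, ENDOFCHAIN = 0xFFFFFFFA, 0xFFFFFFFE
OFFICE_STREAMS = {"Workbook": "xls", "Book": "xls",          # legacy Office stream names
                  "PowerPoint Document": "ppt", "WordDocument": "doc"}

def directory_entries(data):
    """Return [(name, object_type, clsid_hex)] for every OLE2 directory entry."""
    if len(data) < 512 or data[:8] != OLE_MAGIC or data[0x1E:0x20] not in (b"\x09\x00", b"\x0c\x00"):
        raise ValueError("not an OLE2 compound file")
    size = 1 << data[0x1E]                                   # sector size (512 or 4096)
    sect = struct.unpack_from("<I", data, 0x30)[0]           # first directory sector
    difat = struct.unpack_from("<109I", data, 0x4C)          # FAT sector locations
    entries, seen = [], set()
    while sect <= MAXREGSECT and sect not in seen:           # follow the FAT chain
        seen.add(sect)
        base = (sect + 1) * size                             # sector 0 starts after the header
        for off in range(base, min(base + size, len(data) - 127), 128):
            nlen, otype = struct.unpack_from("<HB", data, off + 0x40)
            if otype and 2 <= nlen <= 64:                    # skip unused slots
                name = data[off:off + nlen - 2].decode("utf-16-le", "replace")
                entries.append((name, otype, data[off + 0x50:off + 0x60].hex()))
        idx, pos = divmod(sect, size // 4)
        fat_off = (difat[idx] + 1) * size + 4 * pos if idx < 109 else len(data)
        sect = struct.unpack_from("<I", data, fat_off)[0] if fat_off + 4 <= len(data) else ENDOFCHAIN
    return entries

def classify(data):
    """Name the Office format if a telltale stream exists, else 'other-ole2'."""
    hits = {OFFICE_STREAMS[n] for n, _, _ in directory_entries(data) if n in OFFICE_STREAMS}
    return sorted(hits) or ["other-ole2"]

def build_sample(stream_name):
    """Constructed minimal OLE2 file: header, one FAT sector, one directory sector."""
    def entry(name, otype):
        raw = (name + "\0").encode("utf-16-le")
        return raw.ljust(64, b"\0") + struct.pack("<HB", len(raw), otype) + bytes(61)
    header = bytearray(OLE_MAGIC.ljust(512, b"\0"))
    struct.pack_into("<H", header, 0x1E, 9)                  # 512-byte sectors
    struct.pack_into("<I", header, 0x30, 1)                  # directory starts in sector 1
    struct.pack_into("<109I", header, 0x4C, 0, *[0xFFFFFFFF] * 108)
    fat = struct.pack("<2I", 0xFFFFFFFD, ENDOFCHAIN).ljust(512, b"\xff")
    return bytes(header) + fat + entry("Root Entry", 5) + entry(stream_name, 2) + bytes(256)

if __name__ == "__main__":
    for stream in ("Workbook", "PowerPoint Document", "SampleDrawingStream"):
        print(stream, "->", classify(build_sample(stream)))
```

To inspect a real file, pass `open(path, "rb").read()` to `directory_entries` and compare the stream names and root-entry CLSID of a drawing file against those of an .xls or .ppt.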