
Custom file type detection for DLP

Created: 21 May 2013 • Updated: 09 Jul 2013 | 3 comments
kishorilal1986's picture
This issue has been solved. See solution.

Hi All,

Can anyone give me an idea how I can add custom file types which are not in the DLP file type detection rules? I am aware that in the agent config settings you can add any file type for monitoring, but other than this, does anyone have a better solution? I wanted to monitor .msp files, maybe Microsoft Paint bitmap file types.


pete_4u2002's picture

You need to use fileanalyzer for custom detection. There is a custom detection guide in the documents folder which can be used for reference.

KNP's picture

Hi,

I think at present, without agent config, you cannot do monitoring of custom file types; Symantec may develop some new features regarding this.

SOLUTION
tim.kerns's picture

K S,

There are a couple of different ways to detect the existence of your .msp files. You could create a policy to look for a file type of *.msp in the attachment. This may or may not create false positives, but it's a possibility. Also, Symantec does provide a utility called the "File Type Analyzer" that can be installed on any workstation.

FTA is just a Java-based utility that you use to target certain files (.msp), and once targeted, FTA will provide you with an output that contains the binary code of that file type. That binary code can then be added into a policy. In order to use the "Custom File Type Signature" option in the policies, you will need to modify the manager.properties file as follows:

1. Edit the manager.properties file located in \SymantecDLP\Protect\config

2. Add the "true" value to the line com.vontu.manager.policy.showcustomscriptrule=true

3. Restart the Vontu Manager service and upon service restart you will be able to create a policy inclusion that shows as "Custom File Type Signature"

4. Copy the contents from the FTA utility into the custom signature section of the policy rule

Using FTA will allow you to detect the binary makeup of the actual file type, which means if a user were to save a .msp as a different file type, you would still be able to detect that information because the binary would not change.

 

Hope this helps
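
Added example (not part of the original thread, and not the FTA utility or Symantec's signature syntax): a small Python sketch of why a content signature still matches after a rename while a `*.msp` name rule does not. The four-byte headers `DanM` and `LinS` are assumed from public descriptions of the Microsoft Paint MSP format, and all sample files are constructed.

```python
import os
import tempfile

# Assumed leading bytes of Microsoft Paint .msp files per public format
# descriptions (v1 "DanM", v2 "LinS"); not taken from the thread or FTA output.
MSP_MAGICS = {b"DanM": "MSP v1", b"LinS": "MSP v2"}


def by_extension(path):
    """Name-based check: what a '*.msp' attachment rule effectively tests."""
    return os.path.splitext(path)[1].lower() == ".msp"


def by_signature(path):
    """Content-based check: compare the first four bytes with known magics."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    return MSP_MAGICS.get(head)  # None when the header does not match


def classify(path):
    """Return (extension_match, signature_match, verdict) for one file."""
    ext, sig = by_extension(path), by_signature(path)
    if sig and not ext:
        verdict = "renamed: content is %s but extension differs" % sig
    elif ext and not sig:
        verdict = "extension only: .msp name without matching header"
    elif sig:
        verdict = "match: %s" % sig
    else:
        verdict = "no match"
    return ext, sig, verdict


def demo():
    """Build constructed sample files and classify each one."""
    samples = {
        "drawing.msp": b"DanM" + b"\x00" * 28,      # constructed MSP v1 header
        "drawing.txt": b"LinS" + b"\x00" * 28,      # MSP v2 header, renamed
        "notes.msp": b"plain text, not an image",   # extension only
        "report.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 28,  # unrelated content
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = classify(path)
    return results
```

The `drawing.txt` and `notes.msp` cases are the two failure modes of a name-only rule: a renamed file that is missed and a differently formatted file that is flagged.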