Data Loss Prevention Master Specialization Community


DLP Agent Crash when enabling more than 3 policies Custom File Type rule based

  • 1.  DLP Agent Crash when enabling more than 3 policies Custom File Type rule based

    Posted Oct 04, 2012 05:13 PM

    Hello,

    On Symantec DLP 11.5.1, I have implemented nine policies based on Custom File Type Signature rules.

    But when I enable more than three policies, the DLP Agent (EDPA) crashes.

    No issues with other Detection Servers (Discovery, Network Prevent), nor with other policies.

    Anyone had the same problem?

    Thanks,

    Giovanni



  • 2.  RE: DLP Agent Crash when enabling more than 3 policies Custom File Type rule based

    Posted Oct 04, 2012 05:48 PM
    Do you have any logs? Which OS and hardware specs also? Is this the server or the endpoint machine?


  • 3.  RE: DLP Agent Crash when enabling more than 3 policies Custom File Type rule based

    Broadcom Employee
    Posted Oct 05, 2012 01:50 AM

    You can collect the agent log from DLP Enforce Console. Then, paste the log here.



  • 4.  RE: DLP Agent Crash when enabling more than 3 policies Custom File Type rule based

    Posted Oct 05, 2012 03:20 AM

    Enabling these policies may be overloading the agent, resulting in a process crash. I would suggest:

    a) Check the policy rules for anything that may be impacting the endpoint. Try tweaking the rules to make them lighter for the endpoint.

    b) Check the process memory or CPU utilization stats when the policies are enabled.

    c) Check the associated process logs.

     



  • 5.  RE: DLP Agent Crash when enabling more than 3 policies Custom File Type rule based

    Posted Oct 05, 2012 08:17 AM

    Please find the decrypted edpa log attached. I replicated the issue in a lab environment; it seems to depend on the policies, not on the endpoint computer.

    Thanks, Giovanni

    Attachment: edpa.zip (118 KB)


  • 6.  RE: DLP Agent Crash when enabling more than 3 policies Custom File Type rule based

    Trusted Advisor
    Posted Oct 08, 2012 03:01 PM

    Also keep in mind that when it comes to custom file type detection, you need to really know how to write these properly. A malformed policy will overrun the process, especially if the regex and other search criteria are written incorrectly.

    What is the file type that you are looking for? You may need to paste the search in here for support. You will not get it from Symantec.

    If you need help, contact me directly. I am former Vontu/Symantec and wrote many of the ones you see in the examples, and the ones provided for other files. I also write these for customers as custom configs.

     

    Ronak

    rpatel@dlp-solutions.com



  • 7.  RE: DLP Agent Crash when enabling more than 3 policies Custom File Type rule based

    Posted Oct 08, 2012 03:57 PM

    Hi Ronak,

    Apparently, all policies work well with other Detection Servers.

    I have implemented the following policies:

    3DM File

    $header=ascii('3D Geometry File');
    $word=getBinaryValueAt($data, 0x00, 16);
    assertTrue($header == $word);

    ASM.K File

    $header=ascii('#UGC:2 ASSEMBLY');
    $word=getBinaryValueAt($data, 0x00, 15);
    assertTrue($header == $word);

    CAD File

    $header=ascii('Tebis Database V');
    $word=getBinaryValueAt($data, 0x00, 16);
    assertTrue($header == $word);

    DRW.K File

    $header=ascii('#UGC:2 DRAWING');
    $word=getBinaryValueAt($data, 0x00, 14);
    assertTrue($header == $word);

    IGS File

    $value1=ascii('S 1');
    $value2=ascii('S0000001');
    $value=getBinaryValueAt($data, 72, 8);
    if ($value == $value1) {
      assertTrue ($value == $value1);
    } else assertTrue ($value == $value2);

    MCX File

    $value1=getHexStringValue('88000000');
    $value2=getHexStringValue('00050100');
    $value3=getBinaryValueAt($data, 0, 4);
    $value4=getBinaryValueAt($data, 79, 4);
    assertTrue ($value3 == $value1);
    assertTrue ($value4 == $value2);

    PFM File

    $value1=getHexStringValue('02000000');
    $value2=getHexStringValue('3412000002');
    $value3=getBinaryValueAt($data, 0, 4);
    $value4=getBinaryValueAt($data, 60, 5);
    assertTrue ($value3 == $value1);
    assertTrue ($value4 == $value2);

    PRT.K File

    $value1=ascii('#UGC:2 PART');
    $value=getBinaryValueAt($data, 0, 11);
    assertTrue ($value == $value1);

    STP File

    $header=ascii('ISO-10303-21;');
    $word=getBinaryValueAt($data, 0x00, 13);
    assertTrue($header == $word);

     

    The same issue occurs even when using a single policy with all the above rules together.

    Any idea?

    Best regards,

    Giovanni



  • 8.  RE: DLP Agent Crash when enabling more than 3 policies Custom File Type rule based

    Trusted Advisor
    Posted Oct 08, 2012 04:37 PM

    You have a few issues, and I would test these out one by one on the endpoints, not in one policy. One of these, if not most, is causing the issue.

    First of all, use different variable names that are specific to each file, not just $header, $word, $value. That is sloppy programming.

    Use $stpHeader $stpWord for specific file types.

    Look at all of the getBinaryValueAt statements. How can the position just be "0"? It needs an 'x' specification.

    Try not to use any matches that contain special characters (#, semicolons, and colons). It will make it tougher.

    Your IGS detection is formatted wrong.

    How can you validate Value = Value1? They are different lengths.

    For Value1, you may need to use getHexStringValue.

    When using if/else, brackets need to be on their own line!

    $value1=ascii('S 1');
    $value2=ascii('S0000001');
    $value=getBinaryValueAt($data, 72, 8);
    if ($value == $value1)
    {
        assertTrue ($value == $value1);
    }
    else
    {
        assertTrue ($value == $value2);
    }

     

    Good Luck..

    Ronak

    Attachment: SampleScriptsforField.pdf (9 KB)


  • 9.  RE: DLP Agent Crash when enabling more than 3 policies Custom File Type rule based

    Posted Oct 08, 2012 05:00 PM

    Thanks Ronak,

    You are right. Actually, I made a copy/paste error; the correct IGS rule is:

    $value1=ascii('S      1');
    $value2=ascii('S0000001');
    $value=getBinaryValueAt($data, 72, 8);
    
    if ($value == $value1)
    {
    assertTrue  ($value == $value1);
    }
    else
    assertTrue  ($value == $value2);

    For accuracy, I did other tests:

    The issue occurs only on Windows 7 32-bit; Windows 7 64-bit works well...

    Thanks again for your suggestions,
    Giovanni
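
The signature rules listed in post 7, together with the corrected IGS rule from post 9, re-implemented in Python as an added example. This is not Symantec DLP code and not code from either poster: the DLP script functions (ascii, getBinaryValueAt, getHexStringValue, assertTrue) are modelled as small Python helpers so the rules can be run offline against constructed sample bytes. Two things are assumptions of this example rather than documented DLP behaviour: a read past the end of the data returns the bytes that exist (so the comparison fails instead of raising), and the validate_rule() step, which rejects the length mismatch Ronak pointed out in the first IGS rule, is extra checking that the DLP policy editor is not stated to perform.

```python
"""Offline re-implementation of the custom file type signature rules from
this thread.  Added example, not Symantec DLP code: ascii(),
getBinaryValueAt(), getHexStringValue() and assertTrue() are modelled with
plain Python so the rules can be exercised against constructed samples."""

from typing import Dict, List, Tuple

# A check reads `length` bytes at `offset` and passes if the bytes equal one
# of `alternatives` (only the IGS rule has two acceptable values).
Check = Tuple[int, int, Tuple[bytes, ...]]  # (offset, length, alternatives)


def ascii_(s: str) -> bytes:
    """Equivalent of the DLP script's ascii('...')."""
    return s.encode("ascii")


def hex_(s: str) -> bytes:
    """Equivalent of getHexStringValue('...')."""
    return bytes.fromhex(s)


RULES: Dict[str, List[Check]] = {
    "3DM":   [(0x00, 16, (ascii_("3D Geometry File"),))],
    "ASM.K": [(0x00, 15, (ascii_("#UGC:2 ASSEMBLY"),))],
    "CAD":   [(0x00, 16, (ascii_("Tebis Database V"),))],
    "DRW.K": [(0x00, 14, (ascii_("#UGC:2 DRAWING"),))],
    # Corrected IGS rule (post 9): the 'S' record tag plus sequence number
    # occupy columns 73-80 of the first line, i.e. offset 72, 8 bytes.
    "IGS":   [(72, 8, (ascii_("S      1"), ascii_("S0000001")))],
    "MCX":   [(0, 4, (hex_("88000000"),)), (79, 4, (hex_("00050100"),))],
    "PFM":   [(0, 4, (hex_("02000000"),)), (60, 5, (hex_("3412000002"),))],
    "PRT.K": [(0, 11, (ascii_("#UGC:2 PART"),))],
    "STP":   [(0x00, 13, (ascii_("ISO-10303-21;"),))],
}

# The IGS rule as first posted (post 7): the first alternative is 3 bytes but
# 8 bytes are read, so that branch can never match.
MALFORMED_IGS: List[Check] = [(72, 8, (ascii_("S 1"), ascii_("S0000001")))]


def validate_rule(checks: List[Check]) -> None:
    """Reject rules whose expected value cannot equal the bytes read.

    Assumption of this example: DLP is not stated to perform this check, but
    a comparison between values of different lengths is always false, so
    such a rule is dead weight on every endpoint that evaluates it."""
    for offset, length, alternatives in checks:
        if offset < 0 or length <= 0:
            raise ValueError(f"invalid offset/length {offset}/{length}")
        for alt in alternatives:
            if len(alt) != length:
                raise ValueError(
                    f"expected value {alt!r} is {len(alt)} bytes but the "
                    f"check at offset {offset} reads {length} bytes")


def is_well_formed(checks: List[Check]) -> bool:
    """Boolean wrapper around validate_rule()."""
    try:
        validate_rule(checks)
    except ValueError:
        return False
    return True


def get_binary_value_at(data: bytes, offset: int, length: int) -> bytes:
    """Equivalent of getBinaryValueAt($data, offset, length).

    Assumption: reading past the end of the data yields the bytes that exist,
    so a short file simply fails the comparison instead of raising."""
    return data[offset:offset + length]


def matches(data: bytes, checks: List[Check]) -> bool:
    """True when every check in the rule passes (assertTrue semantics)."""
    return all(get_binary_value_at(data, offset, length) in alternatives
               for offset, length, alternatives in checks)


def identify(data: bytes) -> List[str]:
    """Names of all rules that match `data`, in RULES order."""
    return [name for name, checks in RULES.items() if matches(data, checks)]


# Constructed sample inputs (not real files): just enough bytes for each
# rule's offsets to be present.
SAMPLES: Dict[str, bytes] = {
    "STP":   b"ISO-10303-21;\nHEADER;\nFILE_DESCRIPTION(('constructed'),'2;1');\n",
    "PRT.K": b"#UGC:2 PART 1234 constructed sample\n",
    # IGES start section: 72 columns of text, then 'S' and the sequence number.
    "IGS":   b"constructed IGES start record".ljust(72) + b"S      1\n",
    "IGS2":  b"constructed IGES start record".ljust(72) + b"S0000001\n",
    "MCX":   hex_("88000000") + bytes(75) + hex_("00050100"),
    "PFM":   hex_("02000000") + bytes(56) + hex_("3412000002"),
    "NONE":  b"%PDF-1.7\n%constructed, should match nothing\n",
}

if __name__ == "__main__":
    for checks in RULES.values():
        validate_rule(checks)
    for label, data in SAMPLES.items():
        print(f"{label:6s} -> {identify(data)}")
    print("malformed IGS rule well-formed?", is_well_formed(MALFORMED_IGS))
```

Running the script prints which rule each constructed sample hits; the point worth noticing is that the same IGS sample bytes match the corrected rule and fail the originally posted one, which is exactly the length mismatch raised in post 8.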

     



  • 10.  RE: DLP Agent Crash when enabling more than 3 policies Custom File Type rule based

    Trusted Advisor
    Posted Oct 08, 2012 05:10 PM

    Giovanni,

    Let me know what you find out.

    Ronak



  • 11.  RE: DLP Agent Crash when enabling more than 3 policies Custom File Type rule based

    Posted Oct 08, 2012 06:47 PM

    Hi Ronak,

    I opened a case with Symantec Support.
    I finally found that my policies are working properly on the 64 bit agent, while causing the crash of the 32 bit agent.

    Thanks again,

    Giovanni



  • 12.  RE: DLP Agent Crash when enabling more than 3 policies Custom File Type rule based

    Posted Oct 11, 2012 03:42 AM

    I found the solution.
    I have updated the agent to version 11.6, now there are no longer crashes.
    I've been waiting to do the upgrade as there was nothing reported in the release notes.

    Thanks, Giovanni