Data Loss Prevention

  • 1.  Endpoint detect ZIP password protected files

    Posted Sep 30, 2015 05:49 AM

    Hello,


    I need to create a policy on endpoint and on USB to detect ZIP password protected.

    I found a custom file type definition in the Symantec documentation for password-protected ZIP (i.e.: PK + '0304' and an odd number in the 6th byte).

    But what about password-protected 7zip? It seems that there is a certain header: 06 f1 07 01, but it's located at the end of the file and is not specific.

    How could we test this with a custom file type identification?

    And for password-protected RAR? I see that there is a CRC + 0x74 + HEAD_FLAGS which needs to contain 04.

    Regards



  • 2.  RE: Endpoint detect ZIP password protected files

    Posted Sep 30, 2015 06:31 AM

    Hi Thomas,


    Did you try this File Signature as a detection rule:

    $pktag=ascii('PK');
    $frecord=getHexStringValue('0304');
    $pkbytes=getBinaryValueAt($data, 0x0, 2);
    assertTrue($pktag == $pkbytes);
    $recordbytes=getBinaryValueAt($data, 0x2, 2);
    assertTrue($frecord == $recordbytes);
    $cryptByte=getBinaryValueAt($data, 0x6, 1);
    $encrypted=mod($cryptByte, 2);
    assertTrue($encrypted == 1);


    It works for me to detect compressed files with a password.


    Cheers,



  • 3.  RE: Endpoint detect ZIP password protected files

    Posted Sep 30, 2015 08:05 AM

    Hello Morgado,

    I already use this but what about RAR and 7z ?




  • 4.  RE: Endpoint detect ZIP password protected files

    Posted Sep 30, 2015 10:02 AM

    You are right, it seems that it is not detecting the 7z docs, just .zip. Didn't test .rar.

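    Added example (Python, not code from the thread or from the Symantec product): the same ZIP header test as the File Signature in reply 2, but applied to every local file header rather than only the first, plus a heuristic for the 7z coder id quoted in the question. The sample archives are constructed in the code; the 7z blob is a stand-in byte string, not a real archive.

```python
import io
import struct
import zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"
SEVENZ_AES_CODER = b"\x06\xf1\x07\x01"  # the 7zAES coder id quoted in the thread

def zip_encrypted_entries(data: bytes) -> list:
    """Walk every local file header and return the names of encrypted members.

    Bit 0 of the 2-byte general-purpose flag at offset 6 marks an encrypted
    entry (the "odd 6th byte"). The DLP rule above tests only the first
    header, so an archive whose first member is plain and a later one
    encrypted would pass it; this scan does not have that blind spot.
    """
    names, pos = [], 0
    while True:
        pos = data.find(ZIP_LOCAL_SIG, pos)
        if pos < 0 or pos + 30 > len(data):
            return names
        # sig(4) ver(2) flags(2) method(2) time(2) date(2) crc(4)
        # csize(4) usize(4) name_len(2) extra_len(2) name extra data
        (flags,) = struct.unpack_from("<H", data, pos + 6)
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        if flags & 0x0001:
            names.append(data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace"))
        pos += 30 + name_len + extra_len

def sevenz_looks_encrypted(data: bytes, tail: int = 4096) -> bool:
    """Heuristic only: 7z stores its header (and any 7zAES coder id) at the end
    of the file, and that header may itself be compressed or encrypted (-mhe),
    so a miss here does not prove the archive is unprotected."""
    return data.startswith(SEVENZ_MAGIC) and SEVENZ_AES_CODER in data[-tail:]

# --- constructed samples (test data, not archives from the thread) ---
def build_sample_zip(encrypt_second: bool) -> bytes:
    """Two stored members; optionally set the encryption bit on the 2nd only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", b"hello")
        zf.writestr("b.txt", b"world")
    out = bytearray(buf.getvalue())
    if encrypt_second:
        second = out.find(ZIP_LOCAL_SIG, out.find(ZIP_LOCAL_SIG) + 1)
        (flags,) = struct.unpack_from("<H", out, second + 6)
        struct.pack_into("<H", out, second + 6, flags | 0x0001)
    return bytes(out)

SAMPLE_7Z = SEVENZ_MAGIC + b"\x00\x04" + b"\x00" * 40 + SEVENZ_AES_CODER + b"\x00" * 8
```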


  • 5.  RE: Endpoint detect ZIP password protected files
    Best Answer

    Posted Oct 01, 2015 11:53 AM