
How to create a script for custom file type detection for Symantec Data Loss Prevention (DLP)

Created: 19 Nov 2012 | 9 comments
atif.shafique:

I have gone through the guide provided in the media, but it is still a tough job to create a custom script. Has anyone ever created a script for any custom file type detection? If yes, please share it for reference!

I have to create custom file types for approximately 30 different file types and need a start.


yang_zhang:

You need a tool named File Analyzer to create a script to detect your custom file type.

You can contact your Sales/SE for this tool.

stephane.fichet:

Hello atif,

First you need to know the file signature (aka magic bytes) of your file type (you can find most of them on the internet). Then you can use the examples available in the documentation "Symantec_DLP_11.1_Detection_Customization_Guide.pdf" and customize them based on the magic bytes you are looking for, by position and binary value.

Regards.

atif.shafique:

Hello all, I have gone through the entire guide and also generated the ASCII output with the File Type Analyzer. The problem is creating the script to detect the common fields in the signature :)

kishorilal1986:

Hi Atif,

Actually you don't need any script for your above requirement, as you just need to add your requirement in DLP policies for detecting a predefined file type or filename, or you can add the file type/name which is not there.

In my previous company, we had check-marked the multimedia file types, and there were some file types which were absent that we added manually. So as per this, go to policies and add such file type detection.

Also I am providing you references below:

Symantec_DLP_10.5_Custom_File_Type_Detection_Guide.pdf

https://www-secure.symantec.com/connect/forums/enc...

https://www-secure.symantec.com/connect/forums/dlp...

https://www-secure.symantec.com/connect/forums/det...

Attachment: plugin guide.pdf (927.47 KB)

kishorilal1986:

Hi Atif,

You don't need any scripting to detect a custom file type.

Just go to the policy or the agent config to mark the file types you want to detect, or add a custom file type.

atif.shafique:

Hello Sharma,

I definitely need to write a script, as how can I define a file type on DLP Enforce without adding its script?

DLP Solutions2:

All..

As a former Vontu employee and one who wrote most of the custom file type detection signatures, you will need to spend some time on learning the process. It is not super easy, but it is not rocket science either. It is technical and you have to understand ASCII, binary and hex file structures.

It will take you some time to create each signature.

The first issue I see people have a problem with is the File Name Filter:

  •  Note: use one of the following in the "File Name Filter":
  •  [\w\s]+.[\w]+ : this will ONLY be able to read ASCII filenames, or
  •  [^0x00]+.[\w]+ : this will be able to read non-ASCII filenames

Next is to start the signature creation process:

  •  Add a directory that has as many files as possible of the type you are trying to create the file signature for.
  •  You will need to decide how you want to look at the files (Binary, ASCII, or Number).
  •  This will allow you to 'see' the similarities of the files, and create the signature.
  •  Use the "Column_Match" drop-down and click "Analyze Table Data" at the bottom of the screen.
  •  This will show you which 'bytes' of the files are the same. You can then create the signature based off of these items.

Then it's all about creating a signature that matches your criteria, by using get statements, if/else statements and assertTrue or assertFalse.

  •  ALWAYS KEEP IN MIND WHETHER YOU ARE USING HEX OR BINARY with statements.
  •  Example: starting at byte "15", the next "4" bytes have to be equal to "52617221" (keep in mind that in Binary each byte is 2 numbers).
  •  Here is one for password-protected ZIP files:

    $pktag=ascii('PK');
    $frecord=getHexStringValue('0304');
    $pkbytes=getBinaryValueAt($data, 0x0, 2);
    assertTrue($pktag == $pkbytes);
    $recordbytes=getBinaryValueAt($data, 0x2, 2);
    assertTrue($frecord == $recordbytes);
    $cryptByte=getBinaryValueAt($data, 0x6, 1);
    $encrypted=mod($cryptByte, 2);
    assertTrue($encrypted == 1);

Once you have created a signature, start to test it against other files to make sure you have it right!!

You will need to use the tool and provide it with as many different document types as possible; this is to verify that the signature you create will ONLY find the documents you are looking for. So include doc, ppt, xls, pdf, dll, mp3, exe, vsd, and whatever common files are out there as part of your example set.

Enclosed are a couple of example documents/instructions that I have created over the years for customers. If you need some consulting help on this, I am available.

Good luck!

Attachments: Custom File Type Detection Scripts.docx (32.51 KB), SampleScriptsforField.pdf (9.67 KB)

Please make sure to mark this as a solution to your problem, when possible.
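A Python rendering of the workflow in the post above, added here as an illustration; it is not a Symantec DLP detection script and not code from the poster. It reproduces the two steps the post describes: find the byte offsets that are identical across a set of sample files (the manual equivalent of "Analyze Table Data"), then check candidate files against the result. It also implements the password-protected ZIP rule from the post (PK 03 04 at offset 0, low bit of the general-purpose flag byte at offset 6) and runs it against a negative corpus of other file headers, as the post recommends. The function names, the sample ZIPs built in memory with the standard zipfile module, and the other file headers are all constructed for this example and are assumptions of it, not artifacts from the thread.

```python
"""Added example: derive a byte signature from samples and test a detector.

Not a Symantec DLP script and not the poster's code. Sample files are
constructed in memory below; nothing here reads real customer data.
"""
import io
import zipfile
from typing import Callable, Dict, Iterable, List, Tuple


def common_bytes(samples: Iterable[bytes], max_offset: int = 64) -> Dict[int, int]:
    """Return {offset: value} for every offset below max_offset (and within the
    shortest sample) whose byte is identical in all samples. This is what the
    post's "Analyze Table Data" step shows you in File Analyzer."""
    samples = list(samples)
    if not samples:
        return {}
    limit = min(max_offset, min(len(s) for s in samples))
    first = samples[0]
    return {
        off: first[off]
        for off in range(limit)
        if all(s[off] == first[off] for s in samples[1:])
    }


def matches_signature(data: bytes, signature: Dict[int, int]) -> bool:
    """True if every (offset, value) pair of the signature is present in data."""
    return all(off < len(data) and data[off] == val for off, val in signature.items())


def is_encrypted_zip(data: bytes) -> bool:
    """Python equivalent of the post's ZIP script: 'PK', then 03 04, then the
    general-purpose flag byte at offset 6 with its low bit (encryption) set."""
    if len(data) < 7:
        return False
    if data[0:2] != b"PK":                     # $pktag == $pkbytes
        return False
    if data[2:4] != bytes.fromhex("0304"):     # $frecord == $recordbytes
        return False
    return data[6] % 2 == 1                     # mod($cryptByte, 2) == 1


def evaluate(detector: Callable[[bytes], bool],
             positives: List[bytes], negatives: List[bytes]) -> Tuple[int, int]:
    """(misses on known-good samples, hits on the negative corpus): the test the
    post insists on before a signature is trusted."""
    false_negatives = sum(1 for s in positives if not detector(s))
    false_positives = sum(1 for s in negatives if detector(s))
    return false_negatives, false_positives


# --- constructed sample files ----------------------------------------------
def make_zip(name: str, payload: bytes, encrypted_flag: bool = False) -> bytes:
    """Build a stored ZIP in memory. Optionally set the encryption bit in the
    first local file header so the header looks like a password-protected
    entry (the payload is not actually encrypted; this only exercises the check)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        data[6] |= 0x01
    return bytes(data)


ENCRYPTED_ZIPS = [make_zip(f"secret{i}.txt", b"x" * (10 + i), True) for i in range(3)]
PLAIN_ZIPS = [make_zip(f"plain{i}.txt", b"y" * (5 + i)) for i in range(3)]
OTHER_FILES = [                                   # headers of unrelated types
    b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",             # PDF
    b"MZ\x90\x00\x03\x00\x00\x00",                # PE (exe/dll)
    b"Rar!\x1a\x07\x00",                          # RAR 1.5-4.x
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",          # OLE2 (doc/xls/ppt)
    b"ID3\x03\x00\x00\x00",                       # MP3 with ID3v2 tag
]

# Bytes 0-5 and 7 are identical across all ZIP samples; byte 6 is not, because
# the flag differs between the encrypted and plain sets.
ZIP_SIGNATURE = common_bytes(ENCRYPTED_ZIPS + PLAIN_ZIPS, max_offset=8)


if __name__ == "__main__":
    print("bytes shared by all ZIP samples:",
          {k: f"{v:02x}" for k, v in sorted(ZIP_SIGNATURE.items())})
    print("encrypted-ZIP detector (misses, false alarms):",
          evaluate(is_encrypted_zip, ENCRYPTED_ZIPS, PLAIN_ZIPS + OTHER_FILES))
```

The ZIP check reads only the first local file header, exactly as the script in the post does: an archive whose first entry is stored in the clear but which has encrypted entries later will not trip it. The signature-derivation step is only as good as its sample set, which is why the post asks for as many genuine samples and as many unrelated file types as you can collect.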

DLP Solutions2:

If this was helpful, please call this question closed! You can also send me questions directly at info@dlp-solutions.com
