
How to create a script for custom file type detection for Symantec Data Loss Prevention (DLP)

Created: 19 Nov 2012 by atif.shafique

I have gone through the guide provided in the media, but it is still a tough job to create a custom script. Has anyone ever created a script for any custom file type detection? If yes, please share it for reference!

I have to create custom file types for approximately 30 different file types and need a start.


Comments

yang_zhang (Symantec Employee, Accredited), 19 Nov 2012, Votes +1


You need a tool named File Analyzer to create a script to detect your custom file type.

You can contact your Sales/SE for this tool.

If a forum post solves your problem, please flag it as a solution. If you like an article, blog post or download vote it up.
K S Sharma (Partner, Accredited), 19 Nov 2012, Votes 0


Please see the links below to get an idea for your query

https://www-secure.symantec.com/connect/forums/det...

20 Nov 2012, Votes 0


Hello atif,

First you need to know the file signature (aka magic bytes) of your file type (you can find most of them on the internet). Then you can use the examples available in the documentation "Symantec_DLP_11.1_Detection_Customization_Guide.pdf" and customize them based on the magic bytes you are looking for, i.e. the position and binary value of what you are looking for.

Regards.

atif.shafique (Partner, Accredited), 20 Nov 2012, Votes 0


Hello All, I have gone through the entire guide and also generated the ASCII output with the file type analyzer. The problem is to create the script to detect the common fields in the signature :)

K S Sharma (Accredited), 10 Dec 2012, Votes 0


Hi Atif,

Actually you don't need any script for your above requirement, as you just need to add your requirement in the DLP policies for detecting a predefined file type or filename, or you can add the file type/name which is not there.

In my previous company, we had check-marked the multimedia file types, and there were some file types which were absent that we added manually. So as per this, go to policies and add such file type detection.

Also I am providing you a reference below

Symantec_DLP_10.5_Custom_File_Type_Detection_Guide.pdf

https://www-secure.symantec.com/connect/forums/enc...

https://www-secure.symantec.com/connect/forums/dlp...

https://www-secure.symantec.com/connect/forums/det...

Attachment: plugin guide.pdf (927.47 KB)
K S Sharma (Partner, Accredited), 17 Feb 2013, Votes 0


Hi Atif,

You don't need any scripting to detect a custom file type.

Just go to the policy or the agent config to mark the file type you want to detect, or add a custom file type.

atif.shafique (Partner, Accredited), 19 Feb 2013, Votes 0


Hello Sharma,

I definitely need to write a script, as how can I define a file type on DLP Enforce without adding its script?

DLP Solutions (Partner, Accredited), 21 Feb 2013, Votes +1


All..

As a former Vontu employee and one who wrote most of the custom file type detection signatures, you will need to spend some time on learning the process. It is not super easy, but it is not rocket science either. It is technical, and you have to understand ASCII, binary and hex file structures.

It will take you some time to create each signature.

The first issue I see people have a problem with is the File Name Filter. Use one of the following in the "File Name Filter":

  •  [\w\s]+.[\w]+ : this will ONLY be able to read ASCII filenames
  or
  •  [^0x00]+.[\w]+ : this will be able to read non-ASCII filenames

Next is to start the signature creation process:

  • Add a directory that has as many of the same file type as possible that you are trying to create the file signature for.
  • You will need to decide how you want to look at the files (Binary, ASCII, or Number).
  • This will allow you to 'see' the similarities of the files and create the signature.
  • Use the "Column_Match" drop-down and click "Analyze Table Data" at the bottom of the screen.
  • This will show you which 'bytes' of the files are the same. You can then create the signature based off these items.

Then it's all about creating a signature that matches your criteria, by using get statements, if/else statements and assert true or false.

  • ALWAYS KEEP IN MIND WHETHER YOU ARE USING HEX OR BINARY with statements.
  • Starting at byte "15", the next "4" bytes have to be equal to "52617221" (keep in mind that in binary each byte is 2 numbers).
  • Here is one for password-protected ZIP files:

    $pktag=ascii('PK');
    $frecord=getHexStringValue('0304');
    $pkbytes=getBinaryValueAt($data, 0x0, 2);
    assertTrue($pktag == $pkbytes);
    $recordbytes=getBinaryValueAt($data, 0x2, 2);
    assertTrue($frecord == $recordbytes);
    $cryptByte=getBinaryValueAt($data, 0x6, 1);
    $encrypted=mod($cryptByte, 2);
    assertTrue($encrypted == 1);

Once you have created a signature, start to test it against other files to make sure you have it right!!

You will need to use the tool and provide it with as many different document types as possible; this is to verify that the signature you create will ONLY find the documents you are looking for. So include doc, ppt, xls, pdf, dll, mp3, exe, vsd, and whatever common files are out there as part of your example set.

Enclosed are a couple of example documents/instructions that I have created over the years for customers; if you need some consulting help on this, I am available.

Good luck!

Attachments: Custom File Type Detection Scripts.docx (32.51 KB), SampleScriptsforField.pdf (9.67 KB)

Please make sure to mark this comment as a solution to your problem, when possible.
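As an added illustration that is not part of this thread, and not Symantec's script language or tooling, the Python below performs the same two kinds of check as the ZIP script in the comment above (a fixed byte sequence at a fixed offset, then a flag-bit test), and also follows the earlier advice in this thread to start from the magic bytes of each type and to test a signature against unrelated file types. The type names, offsets, helper names and sample bytes are my own constructions; the "Rar!" marker in the table is placed at offset 0, which is where it sits in RAR archives, and the ZIP samples are hand-built 30-byte local file headers rather than real archives.

```python
"""Added example: a small magic-byte classifier that mirrors the checks
in the thread's DLP custom file type script. Not Symantec code."""
import struct
from typing import Dict, List, Optional, Tuple

# Signature table: (type name, byte offset, expected bytes).
# Well-known magic numbers; the "Rar!" marker sits at offset 0 in RAR archives.
SIGNATURES: List[Tuple[str, int, bytes]] = [
    ("zip", 0, b"PK\x03\x04"),
    ("rar", 0, b"Rar!\x1a\x07"),
    ("pdf", 0, b"%PDF-"),
    ("png", 0, b"\x89PNG\r\n\x1a\n"),
]


def match_signature(data: bytes) -> Optional[str]:
    """Return the first type whose magic bytes appear at the expected offset.

    Slicing past the end of `data` gives a short slice that never equals the
    magic, so truncated input simply fails to match instead of raising.
    """
    for name, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return None


def zip_is_encrypted(data: bytes) -> bool:
    """Mirror of the thread's ZIP script: 'PK' at 0x0, 0x0304 at 0x2, then bit 0
    of the general-purpose flag at 0x6 set means the entry is encrypted.
    The flag is a little-endian uint16, so its low byte is the one at offset 6,
    which is why the script's mod($cryptByte, 2) test works."""
    if data[0:2] != b"PK" or data[2:4] != b"\x03\x04" or len(data) < 8:
        return False
    (flags,) = struct.unpack_from("<H", data, 6)
    return (flags & 1) == 1


def classify(data: bytes) -> str:
    """Combine the signature match with the encryption refinement."""
    kind = match_signature(data)
    if kind == "zip" and zip_is_encrypted(data):
        return "zip-encrypted"
    return kind or "unknown"


def make_zip_local_header(name: bytes, encrypted: bool) -> bytes:
    """Constructed test data (not a real archive): a 30-byte ZIP local file
    header -- signature, version, flags, method, time, date, crc32, compressed
    size, uncompressed size, name length, extra length -- followed by the name."""
    flags = 1 if encrypted else 0
    return struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, 0, 0,
                       0, 0, 0, len(name), 0) + name


# Constructed sample set: the targets plus unrelated types, in the spirit of
# the advice to check that a signature fires ONLY on the intended files.
SAMPLES: Dict[str, bytes] = {
    "plain.zip": make_zip_local_header(b"a.txt", encrypted=False),
    "secret.zip": make_zip_local_header(b"a.txt", encrypted=True),
    "doc.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "archive.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 8,
    "notes.txt": b"just text",
    "short.bin": b"PK",  # truncated: only the first two signature bytes
}


def scan(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every sample; a good signature leaves the non-targets 'unknown'."""
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, kind in scan(SAMPLES).items():
        print(f"{name:12s} -> {kind}")
```

The `short.bin` sample is there for the edge case the thread's script does not discuss: a file shorter than the offsets being read. Slicing and the explicit length check keep the classifier from raising on it, so a truncated or empty file is reported as unknown rather than crashing the scan.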

DLP Solutions (Partner, Accredited), 21 Feb 2013, Votes 0


If this was helpful, please call this question closed! You can also send me questions directly at info@dlp-solutions.com
