New York Data Loss Prevention User Group

Is there a way to identify embedded Excel files in PowerPoint or Word documents?

I am not sure but I do get events where a excel is imbedded in a word doc.
Should be possible..

When the Scan server sees a file, it looks at the file as plain text.
When you inject an excel file into a word, it is still visible at plain text, and you could scan it as well.
keep in mind that if the user injected something (lets say excel) into a word document, the incident would show that winword is the cause of the incident, so look closely inside the document so that you will find the injected content, and don't discard incidents just because they seem odd.

Kind Regards,
Naor Penso

Our experience is that Vontu/Symantec DLP will find policy-matching data in Word or Excel files, even if they are embedded in other Office files, including PowerPoint, as long the file is not password-protected/encrypted. In the incident snapshot, we usually see the highlighted matches under a file name like "ext83017_kv0.tmp". This name apparently reflects a temp file created by Vontu when scanning through embedded files.

Unfortunately, at least in v9, getting more detail appears to require manual detective work. There doesn't seem to be any way to quickly see the actual name of the embedded file or its container (where there are multiple attachments, etc.). But, if Vontu can see the content, so can we -  it just might take some work and experience to find it.

Once you locate the embedded document, it still may take some work to locate the matching content. In Excel, checking for hidden rows/columns, or even whole sheets, usually reveals. But, we've seen white-on-white text, 1-pt. text, and other user "tricks".