Data Loss Prevention

  • 1.  SDLP and custom file type detection (File Type Analyzer)

    Posted Oct 30, 2013 11:45 AM

    Trying to generate the script for Symantec Data Loss Prevention custom file type detection.

    The File Type Analyzer utility gives me the following result on "magic bytes":

     [screenshot: FTA.JPG]

    Then I made the script:

    $Int1 = getHexStringValue('EE01');
    $Int2 = getBinaryValueAt($data, 0x50, 2);
    assertTrue($Int1 == $Int2);
    $Int3 = getHexStringValue('F201');
    $Int4 = getBinaryValueAt($data, 0x52, 2);
    assertTrue($Int3 == $Int4);

    Putting it in the Solution field and pressing the Test Solution doesn't detect files. Where is the mistake in the script?




  • 2.  RE: SDLP and custom file type detection (File Type Analyzer)

    Broadcom Employee
    Posted Oct 31, 2013 02:07 AM

    Do you have any screenshot of your Analyzer when testing this solution?



  • 3.  RE: SDLP and custom file type detection (File Type Analyzer)
    Best Answer

    Trusted Advisor
    Posted Oct 31, 2013 02:57 AM

    Hi,

     First, you can have only one condition using a script like this:

    $Int1 = getHexStringValue('EE01F201');
    $Int2 = getBinaryValueAt($data, 0x50, 4);
    assertTrue($Int1 == $Int2);

    But it is very strange that your script doesn't work, as I tested it on my test platform (DLP v11.6.3) and it works fine. Maybe your issue is not at the script level (is your policy active? Is your test email OK? Is your test platform working fine?).


     Usually when I test a new detection rule, I always add a basic rule to the policy (like a simple keyword that I put in my email), so that I know that email must raise an incident (which confirms to me that the policy, test platform and email are OK), and I check whether the new rule has matched or not.


     Regards




  • 4.  RE: SDLP and custom file type detection (File Type Analyzer)

    Posted Oct 31, 2013 03:12 AM

    I have added the screenshot to the problem description actually. The magic bytes one.



  • 5.  RE: SDLP and custom file type detection (File Type Analyzer)

    Posted Oct 31, 2013 03:35 AM

    Stephane, thank you

    Right now I am only testing the solution in a File Analyzer Utility. The script works only with the first bytes of the file. It is like if I put 0x0 in the second line parameters in your example (where EE01F201 is some other data):

    $Int1 = getHexStringValue('EE01F201');
    $Int2 = getBinaryValueAt($data, 0x0, 4);
    assertTrue($Int1 == $Int2);

    Maybe it is some encoding issue?



  • 6.  RE: SDLP and custom file type detection (File Type Analyzer)

    Trusted Advisor
    Posted Oct 31, 2013 03:41 AM

    Sorry, I didn't get your point that you were testing in File Type Analyzer.

    Take care that File Type Analyzer does not work with all the file content; it is limited to the first few sets of parameters. I don't remember exactly how, but that is why I don't use it anymore, and rather use a good hex editor and look for a pattern in all the file content (especially also at the end of the file).



  • 7.  RE: SDLP and custom file type detection (File Type Analyzer)

    Posted Oct 31, 2013 06:44 AM

    Could you please recommend a HEX editor? FTA seems to be really unreliable.



  • 8.  RE: SDLP and custom file type detection (File Type Analyzer)

    Trusted Advisor
    Posted Oct 31, 2013 06:51 AM

    Not that easy, as it really depends on what you use/like/want, but:

    - WinHex is really complete and has lots of capabilities

    - CR-Hexact is simple and light but works fine for identifying patterns (and it is freeware)

     Sure, there are lots of other HEX editors which can help you, but at least I used those two frequently.



  • 9.  RE: SDLP and custom file type detection (File Type Analyzer)

    Posted Nov 05, 2013 10:16 AM

    Stephane, thank you.

    What I did was just add the first 8 bytes of the file to the script. Works fine. Starting from 0x50 doesn't work and I don't know why.

    Summary: If you will use File Type Analyzer for creating custom scripts, analyze only the first bytes of the file with the chunk size 1024. This approach works fine. Tested.
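As an added example that is not part of this thread or Symantec's own code: a small Python emulation of the script calls used above, so a candidate magic-byte signature can be checked against sample files outside the File Type Analyzer. The semantics of getHexStringValue, getBinaryValueAt and assertTrue are assumed from how the thread uses them, and the optional chunk limit models a tool that only hands the script the first N bytes of the file.

```python
"""Offline emulation of a DLP custom file type signature check (constructed
example; the helper semantics are assumed from the thread, not taken from
Symantec documentation)."""
from typing import Optional


def get_hex_string_value(hex_str: str) -> bytes:
    """Emulates getHexStringValue: 'EE01' -> b'\\xee\\x01'."""
    return bytes.fromhex(hex_str)


def get_binary_value_at(data: bytes, offset: int, length: int) -> Optional[bytes]:
    """Emulates getBinaryValueAt; returns None when the slice runs past the data."""
    if offset < 0 or offset + length > len(data):
        return None
    return data[offset:offset + length]


def matches_signature(data: bytes, offset: int, magic_hex: str,
                      chunk_size: Optional[int] = None) -> bool:
    """True when magic_hex is found at offset (the assertTrue($a == $b) step).

    chunk_size models a tool that only exposes the first N bytes of the file
    (the 1024-byte chunk mentioned in the thread): bytes beyond it are
    invisible to the script, so a signature placed past the chunk never matches.
    """
    visible = data if chunk_size is None else data[:chunk_size]
    expected = get_hex_string_value(magic_hex)
    actual = get_binary_value_at(visible, offset, len(expected))
    return actual is not None and actual == expected


def thread_script(data: bytes, chunk_size: Optional[int] = None) -> bool:
    """The two-assertion script from the question: EE01 at 0x50 and F201 at 0x52.

    Equivalent to the single four-byte form EE01F201 at 0x50 from the best answer.
    """
    return (matches_signature(data, 0x50, "EE01", chunk_size)
            and matches_signature(data, 0x52, "F201", chunk_size))


# Constructed sample file: 0x50 bytes of filler, the magic bytes, then padding.
SAMPLE = b"\x00" * 0x50 + bytes.fromhex("EE01F201") + b"\x00" * 1100

if __name__ == "__main__":
    print("two-assertion form:", thread_script(SAMPLE))
    print("combined form     :", matches_signature(SAMPLE, 0x50, "EE01F201"))
    print("only 0x51 bytes visible:", matches_signature(SAMPLE, 0x50, "EE01F201", chunk_size=0x51))
```

Run it against real sample files by replacing SAMPLE with the file's bytes; a signature that matches here but not in the analyzer points at the tool's input limits rather than the script itself.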