Data Loss Prevention

  • 1.  DCM for RAR

    Posted Aug 07, 2015 09:33 AM

    Hi everybody,

    I have the custom detection for RAR. I created a RAR.fgi using the Analyzer utility, but I don't know how to import (use) it on DLP.

    Can someone help me, please? :(

    Thank you so much!!
    Title
    Scripts for Custom File type detection of Password protected WinRAR and 7zip files

    Issue
    Scripts for Custom File type detection of Password protected WinRAR and 7zip files

    Solution
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    WinRAR password protected (file name not encrypted)

    $First4rarTag=getHexStringValue('52617221');
    $First4rarBytes=getBinaryValueAt($data, 0x0, 4);
    assertTrue($First4rarTag == $First4rarBytes);
    $Second3rarTag=getHexStringValue('1A0700');
    $Second3rarBytes=getBinaryValueAt($data, 0x4, 3);
    assertTrue($Second3rarTag == $Second3rarBytes);
    $EncryptedrarTag=getHexStringValue('80');
    $EncryptedrarBytes=getBinaryValueAt($data, 0xA, 1);
    $FileHeaderFlags = getBinaryValueAt($data, 0x18, 1);
    $modedValue = mod($FileHeaderFlags, 8);

    if ($modedValue >= 4)
    {
        assertTrue($modedValue >= 4);
    }
    else
    {
        assertTrue($EncryptedrarBytes == $EncryptedrarTag);
    }

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    7zip password protected

    $First7zipTag=getHexStringValue('377ABCAF');
    $First7zipBytes=getBinaryValueAt($data, 0x0, 4);
    assertTrue($First7zipTag == $First7zipBytes);
    $Second7zipTag=getHexStringValue('271C0003');
    $Second7zipBytes=getBinaryValueAt($data, 0x4, 4);
    assertTrue($Second7zipTag == $Second7zipBytes);
    $Encrypted7zipTag=getHexStringValue('00000000');
    $Encrypted7zipBytes=getBinaryValueAt($data, 0x10, 4);
    assertTrue($Encrypted7zipTag == $Encrypted7zipBytes);
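As an added example (not from the thread and not Symantec's code), the two DLP script checks above re-implemented in Python so the byte-offset logic can be exercised offline before it is pasted into a policy. The sample builders are constructed inputs that set only the bytes the scripts inspect; they are not valid archives, and the offsets and values are taken from the scripts as posted.

```python
RAR4_MAGIC = bytes.fromhex("52617221" "1A0700")      # "Rar!" 1A 07 00
SEVENZ_MAGIC = bytes.fromhex("377ABCAF" "271C0003")  # "7z" BC AF 27 1C 00 03


def rar_password_protected(data: bytes) -> bool:
    """Same decision as the WinRAR script: 7-byte signature, then the byte at
    0x18 with bit 0x04 set (mod 8 >= 4); otherwise the byte at 0xA must equal
    0x80. Note the script compares the 0xA byte for equality, not as a mask."""
    if len(data) < 0x19 or data[:7] != RAR4_MAGIC:
        return False
    if data[0x18] % 8 >= 4:        # mod($FileHeaderFlags, 8) >= 4
        return True
    return data[0xA] == 0x80       # $EncryptedrarBytes == $EncryptedrarTag


def sevenzip_password_protected(data: bytes) -> bool:
    """Same decision as the 7zip script: 8-byte signature, then the four
    bytes at offset 0x10 must all be zero."""
    if len(data) < 0x14 or data[:8] != SEVENZ_MAGIC:
        return False
    return data[0x10:0x14] == b"\x00\x00\x00\x00"


def build_rar_sample(byte_at_0xa: int, byte_at_0x18: int) -> bytes:
    """Constructed test input (not a real archive): only the bytes the
    script inspects are set, everything else is zero."""
    buf = bytearray(0x20)
    buf[0:7] = RAR4_MAGIC
    buf[0xA] = byte_at_0xa
    buf[0x18] = byte_at_0x18
    return bytes(buf)


def build_7z_sample(bytes_at_0x10: bytes) -> bytes:
    """Constructed test input (not a real archive) for the 7zip check."""
    buf = bytearray(0x20)
    buf[0:8] = SEVENZ_MAGIC
    buf[0x10:0x14] = bytes_at_0x10
    return bytes(buf)


if __name__ == "__main__":
    # Expected: True, True, False, False, True, False
    print(rar_password_protected(build_rar_sample(0x80, 0x00)))  # 0xA byte == 0x80
    print(rar_password_protected(build_rar_sample(0x00, 0x04)))  # bit 0x04 set at 0x18
    print(rar_password_protected(build_rar_sample(0x00, 0x08)))  # bit 0x04 clear
    print(rar_password_protected(build_rar_sample(0x81, 0x00)))  # equality test misses 0x81
    print(sevenzip_password_protected(build_7z_sample(b"\x00\x00\x00\x00")))
    print(sevenzip_password_protected(build_7z_sample(b"\x20\x00\x00\x00")))
```

The 0x81 case shows the caveat of the posted script: because it tests the 0xA byte for equality with 0x80, any extra bit set in that byte makes the check fail.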



  • 2.  RE: DCM for RAR
    Best Answer

    Trusted Advisor
    Posted Aug 10, 2015 02:47 AM

    Hello,

    First you must activate the capability to use custom scripts by updating the following line in the manager.properties configuration file (in the SymantecDLP\Protect\config directory):

    com.vontu.manager.policy.showcustomscriptrule

    (set it to true). Then restart the DLP services.

    After that you should be able to add a custom file type signature detection rule (available in the file properties section) in your DLP policy. Then you need to copy and paste your script into the dedicated text box.


     Regards