How to set up File Type Mis-Match based detection - Email & Web Uploads in order to detect user behavior or violations by trying to circumvent controls by changing the file type (extension).
For example, if a user changes the .pdf or .zip file name extension to .txt and emails the file, the detection engine can still register a match because it checks the binary signature of the file to detect the actual file type and trip the rule/policy. How to use this feature to detect and report any instances (web/email) where there is a file type mismatch?
Unfortunately you can't define a rule with a negative operator (like filename extension not equal to pptx). But you can define the kind of rule you want by looking for different file names. For example, for a PowerPoint document you can define a compound rule like:
File type equals PowerPoint presentation
File name equals *.txt, *.zip, *.pdf, *.jpg, *.gif
Thanks for the info. The use case I have is a bit different. I am trying to detect user behavior or violations where users circumvent controls by changing the file type (extension). For example, a user trying to send out an archive file such as *.zip as a text file by changing the file type to *.txt.
In Symantec DLP, the detection engine can register a file type match because it checks the binary signature of the file to detect the actual file type, but can it trip a particular rule/policy? How to use this feature to detect and report any instances (web/email) where the file type has been changed by the user?
I believe that Stephane's answer is also right for your second comment.
If you create a rule to detect "Message Attachment or File Type Match", Symantec DLP uses the magic bytes (file signature) of the file to know what the actual file type is. If you create a detection that detects the .zip ("Message Attachment or File Type Match" = Encapsulation Formats) and at the same time detects "file name match" = *.txt, it means that the end user changed the encapsulated format to a .txt.
Yes, for sure. I understood. But the challenge is that we then have to create a rule for each file type of interest and then verify whether the file type matched the actual file type.
Or is there a means to avoid multiple rules by employing one rule, or to exploit a feature in DLP which can alert the investigator to highlight that a particular user changed the file type from *.abc to *.xyz?
Yes and no. You need to create a set of rules, but you don't need to "verify", because if the DLP policy with that set of rules (file type match + file name match) triggers an incident, you already know that someone or some application changed the original extension of the file. So you only need to set up one policy with the formats you are looking for.
I would set up the policy without response rules, only logging the actions.
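The mechanism the replies describe, as an added example that is not part of the thread and not Symantec DLP code: the true type is read from the file's magic bytes, and an incident is raised only when the claimed extension disagrees with it, which is what the compound rule "file type match + file name match" does. The example goes one step further than the thread by telling Office Open XML documents (.pptx/.docx/.xlsx, which are ZIP containers) apart from a plain ZIP by their internal entry names, so a PowerPoint renamed to .txt is reported as PowerPoint rather than as a ZIP. The attachment set, the signature table and the function names are all constructed for this example.

```python
import fnmatch
import io
import os
import zipfile

# Well-known magic-byte signatures (first bytes of the file).
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpeg"),
]

# Extensions that legitimately carry each detected type. Office Open XML
# files share the ZIP signature, so they are separated by their inner layout.
EXPECTED_EXTENSIONS = {
    "pdf": {".pdf"},
    "zip": {".zip", ".jar"},
    "png": {".png"},
    "gif": {".gif"},
    "jpeg": {".jpg", ".jpeg"},
    "pptx": {".pptx", ".ppsx"},
    "docx": {".docx"},
    "xlsx": {".xlsx"},
}


def _classify_zip(data):
    """Distinguish OOXML documents from a plain ZIP by their entry names."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "zip"  # PK header but unreadable archive: treat as generic ZIP
    if any(n.startswith("ppt/") for n in names):
        return "pptx"
    if any(n.startswith("word/") for n in names):
        return "docx"
    if any(n.startswith("xl/") for n in names):
        return "xlsx"
    return "zip"


def sniff_type(data):
    """Return the real type from the bytes, or None if no signature matches."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return _classify_zip(data) if kind == "zip" else kind
    return None


def extension_mismatch(filename, data):
    """Return (claimed_extension, actual_type) when the name lies about the
    content, or None when they agree or the content is not recognised."""
    actual = sniff_type(data)
    if actual is None:
        return None
    ext = os.path.splitext(filename)[1].lower()
    if ext in EXPECTED_EXTENSIONS[actual]:
        return None
    return (ext, actual)


# Emulation of the compound rule from the thread:
# "file type equals <rule_type>" AND "file name matches one of these patterns".
RULE_FILENAME_PATTERNS = ["*.txt", "*.zip", "*.pdf", "*.jpg", "*.gif"]


def compound_rule_matches(rule_type, filename, data):
    name_hit = any(fnmatch.fnmatch(filename.lower(), p) for p in RULE_FILENAME_PATTERNS)
    return sniff_type(data) == rule_type and name_hit


def scan_attachments(attachments):
    """Run the mismatch check over {filename: bytes}; one incident per hit."""
    incidents = []
    for name, data in attachments.items():
        hit = extension_mismatch(name, data)
        if hit is not None:
            incidents.append((name, hit[0], hit[1]))
    return incidents


def _make_zip(entries):
    """Build an in-memory ZIP; used only to construct sample attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (not real captured traffic).
PPTX_LIKE = _make_zip({"[Content_Types].xml": "<Types/>",
                       "ppt/presentation.xml": "<p:presentation/>"})
PLAIN_ZIP = _make_zip({"readme.txt": "hello"})
SAMPLE_ATTACHMENTS = {
    "deck.txt": PPTX_LIKE,                 # PowerPoint renamed to .txt
    "deck.pptx": PPTX_LIKE,                # legitimate
    "archive.txt": PLAIN_ZIP,              # ZIP renamed to .txt
    "notes.txt": b"just some text\n",      # real text, no signature
    "report.pdf": b"%PDF-1.7\n1 0 obj\n",  # legitimate
    "report.jpg": b"%PDF-1.7\n1 0 obj\n",  # PDF renamed to .jpg
}

if __name__ == "__main__":
    for incident in scan_attachments(SAMPLE_ATTACHMENTS):
        print("file type mismatch: name=%s claimed=%s actual=%s" % incident)
```

Two things to watch when translating this into DLP rules: the file name pattern list for a given type must not contain that type's own extension (a "*.zip" pattern in a rule whose file type condition is ZIP would fire on every legitimate archive), and a ZIP-level signature alone cannot tell an OOXML document from an archive, so the detection engine's own format identification, not a raw magic-byte match, is what makes the PowerPoint rule in the thread work.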