Data Loss Prevention (DLP) - Create custom file types
Hi,
This article covers the steps required to create a custom file type signature in DLP. This is traditionally used for Zip files on Endpoint, but it can be used for most file types that DLP does not detect automatically.
In this example we're going to use a PDF document as the target type. Even though PDF is already detectable, it is a good example for showing how to create an accurate custom file type signature (CFTS).
This is something I've had to do a couple of times now; it's proven a very useful toolset.
$pdftag=ascii('PDF');
$pdfbytes=getBinaryValueAt($data, 0x1,3);
assertTrue($pdftag==$pdfbytes);
The first line creates a variable called $pdftag holding the value PDF. This is what we are going to compare against. The second line goes to the built-in $data variable (the data stream of the file being interrogated) and, starting at offset 0x1 (the second byte, just after the leading % of a PDF header), reads the next 3 bytes. The last line compares the two values and checks whether they are equal. If they are, it's a positive match; otherwise the file is ignored.
The signature can be tightened further by also requiring a specific version string. A PDF header reads %PDF-1.5, so the version sits 3 bytes from offset 0x5:
$pdftag=ascii('PDF');
$pdfbytes=getBinaryValueAt($data, 0x1,3);
assertTrue($pdftag==$pdfbytes);
$pdfversion=ascii('1.5');
$pdfversionreal=getBinaryValueAt($data, 0x5,3);
assertTrue($pdfversion==$pdfversionreal);
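The following is an added Python model of the byte-offset checks above (it is not Symantec's code and does not run inside DLP). It lets you verify the offsets and expected values against sample file headers before deploying a signature, and also shows why pinning the exact version string makes the signature miss other PDF versions. The ZIP case and all sample byte strings are constructed for the example.

```python
def get_binary_value_at(data: bytes, offset: int, length: int) -> bytes:
    """Model of getBinaryValueAt($data, offset, length): `length` bytes from
    zero-based `offset`. A stream shorter than offset+length yields fewer
    bytes, so the equality check below fails instead of raising."""
    return data[offset:offset + length]


def matches_pdf_signature(data: bytes) -> bool:
    """First signature from the post: bytes at offset 0x1..0x3 read 'PDF'."""
    return get_binary_value_at(data, 0x1, 3) == b"PDF"


def matches_pdf_15_signature(data: bytes) -> bool:
    """Second signature: 'PDF' at offset 0x1 and version '1.5' at offset 0x5."""
    return (get_binary_value_at(data, 0x1, 3) == b"PDF"
            and get_binary_value_at(data, 0x5, 3) == b"1.5")


def matches_zip_signature(data: bytes) -> bool:
    """Same technique for a ZIP local file header: 'PK\\x03\\x04' at offset 0.
    (Constructed extra case; the post only names ZIP as the usual target.)"""
    return get_binary_value_at(data, 0x0, 4) == b"PK\x03\x04"


# Constructed sample streams; only the leading bytes matter for these checks.
SAMPLES = {
    "pdf_1_5": b"%PDF-1.5\n%\xe2\xe3\xcf\xd3\n1 0 obj",
    "pdf_1_7": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj",
    "zip":     b"PK\x03\x04\x14\x00\x00\x00\x08\x00",
    "text":    b"PDF is mentioned here, but not at offset 1",
    "short":   b"%P",
}


def evaluate(samples=SAMPLES) -> dict:
    """Run all three checks over every sample; returns {name: (pdf, pdf1.5, zip)}."""
    return {name: (matches_pdf_signature(d),
                   matches_pdf_15_signature(d),
                   matches_zip_signature(d))
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, (pdf, pdf15, zipf) in evaluate().items():
        print(f"{name:8} pdf={pdf} pdf1.5={pdf15} zip={zipf}")
```

Note that the 1.7 sample passes the first signature but not the version-pinned one, so only pin the version if that is really what the policy should key on.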
Link to the customisation document: https://support.symantec.com/en_US/article.DOC9356.html (specifically chapter 3).
Thanks,
Kev