Data Loss Prevention


Data Loss Prevention (DLP) - Create custom file type signature 

Feb 02, 2018 12:09 PM

Data Loss Prevention (DLP) - Create custom file types


Hi,

This article will cover the process that is required to create a custom file type signature in DLP. This is traditionally used for Zip files on Endpoint but can be used for most file types that are not automatically detected by DLP.

In this example, we're going to use a PDF document as a target type. Even though it's already detectable, I thought this was a good example to show how to create an accurate CFTS.

This is something I've had to do a couple of times now; it's proven a very useful toolset.


  1. Install the fileanalyer_windows-x64_4_0_1.exe from C:\[path to installation files]\Symantec_DLP_15.0_Platform_Win-IN_b\DLP\15.0\File_Type_Analyzer
     
  2. Populate a directory that has your training set in. In my case, I have a folder that is populated with a number of CSV documents, plus Word, PDF and Zip.
     
  3. Navigate to c:\Program File\File Analyzer and execute analyzer_gui.exe (there is a console but GUI is easier to demonstrate)
     
  4. You should be shown something like

     
  5. Select the Add Directory button to open an explorer pane and navigate to your Training set.
     
  6. Enter ".*" in the "File Name Filter" section to bring in all documents in your folder - it's regex capable (hence the .* search). If there are documents you don't want to analyse, use the "File Name Filter" option to filter those out using some common regex.
     
  7. Change the "Parser Type" option on the right to ASCII. For this file type, this makes it easier to identify which values you need to use.
     
  8. Select "Analyze Dataset" at the bottom of the tool. It will now decode the files and show you something like below.

  9. As you can see it has a tab for All and every other file type we have Analyzed.
     
  10. As you can see, some of the document types are a little more complicated; for example, the docx and xlsx all look the same and come through as protected XML. However, PDF should have a very simple header: the bytes at offsets 0x1, 0x2 and 0x3 are "P", "D", "F". We're going to use these values to identify our PDF files.
     
  11. For a full description of the code types available to you, see the documents listed here for your version: https://support.symantec.com/en_US/article.DOC9356.html
     
  12. We're going to try and keep this nice and simple. In the Solution pane, enter the following:

    $pdftag=ascii('PDF');
    $pdfbytes=getBinaryValueAt($data, 0x1,3);
    assertTrue($pdftag==$pdfbytes);

     The first line creates a variable called $pdftag that holds the value PDF. This is what we are going to compare against.
     The second line goes to the inbuilt $data variable (the data stream for the file being interrogated) and, starting from offset 0x1 (the second byte), gets the next 3 bytes.
     The last line compares the two values and checks whether they are equal. If they are, it's a positive match; otherwise, the file is ignored.

  13. We could make this more thorough in this example by adding in a specific version of PDF as well. Now the code is looking only for PDFs that have version 1.5.

    $pdftag=ascii('PDF');
    $pdfbytes=getBinaryValueAt($data, 0x1,3);
    assertTrue($pdftag==$pdfbytes);
    $pdfversion=ascii('1.5');
    $pdfversionreal=getBinaryValueAt($data, 0x5,3);
    assertTrue($pdfversion==$pdfversionreal);

  14. Once you have entered your solution code above or something similar, select "Test Solution". This will execute your code against your analyzed dataset and show any Matched Files and Mismatched Files in separate panes. See my example below

     
  15. If you don't get the required results, test, test and re-test. I've linked the documentation that will definitely be helpful in this below.
  16. Now that you have a working solution navigate to your DLP Enforce Server.
  17. Navigate to \SymantecDLP\Protect\config
  18. Find the line "com.vontu.manager.policy.showcustomscriptrule=true" and change its value to true
  19. Restart the Vontu Manager Service
  20. Open your DLP Console and navigate to your policies. Either choose to create a new one or edit an existing one; you should now see the following option: "Custom File Type Signature".
  21. Selecting this will take you to the Edit rule page where you can then enter your solution script from the File Analyzer. As shown below.
  22. Selecting Ok will add this to your policy. 
  23. You now have a working custom file type rule.

Link to customisation document. https://support.symantec.com/en_US/article.DOC9356.html. Specifically chapter 3.

 

Thanks,

Kev
