Detect password-protected zip files on the DLP Endpoint.
Encrypted file-type detection, by default, is performed by the Endpoint Server.
Available Workaround:
Utilize a 'Custom File Type' signature to detect password-protected .zip files on the Endpoint Server and Endpoint Agent.
Here is the script from the Detection Customization Guide:
$pktag=ascii('PK');
$frecord=getHexStringValue('0304');
$pkbytes=getBinaryValueAt($data, 0x0, 2);
assertTrue($pktag == $pkbytes);
$recordbytes=getBinaryValueAt($data, 0x2, 2);
assertTrue($frecord == $recordbytes);
$cryptByte=getBinaryValueAt($data, 0x6, 1);
$encrypted=mod($cryptByte, 2);
assertTrue($encrypted == 1);
Below is an example of using the script.
When using the script above, detection may work for a compressed file but not for a compressed folder. If that happens, try the script without the last three lines:
$pktag=ascii('PK');
$frecord=getHexStringValue('0304');
$pkbytes=getBinaryValueAt($data, 0x0, 2);
assertTrue($pktag == $pkbytes);
$recordbytes=getBinaryValueAt($data, 0x2, 2);
assertTrue($frecord == $recordbytes);
Note that this shortened script detects every zip file, whether it is encrypted or not.
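The following Python is an added example, not part of this article or of the DLP product: it reproduces the signature checks above (bytes 0x0-0x1 'PK', 0x2-0x3 03 04, bit 0 of the general purpose flag byte at 0x6) and shows why the folder case fails. The assumption is that a zipped folder starts with an unencrypted directory entry, so the first local header carries no encryption flag; a second function walks the central directory instead, which catches an encrypted entry wherever it sits. The sample archives are constructed in code; only the header flag bit is set, the payload is not actually encrypted.

```python
import io
import struct
import zipfile


def first_entry_encrypted(data: bytes) -> bool:
    """Same checks as the KB's custom file type script: 'PK' at 0x0,
    record type 03 04 at 0x2, and bit 0 (encryption) of the general
    purpose flag byte at 0x6. Only the first local header is inspected."""
    if len(data) < 7 or data[0:2] != b"PK" or data[2:4] != b"\x03\x04":
        return False
    return data[6] % 2 == 1


def any_entry_encrypted(data: bytes) -> bool:
    """Walk the central directory so an encrypted entry is found even when
    an unencrypted directory entry comes first (the compressed-folder case)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())


def build_sample_zip(names, encrypted_names):
    """Constructed test data: a stored zip built with zipfile, after which the
    encryption flag bit is set on the chosen entries in both the local file
    header and the central directory record (payload is left as-is)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(name, b"" if name.endswith("/") else b"constructed payload")
    data = bytearray(buf.getvalue())
    pos = 0
    while pos + 4 <= len(data):
        sig = bytes(data[pos:pos + 4])
        if sig == b"PK\x03\x04":    # local file header: flag @6, name len @26, name @30
            flag_off, nlen_off, name_off = pos + 6, pos + 26, pos + 30
        elif sig == b"PK\x01\x02":  # central directory record: flag @8, name len @28, name @46
            flag_off, nlen_off, name_off = pos + 8, pos + 28, pos + 46
        else:
            pos += 1
            continue
        nlen = struct.unpack_from("<H", data, nlen_off)[0]
        if bytes(data[name_off:name_off + nlen]).decode() in encrypted_names:
            data[flag_off] |= 0x01  # bit 0 of the general purpose flag = encrypted
        pos = name_off + nlen
    return bytes(data)
```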