You are attempting to detect files by file name when scanned by the Symantec Protection Engine (SPE) product. After adding a file name to Policies > Filtering > Files in the Protection Engine GUI to be blocked the file was successfully detected. However, after adding the same filename to a container such as Example.zip the file is no longer detected.
When scanning inside of container files the full file name path is concatenated and treated as the file name.
Parent.zip #Name of the parent file when scanned.
Parent.zip/Parent/Child1.extension #Name of the first child object when scanned
Parent.zip/Parent/Child1.zip/Child1/Child2.extension #Name of the second child object when scanned.
Symantec Protection Engine will evaluate the top level container as the displayed filename. However, if a container is a child object the filename is concatenated from the whole path and will not be detected.
Symantec Protection supports wildcard characters and is case insensitive.
* zero or more of any character
? any single character
To ensure detection of a specific file name at any container depth an Asterisk should preclude all filenames you wish to detect. This will allow for detection at the top level as Asterisk characters are treated as 0 or more characters.
If you have a filename that has a known length with a changing value such as a numbered object you can leverage the Question mark.
Example: (FileName1234.txt) *filename????.txt
Finally, if you most of a filename but do not know the extension or potentially the full filename you can leverage Asterisk on each side of the file. Keep in mind if the known part is common this could be dangerous.
- Likely Safe: *filename_1234.xl* #This would find .xls, .xlsx, .xlsm extensioned files named filename_1234
- Less Safe: *filename*.xl* #Will find any iteraction of "filename" with a .xl* extension.
- Dangerous: *filename* #If "filename" is common this will find all iterations. Can take unwanted action against some files.
Subscribing will provide email updates when this Article is updated. Login is required.