[squid-users] blocking certain file types by content
markus.bytom.pl at gmail.com
Sun Dec 13 12:31:39 UTC 2015
I'm wondering if it is possible to detect (and block) certain files by
their header/content, like 'MZ' (0d 0a 0d 0a 4d 5a), which is the beginning
of any EXE/DLL file.
I'm trying to protect my internal network against unconsciously
downloading executable files (like malware). All user traffic passes
through our Squid proxy.
What I've already done is:
1. Blocking by URL (url contains \.exe \.dll and other banned extensions)
2. Blocking by the server's response header (MIME type,
Content-Disposition and so on)
But there is still a way to download an executable file when somebody
puts it on a server as e.g. readme.txt. The server's response header in
this case would be 'Content-Type: text/html;'.
So none of the above-mentioned rules would block this file. Of course, a
regular web browser would show this EXE as text, which isn't
dangerous. But we can imagine a dedicated downloader (e.g. a part of
the malware) which can download binary code this way.
So, tell me guys, if there is any solution for this?
I could also use "Snort", but it would be very inflexible (I would
like to have a whitelist of domains).
Even if it's possible, what about performance in a real environment?
Maybe there's a way to analyze only the first bytes of the incoming
If the string 'MZ' is too short, we can also use 'This program cannot
be run in DOS mode' (this string is also part of the EXE header). But
probably the majority of EXE packers can compress it.
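The byte check the post is asking about, as an added example (this is not from the post and not Squid's own code). Squid can hand response bodies to an external adaptation service over ICAP or eCAP, and a service of that kind would run logic like the following over the first few kilobytes of each body; the ICAP plumbing itself is not shown, and the sample bodies below are constructed for illustration. The example assumes the standard PE layout (the `MZ` magic at offset 0 and the `e_lfanew` dword at offset 0x3C giving the offset of the `PE\0\0` signature) and goes a step beyond the post by confirming the PE signature rather than stopping at the two `MZ` bytes, so that text which merely starts with the letters "MZ" is not blocked.

```python
import struct
from typing import Tuple

# Signatures of a Windows PE executable (EXE/DLL) as laid out on disk.
DOS_MAGIC = b"MZ"                      # IMAGE_DOS_HEADER.e_magic at offset 0
E_LFANEW_OFFSET = 0x3C                 # dword giving the offset of the PE header
PE_SIG = b"PE\0\0"                     # IMAGE_NT_HEADERS.Signature
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def sniff_pe(head: bytes) -> str:
    """Classify the leading bytes of a response body.

    Returns "pe" when an MZ header points at a valid PE signature,
    "mz-only" when the body starts with MZ but the PE signature cannot be
    confirmed (sample truncated before e_lfanew, or a plain DOS program),
    and "clean" otherwise. Only the first few KB need to be buffered.
    """
    if head[:2] != DOS_MAGIC:
        return "clean"
    if len(head) < E_LFANEW_OFFSET + 4:
        return "mz-only"
    e_lfanew = struct.unpack_from("<I", head, E_LFANEW_OFFSET)[0]
    if e_lfanew + len(PE_SIG) <= len(head) and head[e_lfanew:e_lfanew + 4] == PE_SIG:
        return "pe"
    return "mz-only"


def has_dos_stub(head: bytes) -> bool:
    """Weaker secondary check: the stock DOS stub message most linkers emit."""
    return DOS_STUB_TEXT in head


def decide(content_type: str, head: bytes) -> Tuple[bool, str]:
    """Block/allow decision for one response.

    The declared Content-Type comes from the server and is therefore
    untrusted; it is only echoed in the reason, never used for the verdict.
    """
    verdict = sniff_pe(head)
    if verdict == "pe":
        return True, f"PE signature confirmed (declared {content_type!r})"
    if verdict == "mz-only" and has_dos_stub(head):
        return True, f"MZ header plus DOS stub text (declared {content_type!r})"
    # A body that merely starts with the letters "MZ" (e.g. text) is allowed:
    # blocking on two bytes alone would produce false positives.
    return False, f"no executable signature (declared {content_type!r})"


def make_sample_pe() -> bytes:
    """Constructed sample: a DOS header whose e_lfanew points at a PE
    signature. Not a runnable program, just the layout sniff_pe checks."""
    e_lfanew = 0x80
    dos_header = bytearray(0x40)
    dos_header[:2] = DOS_MAGIC
    struct.pack_into("<I", dos_header, E_LFANEW_OFFSET, e_lfanew)
    stub = DOS_STUB_TEXT.ljust(e_lfanew - len(dos_header), b"\0")
    return bytes(dos_header) + stub + PE_SIG + b"\0" * 20


if __name__ == "__main__":
    # Constructed sample responses: (declared Content-Type, first bytes of body).
    samples = {
        "readme.txt served as text/html but holding a PE": ("text/html", make_sample_pe()),
        "real text file": ("text/plain", b"Readme: run setup.exe after unpacking\n"),
        "text that happens to start with MZ": ("text/plain", b"MZ stands for Mark Zbikowski\n"),
        "PE sample cut before the PE header": ("application/octet-stream", make_sample_pe()[:0x50]),
    }
    for name, (ctype, body) in samples.items():
        block, reason = decide(ctype, body)
        print(f"{'BLOCK' if block else 'allow':5}  {name}: {reason}")
```

Run it directly to see the four verdicts. The last sample shows the one design trade-off worth noting: if the adaptation service buffers fewer bytes than `e_lfanew` points to, the PE signature cannot be confirmed and the body is allowed through, so the buffer size (a few KB is usually enough for real linkers) decides how reliable the check is, not just the `MZ` prefix.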