[squid-users] blocking certain file types by content

Rafael Akchurin rafael.akchurin at diladele.com
Sun Dec 13 17:09:42 UTC 2015

Hello Markus,

Indeed, you need to have an ICAP server, for example. The one I represent can "look into the first 256 bytes" of the stream to block by real contents, as indicated at http://docs.diladele.com/administrator_guide_4_3/web_filter/policies/blocking_file_downloads.html.

Of course, any other ICAP server will do the same job too.
One possibility is the "greasy spoon icap" server.

Best regards,
Rafael Akchurin
Diladele B.V.

-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Markus
Sent: Sunday, December 13, 2015 1:32 PM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] blocking certain file types by content

I'm wondering if it is possible to detect (and block) certain files by their header/content, like 'MZ' (0d 0a 0d 0a 4d 5a), which is the beginning of any EXE/DLL file.


I'm trying to protect my internal network against unconsciously downloading executable files (like malware). All users' traffic passes through our Squid proxy.

What I've already done is:

1. Blocking by URL (URL contains \.exe, \.dll and other banned extensions)
2. Blocking by the server's response headers (MIME type, Content-Disposition and so on)

But there is still a way to download an executable file when somebody puts it on a server as, e.g., readme.txt. The server's response header would in this case be 'Content-Type: text/html;'.

So none of the above-mentioned rules would block this file. Of course, a regular web browser would show this EXE as text, which isn't dangerous. But we can imagine a dedicated downloader (e.g. part of the malware) which can download binary code this way.

So, tell me guys, is there any solution for this?

I could also use Snort, but it would be very inflexible (I would like to have a whitelist of domains).

Even if it's possible, what about performance in a real environment?
Maybe there's a way to analyze only the first bytes of the incoming stream?


If the string 'MZ' is too short, we can also use 'This program cannot be run in DOS mode' (this string is also part of the EXE header). But probably a majority of EXE packers can compress it.
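The check both posts describe, sniffing the first bytes of the response body rather than trusting the declared Content-Type, as an added example in Python. This is not code from the thread, from Squid, or from any ICAP product mentioned above; it is the classification logic an ICAP response filter would run over the first 256 bytes of the body (the bytes after the 0d 0a 0d 0a header terminator Markus lists). It verifies the 'MZ' signature properly by following e_lfanew to the 'PE\0\0' header, and also implements the weaker 'This program cannot be run in DOS mode' string heuristic so its trade-off is visible. The sample bodies, the SNIFF_WINDOW constant and the function names are constructed for this example.

```python
"""Content-based detection of Windows executables in an HTTP response body.

Added example, not part of the squid-users thread or of any ICAP server
discussed there. Everything below (names, sample bodies, window size) is
an assumption made for illustration.
"""
import struct

SNIFF_WINDOW = 256  # bytes of body an ICAP filter inspects; size taken from the thread
DOS_STUB = b"This program cannot be run in DOS mode"


def is_pe_executable(head: bytes) -> bool:
    """Return True if `head` (first bytes of a body) starts an MZ/PE image.

    Checks the 'MZ' signature, then reads e_lfanew (the little-endian
    32-bit offset of the 'PE\\0\\0' header stored at 0x3c). If that offset
    lies beyond the sniffed window, the MZ signature alone is accepted:
    for a blocking filter, a false positive on a rare DOS-only image is
    the safer error.
    """
    if len(head) < 2 or head[:2] != b"MZ":
        return False
    if len(head) < 0x40:
        return True  # too short to read e_lfanew; MZ alone is enough evidence
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    if e_lfanew + 4 <= len(head):
        return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    return True  # PE header lies outside the window; still an MZ image


def has_dos_stub(head: bytes) -> bool:
    """Secondary heuristic from the thread: the DOS stub message.

    Packers commonly rewrite or compress the stub, so absence proves
    nothing; and any text that merely quotes the sentence also matches,
    which is the false-positive cost of a plain string match.
    """
    return DOS_STUB in head


def classify(content_type: str, body_head: bytes) -> str:
    """Return 'block' or 'allow' using only the first SNIFF_WINDOW bytes.

    `content_type` is accepted so a real filter can log it, but it is
    never trusted: a PE body served as text/html is still blocked.
    """
    head = body_head[:SNIFF_WINDOW]
    if is_pe_executable(head) or has_dos_stub(head):
        return "block"
    return "allow"


def fake_pe(with_stub: bool = True) -> bytes:
    """Constructed sample: a minimal, non-runnable MZ header whose e_lfanew
    points at a 'PE\\0\\0' signature at offset 0x80 (a typical position)."""
    e_lfanew = 0x80
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    stub = DOS_STUB if with_stub else b"\0" * len(DOS_STUB)
    stub = stub.ljust(e_lfanew - len(dos_header), b"\0")
    return dos_header + stub + b"PE\0\0" + b"\0" * 20


# Constructed sample responses: (declared Content-Type, first body bytes)
SAMPLES = {
    "exe renamed to readme.txt": ("text/html", fake_pe()),
    "genuine text file": ("text/plain", b"Hello world\r\n"),
    "packed exe, DOS stub wiped": ("application/octet-stream", fake_pe(with_stub=False)),
    "web page quoting the stub text": ("text/html", b"<p>" + DOS_STUB + b"</p>"),
}

if __name__ == "__main__":
    for name, (ctype, body) in SAMPLES.items():
        print(f"{name:32s} {ctype:26s} -> {classify(ctype, body)}")
```

Run stand-alone, the script shows the renamed and the stub-wiped executables both blocked on the strength of the MZ/PE structure alone, while the web page that merely quotes the stub sentence is also blocked, which is why the string heuristic should be a supplement to the structural check and not a replacement for it. In a deployment, the 256-byte window is what keeps the cost per response small: the filter needs no more of the body than that to make this decision.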