[squid-users] blocking certain file types by content

Rafael Akchurin rafael.akchurin at diladele.com
Sun Dec 13 17:09:42 UTC 2015 

Hello Markus,

Indeed you need to have an ICAP server for example. The one I represent can "look into first 256 bytes" of the stream to block by real contents as indicated on http://docs.diladele.com/administrator_guide_4_3/web_filter/policies/blocking_file_downloads.html.

Of course any other ICAP server will do the same job too.
One possible is "greasy spoon icap" server.

Best regards,
Rafael Akchurin
Diladele B.V.



-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Markus
Sent: Sunday, December 13, 2015 1:32 PM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] blocking certain file types by content

I'm wondering if it is possible to detect (and block) certain files by its header/content  like 'MZ' (0d 0a 0d 0a 4d 5a) which is a beginning of any EXE/DLL file.

Purpose:

I'm trying to protect my internal network against unconsciously downloading executable files (like malware). All users traffic pass through our Squid proxy.

What I've already done is:

1. Blocking by URL (url contains \.exe \.dll and other banned extensions) 2. Blocking by server's response header (MIME-type , Content-Disposition and so on.)

But there is still a way to download an executable file when somebody put it on server as e.g. readme.txt. Server's response header would be in this case 'Content-Type: text/html;'.

So none of above mentioned rules would block this file. Of course, a regular Web browser would show this EXE as text, which isn't dangerous. But we can imagine a dedicated downloader (e.g. a part of the malware) which can download binary code this way.

So, tell me guys, if there is any solution for this?

I could also use "Snort", but it would be very inflexible (I would like to have a whitelist of domains).

even if it's possible, what about performance in real environment?
maybe there's a way to analyze only the first bytes of the incoming stream?

greetings
Markus

PS
----
if the string 'MZ' is too short, we can also use 'This program cannot be run in DOS mode' (this string is also part of EXE header). But probably a majority of exe packers can compress it.
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list