[squid-users] blocking certain file types by content

Markus markus.bytom.pl at gmail.com
Sun Dec 13 20:22:20 UTC 2015

thanks for your help guys. I suspected that ICAP will be necessary.
but I thought that even ICAP checks it only by the file extension or
by server response (mime-type). Surprisingly Diladele is able to check
the first bytes of file content, which is exactly what I wanted.
On the other hand I don't want to check exe files by external AV for 2 reasons
1. I don't believe in its effectiveness :)
2. each user has an comercial AV on his PC
As I said in the first post - I already block exe files by squid ACL.
Now I'm afraid that some malware software can get through web/http by
omitting this ACL (will be downloaded as jpg).

thanks. Now I have to read more about available ICAP servers :)

On Sun, Dec 13, 2015 at 7:32 PM, Yuri Voinov <yvoinov at gmail.com> wrote:
> Hash: SHA256
> For malware checking we have two working (and performance) solutions:
> http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP
> http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/eCAP
> No need to block any and all executables in the world. Just enough to
> check it with AV-engine. ;)
> 13.12.15 18:31, Markus пишет:
>> I'm wondering if it is possible to detect (and block) certain files by
>> its header/content  like 'MZ' (0d 0a 0d 0a 4d 5a) which is a beginning
>> of any EXE/DLL file.
>> Purpose:
>> I'm trying to protect my internal network against unconsciously
>> downloading executable files (like malware). All users traffic pass
>> through our Squid proxy.
>> What I've already done is:
>> 1. Blocking by URL (url contains \.exe \.dll and other banned extensions)
>> 2. Blocking by server's response header (MIME-type ,
>> Content-Disposition and so on.)
>> But there is still a way to download an executable file when somebody
>> put it on server as e.g. readme.txt. Server's response header would be
>> in this case 'Content-Type: text/html;'.
>> So none of above mentioned rules would block this file. Of course, a
>> regular Web browser would show this EXE as text, which isn't
>> dangerous. But we can imagine a dedicated downloader (e.g. a part of
>> the malware) which can download binary code this way.
>> So, tell me guys, if there is any solution for this?
>> I could also use "Snort", but it would be very inflexible (I would
>> like to have a whitelist of domains).
>> even if it's possible, what about performance in real environment?
>> maybe there's a way to analyze only the first bytes of the incoming
>> stream?
>> greetings
>> Markus
>> PS
>> ----
>> if the string 'MZ' is too short, we can also use 'This program cannot
>> be run in DOS mode' (this string is also part of EXE header). But
>> probably a majority of exe packers can compress it.
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
> Version: GnuPG v2
> x3QUJkBytBt+b5UaUNLjf4lod2DlgT2npSXAZGoSynJkbPgKsPGfoRbKYtu88y4R
> 0PYx2OKlZjJu6fA2P6vX8CjfTTm4ZsSf960KjptWCdUEVFsVHGBEQZ5zTg5qcnmW
> MKIdSWbuDUfgFerQyLHbdsWcLL+fBicas87iYidSInFOZ+keFYmf+MsEb1LNalI=
> =nvsX
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list