[squid-users] blocking certain file types by content

Yuri Voinov yvoinov at gmail.com
Sun Dec 13 20:47:12 UTC 2015 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
 
Finally,

14.12.15 2:22, Markus пишет:
> hi,
> thanks for your help guys. I suspected that ICAP will be necessary.
> but I thought that even ICAP checks it only by the file extension or
> by server response (mime-type). Surprisingly Diladele is able to check

Think more. ALL ICAP solutions checks content. Diladele is not only
solution which checks content.

> the first bytes of file content, which is exactly what I wanted.
> On the other hand I don't want to check exe files by external AV for 2
reasons
> 1. I don't believe in its effectiveness :)
> 2. each user has an comercial AV on his PC

You need to learn - not all commercial anti-virus software detects all.
And vice versa. Therefore, even if an external antivirus control reduces
the probability of malware  penetration just twice - it should be used.

Also, remember one thing. Caching Proxy can be infected - and then you
get a large-scale epidemic, regardless used on the client computer
antivirus software or not.

I have encountered similar situations in the past and they usually lead
to large-scale network failures.

> As I said in the first post - I already block exe files by squid ACL.

You really think executable files can have only known extension?

> Now I'm afraid that some malware software can get through web/http by
> omitting this ACL (will be downloaded as jpg).

Sure. That is why you will be forced to use only one really existing
solution.

>
> thanks. Now I have to read more about available ICAP servers :)
>
> On Sun, Dec 13, 2015 at 7:32 PM, Yuri Voinov <yvoinov at gmail.com> wrote:
>>
> For malware checking we have two working (and performance) solutions:
>
> http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP
> http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/eCAP
>
> No need to block any and all executables in the world. Just enough to
> check it with AV-engine. ;)
>
> 13.12.15 18:31, Markus пишет:
> >>> I'm wondering if it is possible to detect (and block) certain files by
> >>> its header/content  like 'MZ' (0d 0a 0d 0a 4d 5a) which is a beginning
> >>> of any EXE/DLL file.
> >>>
> >>> Purpose:
> >>>
> >>> I'm trying to protect my internal network against unconsciously
> >>> downloading executable files (like malware). All users traffic pass
> >>> through our Squid proxy.
> >>>
> >>> What I've already done is:
> >>>
> >>> 1. Blocking by URL (url contains \.exe \.dll and other banned
extensions)
> >>> 2. Blocking by server's response header (MIME-type ,
> >>> Content-Disposition and so on.)
> >>>
> >>> But there is still a way to download an executable file when somebody
> >>> put it on server as e.g. readme.txt. Server's response header would be
> >>> in this case 'Content-Type: text/html;'.
> >>>
> >>> So none of above mentioned rules would block this file. Of course, a
> >>> regular Web browser would show this EXE as text, which isn't
> >>> dangerous. But we can imagine a dedicated downloader (e.g. a part of
> >>> the malware) which can download binary code this way.
> >>>
> >>> So, tell me guys, if there is any solution for this?
> >>>
> >>> I could also use "Snort", but it would be very inflexible (I would
> >>> like to have a whitelist of domains).
> >>>
> >>> even if it's possible, what about performance in real environment?
> >>> maybe there's a way to analyze only the first bytes of the incoming
> >>> stream?
> >>>
> >>> greetings
> >>> Markus
> >>>
> >>> PS
> >>> ----
> >>> if the string 'MZ' is too short, we can also use 'This program cannot
> >>> be run in DOS mode' (this string is also part of EXE header). But
> >>> probably a majority of exe packers can compress it.
> >>> _______________________________________________
> >>> squid-users mailing list
> >>> squid-users at lists.squid-cache.org
> >>> http://lists.squid-cache.org/listinfo/squid-users
>
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQEcBAEBCAAGBQJWbdlQAAoJENNXIZxhPexGJTUH/2DC/xG9EsI5oR0VHJsKuoid
2gYed3/wEq1uA2VJCZVe2Cbnr9mEkA25Kg6xEUoMUVNGI8zRGimt1BSiXk5HK+7G
P0B588oY3R5TpgwwREmF6ZKnqgX6X0weORM2QzEwS0K/FiWOY05LJ4XoX32lqIfq
fYokJ2MCtgvRFtXA7vKxokHA5IyG5xgKf4fYfDnXY2wN+yCaYj2GqACpzfNzn9xn
Zbiqf1DH0S5hIEac5n1Z5oPmEjcEUgVlkeJ8i8nCCIdsinBAhYVC9TCK9ZDJymuF
1IkBHHJAyj5UoJHOB2k1Nkihx4faRfdLc2rTcNkzXvT34kXjUbXFfvEkz0UYUkU=
=fk/o
-----END PGP SIGNATURE-----

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20151214/1174d5b5/attachment-0001.html>

More information about the squid-users mailing list