[squid-users] blocking certain file types by content

Markus markus.bytom.pl at gmail.com
Sun Dec 13 21:39:19 UTC 2015


Yuri Voinov wrote:

> Think more. ALL ICAP solutions check content. Diladele is not the only solution which checks content.
[...]

> You really think executable files can have only known extension?


My way of thinking was like this:
instead of testing each .exe or .zip file with AV, better to block it out
(except for whitelisted domains), because testing with AV needs CPU/RAM.
But as we already established - executables can be downloaded as JPG
/TXT or whatever. If so - AV only makes sense if we test every kind of
extension/stream. Right?

Let's consider such a possible case:

Here we have putty.exe (without a virus ;-) ), but saved as a txt file:

http://6web.pl/~mserafin/putty.txt

Now we can just download it and change the extension to exe. My question is -
can ICAP-Clamav detect that it's a Windows executable and block it
(even without testing against viruses)?

And here a more complicated case:

http://6web.pl/~mserafin/putty_zip.txt   (it's a regular ZIP file with
putty.exe inside)


Can ICAP-Clamav deal with it?

thx!
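
The two cases above (an executable served as .txt, and a ZIP that contains one), as an added example that is not part of the original thread: a content-only classifier that ignores URL, extension and Content-Type, checks the 'MZ' stub together with the 'PE\0\0' signature at e_lfanew so that a bare 'MZ' alone is not enough, and opens ZIP members to look for a PE inside. The PE_STUB and TEXT_SAMPLE inputs are constructed stubs, not real PuTTY binaries, and wiring classify() into an ICAP service is assumed to happen elsewhere.

```python
import io
import struct
import zipfile

# Constructed samples (not real binaries): a PE-shaped stub and a plain text file.
PE_STUB = bytearray(b"MZ" + b"\0" * 62)            # 64-byte DOS header starting with 'MZ'
struct.pack_into("<I", PE_STUB, 0x3C, 0x80)        # e_lfanew: offset of the PE signature
PE_STUB += b"\0" * (0x80 - len(PE_STUB)) + b"PE\0\0" + b"\0" * 20
PE_STUB = bytes(PE_STUB)
TEXT_SAMPLE = b"Just a readme. Nothing to see here.\n"


def is_pe(data: bytes) -> bool:
    """True if data looks like a Windows PE image: 'MZ' at offset 0 and 'PE\\0\\0'
    at e_lfanew. Only the first e_lfanew+4 bytes are needed, so a stream prefix is enough;
    a prefix that is cut before e_lfanew is reported as not-PE (fails open, by design here)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(data: bytes) -> str:
    """Label a response body by content alone, ignoring URL, extension and Content-Type."""
    if is_pe(data):
        return "pe"
    if data[:4] != b"PK\x03\x04":                   # ZIP local file header signature
        return "other"
    # A ZIP needs the whole body (the central directory is at the end), not just a prefix.
    # Read only a bounded slice of each member so a hostile archive cannot exhaust memory.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as member:
                    if is_pe(member.read(4096)):
                        return "zip-with-pe"
    except zipfile.BadZipFile:
        return "other"
    return "zip"


def make_zip(name: str, payload: bytes) -> bytes:
    """Constructed archive with one member, e.g. putty.exe inside a file served as .txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()
```

Nested archives and packers that rewrite the DOS stub are outside what this check sees; it answers only the question asked above, whether the bytes are a PE or a ZIP carrying one.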

On Sun, Dec 13, 2015 at 9:47 PM, Yuri Voinov <yvoinov at gmail.com> wrote:
>
> Finally,
>
> 14.12.15 2:22, Markus writes:
>> hi,
>> thanks for your help guys. I suspected that ICAP will be necessary.
>> but I thought that even ICAP checks it only by the file extension or
>> by server response (mime-type). Surprisingly Diladele is able to check
>
> Think more. ALL ICAP solutions check content. Diladele is not the only solution
> which checks content.
>
>> the first bytes of file content, which is exactly what I wanted.
>> On the other hand I don't want to check exe files by external AV for 2
>> reasons
>> 1. I don't believe in its effectiveness :)
>> 2. each user has an comercial AV on his PC
>
> You need to learn - not all commercial anti-virus software detects all. And
> vice versa. Therefore, even if an external antivirus control reduces the
> probability of malware penetration just twice - it should be used.
>
> Also, remember one thing. A caching proxy can be infected - and then you get a
> large-scale epidemic, regardless of whether antivirus software is used on the
> client computer or not.
>
> I have encountered similar situations in the past and they usually lead to
> large-scale network failures.
>
>> As I said in the first post - I already block exe files by squid ACL.
>
> You really think executable files can have only known extension?
>
>> Now I'm afraid that some malware software can get through web/http by
>> omitting this ACL (will be downloaded as jpg).
>
> Sure. That is why you will be forced to use only one really existing
> solution.
>
>>
>> thanks. Now I have to read more about available ICAP servers :)
>>
>> On Sun, Dec 13, 2015 at 7:32 PM, Yuri Voinov <yvoinov at gmail.com> wrote:
>>>
>> For malware checking we have two working (and performant) solutions:
>>
>> http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP
>> http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/eCAP
>>
>> No need to block any and all executables in the world. Just enough to
>> check it with AV-engine. ;)
>>
>> 13.12.15 18:31, Markus writes:
>> >>> I'm wondering if it is possible to detect (and block) certain files by
>> >>> their header/content, like 'MZ' (0d 0a 0d 0a 4d 5a), which is the beginning
>> >>> of any EXE/DLL file.
>> >>>
>> >>> Purpose:
>> >>>
>> >>> I'm trying to protect my internal network against unconsciously
>> >>> downloading executable files (like malware). All users' traffic passes
>> >>> through our Squid proxy.
>> >>>
>> >>> What I've already done is:
>> >>>
>> >>> 1. Blocking by URL (url contains \.exe \.dll and other banned
>> >>> extensions)
>> >>> 2. Blocking by server's response header (MIME-type ,
>> >>> Content-Disposition and so on.)
>> >>>
>> >>> But there is still a way to download an executable file when somebody
>> >>> puts it on a server as e.g. readme.txt. The server's response header would
>> >>> in this case be 'Content-Type: text/html;'.
>> >>>
>> >>> So none of the above-mentioned rules would block this file. Of course, a
>> >>> regular web browser would show this EXE as text, which isn't
>> >>> dangerous. But we can imagine a dedicated downloader (e.g. a part of
>> >>> the malware) which can download binary code this way.
>> >>>
>> >>> So, tell me guys, if there is any solution for this?
>> >>>
>> >>> I could also use "Snort", but it would be very inflexible (I would
>> >>> like to have a whitelist of domains).
>> >>>
>> >>> Even if it's possible, what about performance in a real environment?
>> >>> Maybe there's a way to analyze only the first bytes of the incoming
>> >>> stream?
>> >>>
>> >>> greetings
>> >>> Markus
>> >>>
>> >>> PS
>> >>> ----
>> >>> if the string 'MZ' is too short, we can also use 'This program cannot
>> >>> be run in DOS mode' (this string is also part of EXE header). But
>> >>> probably a majority of exe packers can compress it.
>> >>> _______________________________________________
>> >>> squid-users mailing list
>> >>> squid-users at lists.squid-cache.org
>> >>> http://lists.squid-cache.org/listinfo/squid-users
>>
>
>
>
>
>

