<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
-----BEGIN PGP SIGNED MESSAGE----- <br>
Hash: SHA256 <br>
<br>
<br>
<br>
14.12.15 2:22, Markus wrote:<br>
<span style="white-space: pre;">> hi,<br>
> thanks for your help guys. I suspected that ICAP would be necessary.<br>
> But I thought that even ICAP checks it only by the file extension or<br>
> by the server response (MIME type). Surprisingly, Diladele is able to check<br>
> the first bytes of the file content, which is exactly what I wanted.</span><br>
<br>
The ICAP-ClamAV solution does the same. You can adjust it as you wish.<br>
<br>
<span style="white-space: pre;">> On the other hand, I don't want to check exe files with an external AV, for 2 reasons:<br>
> 1. I don't believe in its effectiveness :)</span><br>
Faith is not an option. Several years of practical use have proved their
effectiveness. Of course, a matter of personal faith can deny personal
experience.<br>
<br>
<span style="white-space: pre;">> 2. each user has a commercial AV on his PC</span><br>
<br>
So what? This does not preclude the need to filter Internet
content. Practice shows that one does not exclude the other.<br>
<br>
<span style="white-space: pre;">> As I said in the first post, I already block exe files with a Squid ACL.<br>
> Now I'm afraid that some malware can get through web/http by<br>
> bypassing this ACL (it will be downloaded as a jpg).</span><br>
<br>
That is exactly what ICAP/eCAP solutions are used for.<br>
<br>
<span style="white-space: pre;">><br>
> thanks. Now I have to read more about available ICAP servers :)<br>
><br>
> On Sun, Dec 13, 2015 at 7:32 PM, Yuri Voinov <a class="moz-txt-link-rfc2396E" href="mailto:yvoinov@gmail.com">&lt;yvoinov@gmail.com&gt;</a> wrote:<br>
>><br>
> For malware checking we have two working (and performant) solutions:<br>
><br>
> <a class="moz-txt-link-freetext" href="http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP">http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP</a><br>
> <a class="moz-txt-link-freetext" href="http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/eCAP">http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/eCAP</a><br>
><br>
> There is no need to block any and all executables in the world. It is enough to<br>
> check them with an AV engine. ;)<br>
><br>
> 13.12.15 18:31, Markus wrote:<br>
> >>> I'm wondering if it is possible to detect (and block) certain files by<br>
> >>> their header/content, like 'MZ' (0d 0a 0d 0a 4d 5a), which is the beginning<br>
> >>> of any EXE/DLL file.<br>
> >>><br>
> >>> Purpose:<br>
> >>><br>
> >>> I'm trying to protect my internal network against unconsciously<br>
> >>> downloading executable files (like malware). All users' traffic passes<br>
> >>> through our Squid proxy.<br>
> >>><br>
> >>> What I've already done is:<br>
> >>><br>
> >>> 1. Blocking by URL (URL contains \.exe, \.dll and other banned extensions)<br>
> >>> 2. Blocking by the server's response headers (MIME type,<br>
> >>> Content-Disposition and so on.)<br>
> >>><br>
> >>> But there is still a way to download an executable file when somebody<br>
> >>> puts it on a server as e.g. readme.txt. The server's response header would<br>
> >>> in this case be 'Content-Type: text/html;'.<br>
> >>><br>
> >>> So none of the above-mentioned rules would block this file. Of course, a<br>
> >>> regular Web browser would show this EXE as text, which isn't<br>
> >>> dangerous. But we can imagine a dedicated downloader (e.g. a part of<br>
> >>> the malware) which can download binary code this way.<br>
> >>><br>
> >>> So, tell me guys, is there any solution for this?<br>
> >>><br>
> >>> I could also use "Snort", but it would be very inflexible (I would<br>
> >>> like to have a whitelist of domains).<br>
> >>><br>
> >>> Even if it's possible, what about performance in a real environment?<br>
> >>> Maybe there's a way to analyze only the first bytes of the incoming<br>
> >>> stream?<br>
> >>><br>
> >>> greetings<br>
> >>> Markus<br>
> >>><br>
> >>> PS<br>
> >>> ----<br>
> >>> If the string 'MZ' is too short, we can also use 'This program cannot<br>
> >>> be run in DOS mode' (this string is also part of the EXE header). But<br>
> >>> probably a majority of exe packers can compress it.<br>
> >>> _______________________________________________<br>
> >>> squid-users mailing list<br>
> >>> <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> >>>
<a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</span><br>
<br>
-----BEGIN PGP SIGNATURE-----
<br>
Version: GnuPG v2
<br>
<br>
iQEcBAEBCAAGBQJWbdeOAAoJENNXIZxhPexGV2gIAM0nXZAMeD2QNuGaU3i5outm
<br>
rDWOhVbSglJwZU+2TX+Wr/mg23zyTEMZDvWGWmnatwgOeFF6VRiZBhkAwfxSZxd0
<br>
c2CSIXLEU+XtSswy02FONzBakjXsuPlR+WwwvadlextCTeMejS0uTDiAEKhtaS3+
<br>
S8pjlVl1bbGYDvhNoDp0E1Koq8/r69dzxs0mZE1p23gRPcQ2skadyjwpxn8Om88x
<br>
gF1J2Vy2JjcTM15ZmM8VkDxwXb9XVmxCCdunOMHm5yxWyLkAd6jlzqVX8IYDJdMX
<br>
8jr+B3mNkd4ZkU8Cp6rJ37jJsuowplYO/DGHWzgAS3csUp6occBu6VizGIjZn+0=
<br>
=6vxB
<br>
-----END PGP SIGNATURE-----
<br>
<br>
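<br>
An added example, not code from this thread nor from Squid, c-icap, eCAP or Diladele: a Python sketch of the "check only the first bytes of the incoming stream" idea discussed above. It classifies a response-body prefix by its magic bytes; for the 'MZ' case it does not stop at the two letters but follows the e_lfanew pointer at offset 0x3C and requires the 'PE\0\0' signature there, falling back to the 'This program cannot be run in DOS mode' string only when the preview is cut before the PE header. It goes one step beyond the thread by also recognising ELF. The decide() policy, the host whitelist, the hostnames and the sample bodies are all assumptions constructed for the example; in a real deployment the preview bytes would come from an ICAP RESPMOD or eCAP adapter.<br>
<br>
```python
"""Sniff the first bytes of an HTTP response body for executable headers.

Added example for the squid-users thread above; not code from Squid, c-icap,
eCAP or Diladele. The samples below are constructed, not real downloads.
"""
import struct

DOS_STUB_STRING = b"This program cannot be run in DOS mode"
PE_SIGNATURE = b"PE\x00\x00"
E_LFANEW_OFFSET = 0x3C  # 32-bit LE pointer to the PE header inside the DOS header


def classify_prefix(prefix: bytes) -> str:
    """Classify a body prefix as 'pe', 'mz-unverified', 'elf' or 'other'.

    'MZ' alone is two ASCII letters and not proof of an executable, so the
    function follows e_lfanew and requires 'PE\\0\\0' at that offset.
    """
    if prefix.startswith(b"\x7fELF"):
        return "elf"
    if not prefix.startswith(b"MZ"):
        return "other"
    if len(prefix) < E_LFANEW_OFFSET + 4:
        return "mz-unverified"  # preview too short to even read e_lfanew
    (e_lfanew,) = struct.unpack_from("<I", prefix, E_LFANEW_OFFSET)
    if e_lfanew + 4 <= len(prefix) and prefix[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
        return "pe"
    return "mz-unverified"  # MZ, but no PE signature reachable in the preview


def decide(host: str, content_type: str, prefix: bytes, allowed_hosts=frozenset()):
    """Hypothetical policy: return (block, reason).

    The declared Content-Type is only echoed in the reason; the decision is
    made from the body bytes, because the header is under the server's control.
    """
    if host in allowed_hosts:
        return False, f"host {host} is whitelisted"
    kind = classify_prefix(prefix)
    if kind in ("pe", "elf"):
        return True, f"{kind} header in body, declared {content_type}"
    if kind == "mz-unverified" and DOS_STUB_STRING in prefix:
        return True, f"MZ plus DOS stub string in body, declared {content_type}"
    return False, f"no executable signature in first {len(prefix)} bytes"


def build_fake_pe(stub: bytes = b"") -> bytes:
    """Constructed minimal PE-like blob: 64-byte DOS header, optional stub,
    then 'PE\\0\\0' at the offset stored in e_lfanew. Not a runnable binary."""
    header = bytearray(E_LFANEW_OFFSET + 4)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, E_LFANEW_OFFSET, len(header) + len(stub))
    return bytes(header) + stub + PE_SIGNATURE + b"\x00" * 20


# Constructed sample downloads: (declared Content-Type, first bytes of body)
SAMPLES = {
    # the readme.txt trick from the thread: text/html header, PE body
    "readme.txt": ("text/html", build_fake_pe()),
    # same trick with a 104-byte preview cut before the PE header; the DOS stub
    # string still sits inside the preview and gives it away
    "photo.jpg": ("image/jpeg", build_fake_pe(DOS_STUB_STRING + b"\r\n$")[:104]),
    # harmless text that merely starts with the letters MZ
    "report.txt": ("text/plain", b"MZ Motors annual report " * 5),
    "index.html": ("text/html", b"hello, this really is an ordinary web page"),
    # a Linux binary served as a generic octet stream
    "tool": ("application/octet-stream", b"\x7fELF\x02\x01\x01" + b"\x00" * 57),
}


def scan_samples(allowed_hosts=frozenset()):
    """Run decide() over SAMPLES as if they all came from one assumed host."""
    return {
        name: decide("downloads.example.com", ctype, body, allowed_hosts)[0]
        for name, (ctype, body) in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (ctype, body) in SAMPLES.items():
        block, reason = decide("downloads.example.com", ctype, body)
        print(f"{name:12} {classify_prefix(body):14} block={block!s:5} {reason}")
```
<br>
The ordering matters: report.txt starts with the letters MZ but its bytes at 0x3C do not point at a reachable PE signature and it carries no DOS stub string, so it passes, while readme.txt is blocked although the server declared text/html. The photo.jpg case shows the practical limit of a preview: if the preview window ends before e_lfanew's target, only the stub string is left to go on, so the preview size configured in the ICAP/eCAP adapter needs to comfortably cover the DOS header and stub.<br>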
</body>
</html>