[squid-users] blocking certain file types by content

Yuri Voinov yvoinov at gmail.com
Sun Dec 13 18:32:55 UTC 2015


For malware checking we have two working (and performant) solutions:

http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP
http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/eCAP

No need to block any and all executables in the world. It's enough to
check them with an AV engine. ;)

13.12.15 18:31, Markus writes:
> I'm wondering if it is possible to detect (and block) certain files by
> their header/content like 'MZ' (0d 0a 0d 0a 4d 5a) which is the beginning
> of any EXE/DLL file.
>
> Purpose:
>
> I'm trying to protect my internal network against unconsciously
> downloading executable files (like malware). All users' traffic passes
> through our Squid proxy.
>
> What I've already done is:
>
> 1. Blocking by URL (url contains \.exe \.dll and other banned extensions)
> 2. Blocking by server's response header (MIME-type ,
> Content-Disposition and so on.)
>
> But there is still a way to download an executable file when somebody
> put it on server as e.g. readme.txt. Server's response header would be
> in this case 'Content-Type: text/html;'.
>
> So none of above mentioned rules would block this file. Of course, a
> regular Web browser would show this EXE as text, which isn't
> dangerous. But we can imagine a dedicated downloader (e.g. a part of
> the malware) which can download binary code this way.
>
> So, tell me guys, if there is any solution for this?
>
> I could also use "Snort", but it would be very inflexible (I would
> like to have a whitelist of domains).
>
> Even if it's possible, what about performance in a real environment?
> Maybe there's a way to analyze only the first bytes of the incoming
> stream?
>
> greetings
> Markus
>
> PS
> ----
> if the string 'MZ' is too short, we can also use 'This program cannot
> be run in DOS mode' (this string is also part of EXE header). But
> probably a majority of exe packers can compress it.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

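An added illustration of what "analyze only the first bytes of the incoming stream" amounts to for the PE case Markus describes; this is example code, not part of the thread and not Squid, c-icap or eCAP code. It ignores the server's Content-Type entirely and looks only at a small prefix of the body: the 'MZ' magic, the 32-bit little-endian e_lfanew field at offset 0x3C, and the 'PE\0\0' signature that e_lfanew points at. Two bytes alone are not proof of anything (a text file can start with "MZ"), which is why the classifier returns separate verdicts for "MZ plus a valid PE signature" and "MZ only"; if e_lfanew points past the sniffed window, it honestly reports that a prefix-only check cannot decide. The sample inputs (SAMPLE_PE, SAMPLE_TEXT_MZ, SAMPLE_HTML) are constructed here and the function and constant names are assumptions; in a real deployment this logic would live in an ICAP/eCAP service of the kind Yuri links, as a cheap triage in front of a real AV engine, not as a replacement for it.

```python
import struct

# Number of leading bytes to inspect. Real PE files normally place the PE
# header well inside the first 1 KiB, so a small window covers the common
# case without buffering whole responses. (Assumed tuning value.)
SNIFF_WINDOW = 1024
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def classify_prefix(prefix: bytes) -> str:
    """Classify a response body by its leading bytes, ignoring Content-Type.

    Returns one of:
      'pe-executable' : 'MZ' magic and 'PE\\0\\0' found at e_lfanew
      'mz-only'       : 'MZ' magic but no PE signature (a DOS-era binary,
                        or text that merely starts with the letters MZ)
      'indeterminate' : 'MZ' magic, but e_lfanew points outside the window,
                        so a prefix-only check cannot decide
      'not-executable': anything else
    """
    prefix = prefix[:SNIFF_WINDOW]
    if len(prefix) < 2 or prefix[:2] != b"MZ":
        return "not-executable"
    if len(prefix) < 0x40:
        # Too short to even hold the DOS header that carries e_lfanew.
        return "mz-only"
    # e_lfanew: little-endian uint32 at 0x3C, offset of the PE header.
    (e_lfanew,) = struct.unpack_from("<I", prefix, 0x3C)
    if e_lfanew < 0x40 or e_lfanew + 4 > len(prefix):
        # Overlaps the DOS header (nonsense) or lies beyond what we sniffed.
        return "indeterminate" if e_lfanew >= 0x40 else "mz-only"
    if prefix[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        return "pe-executable"
    return "mz-only"


def has_dos_stub_text(prefix: bytes) -> bool:
    """Weaker secondary signal: the DOS stub message Markus mentions.
    Packers frequently strip or alter it, so it is a hint, not a verdict."""
    return DOS_STUB_TEXT in prefix[:SNIFF_WINDOW]


def should_block(content_type: str, body_prefix: bytes) -> bool:
    """Policy hook: block on content evidence alone. The Content-Type is
    accepted as a parameter only to show that it plays no role here."""
    return classify_prefix(body_prefix) == "pe-executable"


def build_sample_pe_prefix(pe_offset: int = 0x80) -> bytes:
    """Constructed sample: a minimal MZ header whose e_lfanew points at a
    'PE\\0\\0' signature. Not a real program; only the header fields the
    classifier reads are populated."""
    hdr = bytearray(max(0x80, min(pe_offset, 0x80)))
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, pe_offset)
    stub = DOS_STUB_TEXT + b".\r\r\n$"
    hdr[0x40:0x40 + len(stub)] = stub
    if pe_offset > len(hdr):
        # e_lfanew beyond the returned prefix: simulates a PE header that
        # sits past the sniff window.
        return bytes(hdr)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample inputs (not captured traffic).
SAMPLE_PE = build_sample_pe_prefix()
SAMPLE_FAR_PE = build_sample_pe_prefix(pe_offset=0x2000)
SAMPLE_TEXT_MZ = b"MZ: two bytes are not proof of an executable.\n"
SAMPLE_HTML = b"<!DOCTYPE html><html><body>readme</body></html>"


if __name__ == "__main__":
    for name, blob in (("pe", SAMPLE_PE), ("far-pe", SAMPLE_FAR_PE),
                       ("mz-text", SAMPLE_TEXT_MZ), ("html", SAMPLE_HTML)):
        print(f"{name:8s} {classify_prefix(blob):15s} "
              f"block={should_block('text/html', blob)} "
              f"stub={has_dos_stub_text(blob)}")
```

The point of the four verdicts is the performance trade-off Markus asks about: reading a fixed prefix is cheap and catches the overwhelmingly common layout, but the 'indeterminate' case shows why a bounded sniff is a triage step and why the full-body scan by an AV engine behind ICAP/eCAP remains the authoritative check.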