support.bnl
Level 7

Blocking .com extension mime files but not .txt files?

Hi All.

We are using Web Gateway 7.1 and would like to block all executables, including .com files.

We see that the gateway does not have .com in the application category list.

Currently I have the rule below set for "Requests", "Responses" and "Embedded Objects":

MediaType.FromFileExtension contains .com

OR

MediaType.FromFileExtension contains application/octet-stream

OR

MediaType.FromFileExtension contains text/plain

That is working fine and blocks .com files,

BUT

a .txt file also has a text/plain MIME type, and these are now blocked as well.

So the question is:

Is it possible to block .com files but not .txt files?

-> Extra info

I tried Google and searching the KB but did not find anything.

8 Replies
hbajaj
Level 9

Re: Blocking .com extension mime files but not .txt files?

You can try adding an exception for .txt files by using the property "MediaType.FromFileExtension" >> contains >> .txt.

You can either create this exception as the very top rule in the rule set with the action "Stop Rule Set", or put it in the rule set criteria itself with an "And" function.

support.bnl
Level 7

Re: Blocking .com extension mime files but not .txt files?

Yes, I considered that, but that would not stop .com files renamed to .txt files.

But I fear that it is the only solution.

hbajaj
Level 9

Re: Blocking .com extension mime files but not .txt files?

For that we can add one more property, MediaType.MagicBytesMismatch, in conjunction with MediaType.FromFileExtension ("And" function in the same rule criteria).

MediaType.MagicBytesMismatch is a Boolean type, and below is the description:

If true, the media type specified in the header sent with the media does not match the type that was found on the appliance by examining the magic bytes actually contained in the media.

This will ensure that if someone renames the file to .txt, the magic bytes mismatch in the same rule criteria will not allow it to pass through.

alexott
Level 11

Re: Blocking .com extension mime files but not .txt files?

Hi

This is just for clarification...

In general, reliable detection of .com files isn't possible without performance degradation. This is because a .com file is just a set of bytes that is loaded into memory at a specific address, and sometimes they can look like a normal text file. For normal text files we perform some kind of character frequency analysis to distinguish them from binary files.

From my experience I can say that the rules above could produce a lot of false positives, for example matching binary content in MS Office files, or something similar.

P.S. Do we have any modern malware in the .com format? I thought that they had all ceased to exist.

support.bnl
Level 7

Re: Blocking .com extension mime files but not .txt files?

@alexott

You say it is only possible with performance degradation, but is it possible? Please share.

@Heena Bajaj

I am trying the exception, but it is not giving the correct results.

alexott
Level 11

Re: Blocking .com extension mime files but not .txt files?

I was talking about a theoretical possibility, not an existing implementation...

What is the real need for blocking .com files? Most of the .com files that I found in Windows are standard MZ-format executables.

You can try to write a rule like: if MediaType.EnsuredTypes is not equal to MediaType.FromExtension, then block. It will block all files whose media types do not match the given file extension. Or you can use MediaType.MagicBytesMismatch to check the detected MIME type against the MIME type sent by the server.

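To make the interaction of the properties discussed in the two replies above concrete, here is an added Python model. It is not the Web Gateway's code and was not posted by anyone in this thread; it only imitates the three checks under discussion: MediaType.FromFileExtension, the magic-byte based MediaType.EnsuredTypes, and MediaType.MagicBytesMismatch, evaluated in the order recommended in the thread (mismatch check first, then the .txt whitelist with "Stop Rule Set", then the original block rule). The signature table, the extension map, the 95% printable-byte threshold standing in for the appliance's character-frequency analysis, and every sample input are constructed assumptions. It shows a genuine .txt passing, a .com being blocked, an MZ-format .com renamed to .txt being caught by the mismatch check, and, as alexott warns, a raw-binary .com whose bytes happen to be printable slipping through as text/plain.

```python
from __future__ import annotations

import string

# Constructed signature table; the appliance's own media-type catalogue is far larger.
MAGIC_SIGNATURES = [
    (b"MZ", "application/x-dosexec"),        # MZ/PE executables; most .com files in Windows are MZ
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),      # zip containers, including OOXML Office files
    (b"\x89PNG\r\n\x1a\n", "image/png"),
]

# Constructed extension map. ".com" is deliberately absent, mirroring the thread's
# observation that the catalogue has no .com entry, so it falls back to octet-stream.
EXTENSION_TYPES = {
    ".txt": "text/plain",
    ".exe": "application/x-dosexec",
    ".pdf": "application/pdf",
    ".docx": "application/zip",
    ".png": "image/png",
}

# The block list from the original post: octet-stream and text/plain (plus the .com extension).
BLOCKED_TYPES = {"application/octet-stream", "text/plain"}

PRINTABLE = set(string.printable.encode("ascii"))


def type_from_extension(filename: str) -> str:
    """Model of MediaType.FromFileExtension: look the extension up, default to octet-stream."""
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot >= 0 else ""
    return EXTENSION_TYPES.get(ext, "application/octet-stream")


def looks_like_text(data: bytes, min_printable: float = 0.95) -> bool:
    """Byte-frequency heuristic (assumed threshold) standing in for the appliance's
    character-frequency analysis that separates text from binary content."""
    if not data:
        return True
    printable = sum(1 for b in data if b in PRINTABLE)
    return printable / len(data) >= min_printable


def type_from_magic(data: bytes) -> str:
    """Model of MediaType.EnsuredTypes: known signature first, text heuristic second."""
    for signature, media_type in MAGIC_SIGNATURES:
        if data.startswith(signature):
            return media_type
    return "text/plain" if looks_like_text(data) else "application/octet-stream"


def magic_bytes_mismatch(header_type: str, data: bytes) -> bool:
    """Model of MediaType.MagicBytesMismatch: the server's Content-Type versus what the
    bytes actually are. Parameters such as charset are ignored."""
    declared = header_type.split(";")[0].strip().lower()
    return declared != type_from_magic(data)


def decide(filename: str, header_type: str, data: bytes) -> tuple[str, str]:
    """Evaluate the rules in the order recommended in the thread:
    1. mismatch check (before the whitelist, or a renamed file would be whitelisted),
    2. whitelist .txt with "Stop Rule Set",
    3. the original block rule from the first post."""
    if magic_bytes_mismatch(header_type, data):
        return "block", f"MagicBytesMismatch: header {header_type!r}, content {type_from_magic(data)!r}"
    if filename.lower().endswith(".txt"):
        return "allow", "whitelist: .txt (Stop Rule Set)"
    ext_type = type_from_extension(filename)
    if filename.lower().endswith(".com") or ext_type in BLOCKED_TYPES:
        return "block", f"block rule: extension type {ext_type!r}"
    return "allow", "no rule matched"


# Constructed samples: a truncated MZ header, and all-printable bytes standing in for a
# raw-binary .com whose opcodes happen to be printable ASCII (not real machine code).
MZ_SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
PRINTABLE_COM_SAMPLE = b"PXPXPXPXPXPXPXPX"

if __name__ == "__main__":
    cases = [
        ("notes.txt", "text/plain; charset=utf-8", b"hello world\n"),
        ("tool.com", "application/x-dosexec", MZ_SAMPLE),
        ("tool.txt", "text/plain", MZ_SAMPLE),             # renamed MZ-format .com
        ("tool.txt", "text/plain", PRINTABLE_COM_SAMPLE),  # renamed raw .com: evades
        ("report.docx", "application/zip", b"PK\x03\x04" + b"\x00" * 12),
    ]
    for name, header, body in cases:
        verdict, reason = decide(name, header, body)
        print(f"{name:12} {verdict:5} {reason}")
```

The fourth case is the limit alexott describes: once a renamed .com contains only printable bytes, nothing in the header, the extension or the magic bytes distinguishes it from text, so the whitelist rule lets it through. Putting the mismatch check ahead of the whitelist (the order hbajaj points out below) is what makes the third case fail closed.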
hbajaj
Level 9

Re: Blocking .com extension mime files but not .txt files?

Can you please paste your rules on this forum?

hbajaj
Level 9

Re: Blocking .com extension mime files but not .txt files?

Also remember that the "MediaType.MagicBytesMismatch" rule or the "MediaType.EnsuredTypes not equal to MediaType.FromExtension" rule should be before the whitelist rule "MediaType.FromFileExtension" >> contains >> .txt.
