We are using a Web gateway 7.1 and would like to block all executables including .com files.
We see that the gateway does not have .com in the application category list.
Currently I have the below rule set for "request", "responses" and "embedded objects":
MediaType.FromFileExtension contains .com
MediaType.FromFileExtension contains application/octet-stream
MediaType.FromFileExtension contains text/plain
That is working fine and blocking .com files.
A .txt file also has a text/plain MIME type, and these are blocked now as well.
So the question is:
Is it possible to block .com files and not .txt files?
-> Extra info
I tried Google and searched the KB but did not find anything.
You can try adding an exception for .txt files by using the property "MediaType.FromFileExtension" >> contains >> .txt.
You can either create this exception as the very top rule in the rule set with the action "Stop rule set", or in the rule set criteria itself with an "And" function.
For that we can add one more property, MediaType.MagicBytesMismatch, in conjunction with MediaType.FromFileExtension ("And" function in the same rule criteria).
MediaType.MagicBytesMismatch is a boolean type, and below is the description:
If true, the media type specified in the header sent with the media does not match the type that was found on the appliance by examining the magic bytes actually contained in the media.
This will ensure that if someone renames the file to .txt, the magic bytes mismatch in the same rule criteria will not allow it to pass through.
This is just for clarification...
In general, reliable detection of .com files isn't possible without performance degradation. This happens because a .com file is just a set of bytes that is loaded into memory at a specific address. And sometimes they could look like a normal text file. For normal text files we perform some kind of character frequency analysis to distinguish them from binary files.
From my experience I can say that the rules above could produce a lot of false positives, for example matching binary content in MS Office files, or something like that.
P.S. Do we have any modern malware in the .com format? I thought they all ceased to exist.
I've talked about the theoretical possibility, not an existing implementation...
What is the real need for blocking .com files? Most of the .com files that I found in Windows are standard MZ-format executables.
You can try to write a rule like: if MediaType.EnsuredTypes is not equal to MediaType.FromExtension, then block. It will block all files whose media types don't match the given file extension. Or you can use MediaType.MagicBytesMismatch to check the detected MIME type against the MIME type sent by the server.
Also remember that the "MediaType.MagicBytesMismatch" rule or the "MediaType.EnsuredTypes not equal to MediaType.FromExtension" rule should come before the whitelist rule "MediaType.FromFileExtension" >> contains >> .txt.
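As an added example (not from this thread or the Web Gateway product), here is a small Python model of the claimed-type versus detected-type check that MediaType.MagicBytesMismatch performs, evaluated in the rule order recommended above (mismatch rule first, .txt exception second, blanket block last). The byte samples, the media-type table and the printable-ratio text/binary heuristic are constructed assumptions for illustration.

```python
import string

# Byte values a simple "character frequency" check treats as text (assumption).
PRINTABLE = set(bytes(string.printable, "ascii"))
# Media types the thread's rule set blocks (the OP's criteria plus MZ executables).
BLOCKED = {"application/octet-stream", "text/plain", "application/x-msdownload"}

def type_from_extension(name: str) -> str:
    """Media type implied by the extension (models MediaType.FromFileExtension)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    table = {"txt": "text/plain", "com": "application/octet-stream",
             "exe": "application/x-msdownload"}
    return table.get(ext, "application/octet-stream")

def type_from_content(data: bytes) -> str:
    """Type inferred from the bytes: MZ magic first, else printable-ratio heuristic."""
    if data[:2] == b"MZ":
        return "application/x-msdownload"
    if not data:
        return "text/plain"
    ratio = sum(b in PRINTABLE for b in data) / len(data)
    return "text/plain" if ratio >= 0.95 else "application/octet-stream"

def magic_bytes_mismatch(name: str, data: bytes) -> bool:
    """True when the type claimed via the extension disagrees with the content."""
    return type_from_extension(name) != type_from_content(data)

def decide(name: str, data: bytes) -> str:
    """Evaluate the rules in the order the thread recommends."""
    if magic_bytes_mismatch(name, data):          # 1. mismatch rule runs first
        return "block: MagicBytesMismatch"
    if name.lower().endswith(".txt"):             # 2. .txt exception (Stop Rule Set)
        return "allow: .txt exception"
    if type_from_extension(name) in BLOCKED:      # 3. blanket executable block
        return "block: executable media type"
    return "allow"

# Constructed samples: a real text file, a header-less .com-style blob,
# the same blob renamed to .txt, and an MZ executable renamed to .txt.
BLOB = bytes(range(32)) * 3
SAMPLES = {
    "notes.txt": b"Meeting notes\nAgenda: review proxy rules\n",
    "tool.com": BLOB,
    "renamed.txt": BLOB,
    "setup.txt": b"MZ\x90\x00" + b"\x00" * 60,
}

def run_all() -> dict:
    return {name: decide(name, data) for name, data in SAMPLES.items()}
```

Swapping the first two rules in decide() lets renamed.txt through, which is the ordering problem the last post warns about.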