Level 8
Message 1 of 7

Blocking the download of SLK files within archives

Hello,

I want to block ".slk" files on a web gateway, running version 7.8.2.21.

For this I am currently using a rule set which should block all kinds of malicious file types.

In my specific example the rule set looks like this:

[Screenshot attachment: 2020-07-01 08_11_02-McAfee _ Web Gateway.png]

Now to the actual problem; "standalone" slk file downloads are getting blocked correctly, due to the "URL.FileExtension" criteria, which matches the list "Malicious File Type Extensions" which contains the value "slk". However once I try to download slk files which are placed within an archive the download goes through without any issue at all. From my understanding this should not be the case due to the category "MediaType.FromFileExtention contains .slk" + the rule set being enabled for embedded objects.

What am I missing?

Also are there more reliable ways to detect slk files? I did not find a matching MIME type or any other solution in this case.

Regards,

Maik

 

BTW:

"MediaType.FromFileExtention contains slk" (not .slk) does not work either.

6 Replies
McAfee Employee
Message 2 of 7

Re: Blocking the download of SLK files within archives

A request/response must run through a rule with an event called "Enable Composite Opener<>". By default this is under "Common Rules" > "Enable Opener".

Then MWG is told to extract archives and can see the embedded objects.

Further, if it is an HTTPS connection, the SSL scanner must be used to break the SSL traffic first to look inside the encrypted session. Otherwise, MWG only sees the URL host (e.g. https://drive.google.com and not https://drive.google.com/download/file.slk).

For troubleshooting, you can use a rule trace. If you have then detected and selected the download URL, you should see the policy on the right side and a number in front of the rules indicating the embedded objects running through the policy, which proves that the opener was called.

So, your rule should also detect the file inside an archive.

Regards,
Marcel Kutrieba
Technical Support Engineer
Level 8
Message 3 of 7

Re: Blocking the download of SLK files within archives

Hello Marcel,

Thanks for your reply!

The SSL Scanner is in place and works fine, but even though this is the case the block does not work.

Even clear http connections are not getting scanned, e.g. this one:

http://www.fileformatcommons.com/wp-content/uploads/2015/09/ffc_slk.zip

Also, the composite opener is in place and gets enabled as the parent rule set of the one mentioned in the screenshot of my previous post.

The really weird thing is that I am not able to see requests to the URL above in the rule trace central, just as if the web gateway were not able to see the connection at all, while it is definitely happening and going through it. I can see the access to http://www.fileformatcommons.com/slk-file-format/ where the zip file is linked, but once I click the link on this page (directing to http://www.fileformatcommons.com/wp-content/uploads/2015/09/ffc_slk.zip) nothing happens in the rule trace view.

McAfee Employee
Message 4 of 7

Re: Blocking the download of SLK files within archives

Looks like a non-supported media type.

Was this the same file which is being detected when loaded unzipped? Because for me it is neither detected standalone nor in a zip.

MediaType from file extension is blank for me even if the file name is correctly ffc.slk, and mediatype ensuredtype says text/plain for this file.

I would suggest opening an SR with MWG support, providing this example link, a feedback file and a rule trace as per below.
Once created, you can PM me the SR number (or mention in the SR description that the ticket should be redirected to Marcel Kutrieba) so that I can forward this to the engineering team to get it cross-checked.

No promise that we get a solution, as engineering and others decide what and when something gets added there.

Regards,
Marcel Kutrieba
Technical Support Engineer
Level 8
Message 5 of 7

Re: Blocking the download of SLK files within archives

The "standalone" or unzipped slk file was a different one; however, as I have the URL file extension detection, it just works when ".slk" is found within a URL.

Regarding your response...

MediaType from file extension is blank for me even if the file name is correctly ffc.slk and mediatype ensuredtype says text/plain for this file.

I think that's basically the issue. From my understanding, slk files are just plain text files which can get rendered as a script, but only when opened with Excel. Without Excel it's just a text file with some strings as content. However, thanks again for your help. I will open an SR as suggested by you and upload the mentioned files.

Regards,

Maik

McAfee Employee
Message 6 of 7

Re: Blocking the download of SLK files within archives

Hi,

Hope you are doing well.

We do not have specific media type detection for slk (Symbolic Link format) files.

These files are basic text files and as such will currently be detected as "text/plain" by the MWG.

You can for now try creating a rule "Body.FileName matches *.slk" and set the action to Block.

Attaching a screenshot for reference, wherein it works for the link below:

http://www.fileformatcommons.com/wp-content/uploads/2015/09/ffc_slk.zip

The blocking happens in the Response Embedded cycle.


Regards

Alok Sarda
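The whole thread comes down to one gap: the gateway classifies SLK files as text/plain, so the only things that catch them are name-based criteria (URL.FileExtension for standalone downloads, Body.FileName for entries inside an archive). The script below is an added example, not MWG configuration or McAfee code; it shows what a name rule and a content rule each catch when an archive is opened. It walks a zip (recursing into nested zips, i.e. the embedded objects discussed above) and flags an entry either by the .slk extension, mirroring the Body.FileName rule from the reply, or by the SYLK identification record that every SYLK file begins with (the bytes `ID;`), which is the content signature the gateway's media-type detection does not have. The archive and its entries (ffc.slk, notes.txt, readme.txt, inner.zip) are constructed inline for the demonstration.

```python
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

# Every SYLK (Symbolic Link) file opens with an "ID" record, e.g. "ID;PWXL;N;E".
# This is the content signature that MediaType detection in the thread lacks.
SYLK_HEADER = b"ID;"
MAX_ENTRY_BYTES = 50 * 1024 * 1024  # skip anything larger (decompression-bomb guard)
MAX_NESTING = 3                     # how deep into zip-in-zip to descend


@dataclass(frozen=True)
class Finding:
    path: str          # entry path; nested archives are joined with "!/"
    by_name: bool      # matched the *.slk filename rule from the reply
    by_content: bool   # matched the SYLK "ID;" header


def has_slk_extension(name: str) -> bool:
    """Name check, the equivalent of 'Body.FileName matches *.slk' (case-insensitive)."""
    return name.lower().endswith(".slk")


def is_sylk_content(data: bytes) -> bool:
    """Content check: a SYLK file starts with an ID record whatever its name is."""
    head = data[3:] if data.startswith(b"\xef\xbb\xbf") else data  # tolerate a UTF-8 BOM
    return head.startswith(SYLK_HEADER)


def scan_archive(blob: bytes, prefix: str = "", depth: int = 0) -> list[Finding]:
    """Return every entry that looks like SYLK by name or by content, recursing into nested zips."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_ENTRY_BYTES:
                continue
            path = prefix + info.filename
            data = zf.read(info)
            # A nested archive is another "embedded object": open it instead of classifying it.
            if depth < MAX_NESTING and zipfile.is_zipfile(io.BytesIO(data)):
                findings.extend(scan_archive(data, path + "!/", depth + 1))
                continue
            by_name = has_slk_extension(info.filename)
            by_content = is_sylk_content(data)
            if by_name or by_content:
                findings.append(Finding(path, by_name, by_content))
    return findings


def build_sample_archive() -> bytes:
    """Constructed test data: a real .slk, a renamed SYLK file, a harmless text file and a nested zip."""
    sylk = b'ID;PWXL;N;E\r\nP;PGeneral\r\nC;Y1;X1;K"hello"\r\nE\r\n'
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("nested.slk", sylk)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ffc.slk", sylk)                 # caught by name and by content
        zf.writestr("notes.txt", sylk)               # SYLK content under another name: name rule misses it
        zf.writestr("readme.txt", b"just text\r\n")  # plain text, no finding
        zf.writestr("inner.zip", inner.getvalue())   # nested archive with its own .slk
    return outer.getvalue()


if __name__ == "__main__":
    for f in scan_archive(build_sample_archive()):
        print(f"{f.path}: by_name={f.by_name} by_content={f.by_content}")
```

Running it reports ffc.slk (both checks), notes.txt (content only) and inner.zip!/nested.slk, while readme.txt produces nothing. The notes.txt case is the reason a content check is worth having next to the Body.FileName rule: a SYLK file that does not carry the .slk extension is still text/plain to the gateway and invisible to a name-only rule. The size cap uses the declared uncompressed size of each entry, which is the cheap way to avoid inflating a deliberately oversized member before looking at it.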

Level 8
Message 7 of 7
Re: Blocking the download of SLK files within archives

Hello Alok,
This worked - thank you very much!
Still, let's see if some kind of media detection can be added in the future via my SR.
BR,
Maik