Level 7
Message 1 of 7

executable in an archive (zip) not blocked as expected to be by media type filtering

Hi there

Due to our security policy, our users are not allowed to download executables (application/executable). To enforce that policy, downloading archives (application/zip, application/rar and so on) is also forbidden, as these archives could include unwanted files.

In the process of upgrading from 7.1.0.2.0 to 7.3.0 we would like to allow the user to download archives, except in the case that the archive includes a forbidden MIME type such as application/executable. From my understanding, the composite opener should extract an archive to allow the following rulesets and rules to go through the content of the archive. So I would expect the composite opener to extract such an archive and, following that, the media type filter to identify the executable in the archive and block it.

However... this does not work in my configuration. Meaning, I'm still unable to download executables; however, I'm able to download archives including executables. Might anything be missing, or is this just not working, that is, can the MIME type filter not go through an archive extracted by the composite opener?

This is a preview to the ruleset:

mwg-ruleset-snip.jpg

If there is a resource or a thread which would answer that question, you are also welcome to point me to that.

Thanks for any hints, Stefan

Accepted Solutions
Level 11
Message 6 of 7

Re: executable in an archive (zip) not blocked as expected to be by media type filtering

I checked your ruleset, and it works for me with a small modification - I changed the ruleset's enter condition to Always instead of checking on the user-defined property.

I now see why this problem exists - the last rule in your rulesets sets the user-defined property to true. This happens when your file is passing through the Request cycle. After that, the extraction of data from the archive starts, and the Rule Engine enters the Embedded cycles. But because this is the same transaction, the value of the user-defined property is true, so it won't enter a ruleset that has the condition "User-Defined Property == false". So, either you need to explicitly set your user-defined property to false before this ruleset, or delete the rule that sets this property to true.

I added my rule set that I've used for testing on 04/01/13 13:40:16 CET
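
A small Python model of the behaviour explained in this answer, added here as an illustration; it is not the poster's rule set, Web Gateway rule syntax or the product's engine. The names `Obj`, `run_ruleset`, `process_download`, the `checked` flag and the sample archive are all made up for the example, and the model assumes one property store shared by the archive pass and every embedded pass of the same transaction.

```python
# Simplified model of the behaviour described above. Hypothetical names only;
# this is neither Web Gateway rule syntax nor its engine.
from dataclasses import dataclass, field

BLOCKED_TYPES = {"application/executable"}

@dataclass
class Obj:
    name: str
    media_type: str
    children: list = field(default_factory=list)  # members the opener extracts

def run_ruleset(obj, props, always, sets_flag, reset_before):
    """One pass of the media type rule set over one object in one cycle."""
    if reset_before:
        props["checked"] = False          # fix: reset the flag before the rule set
    if not always and props["checked"]:
        return "skipped"                  # criteria "property == false" not met
    if obj.media_type in BLOCKED_TYPES:
        return "block"
    if sets_flag:
        props["checked"] = True           # the "last rule" from the thread
    return "allow"

def process_download(top, always=False, sets_flag=True, reset_before=False):
    """Run the archive itself, then each extracted member, in ONE transaction."""
    props = {"checked": False}            # user-defined property, per transaction
    trace, queue = [], [("outer", top)]
    while queue:
        cycle, obj = queue.pop(0)
        result = run_ruleset(obj, props, always, sets_flag, reset_before)
        trace.append((cycle, obj.name, result))
        if result == "block":
            return "block", trace
        queue.extend(("embedded", child) for child in obj.children)
    return "allow", trace

# Constructed sample: a zip holding a text file and an executable.
ARCHIVE = Obj("tools.zip", "application/zip", [
    Obj("readme.txt", "text/plain"),
    Obj("setup.exe", "application/executable"),
])

if __name__ == "__main__":
    for label, kwargs in [("as posted", {}), ("criteria Always", {"always": True}),
                          ("flag rule deleted", {"sets_flag": False}),
                          ("flag reset first", {"reset_before": True})]:
        verdict, trace = process_download(ARCHIVE, **kwargs)
        print(f"{label:18} -> {verdict:5} {trace}")
```

In the "as posted" run the trace shows the embedded members as `skipped` rather than `allow`, which is the sign to look for when reviewing a flag-gated filter rule set: the filter never evaluated the extracted content.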

6 Replies
Level 11
Message 2 of 7

Re: executable in an archive (zip) not blocked as expected to be by media type filtering

Hello

Is your rule set enabled in the Embedded cycle? Can you give us a URL with the archive, so we can check that the file type is correctly recognized?

P.S. For performance reasons, it's better to first check the value of the user-defined property, and only after that check for prohibited file types. This should work faster, as your user-defined property is a simple boolean.

Level 7
Message 3 of 7

Re: executable in an archive (zip) not blocked as expected to be by media type filtering

Yes, embedded cycle is activated:

mwg-ruleset-snip-1.jpg

I will upload the file I am testing on it once I know how to upload it to the thread.

Level 11
Message 4 of 7

Re: executable in an archive (zip) not blocked as expected to be by media type filtering

Maybe it doesn't work because the User-Defined property has a true value before entering your ruleset? I see that your ruleset has a condition on this user-defined property - try to change it to Always?

I checked the file; the file was detected as executable. I'll soon try how the complete ruleset will work.

Level 7
Message 5 of 7

Re: executable in an archive (zip) not blocked as expected to be by media type filtering

So this is the file I'm testing. You are welcome to test it if it is properly recognized.

Thank you for that hint to the order of the conditions of a rule, I will change it.

Level 7
Message 7 of 7

Re: executable in an archive (zip) not blocked as expected to be by media type filtering

Thank you very much for that investigation. Will adapt your suggestions, basic testing worked also on my systems.