You can try adding an exception for .txt files by using the property "MediaType.FromFileExtension" >> contains >> .txt.
You can either create this exception as the very top rule in the rule set with the action "Stop rule set", or in the rule set criteria itself with an "And" function.
Yes, I considered that, but that would not stop .com files renamed to .txt files.
But I fear that it is the only solution.
For that we can add one more property: MediaType.MagicBytesMismatch in conjunction with MediaType.FromFileExtension ("And" function in the same rule criteria).
MediaType.MagicBytesMismatch is a boolean type and below is the description:
If true, the media type specified in the header sent with the media does not match the type that was found on the appliance by examining the magic bytes actually contained in the media.
This will ensure that if someone renames the file to .txt, the magic bytes mismatch in the same rule criteria will not allow it to pass through.
This is just for clarification...
In general, reliable detection of .com files isn't possible without performance degradation. This happens because a .com file is just a set of bytes that is loaded into memory at specific addresses. And sometimes, they could look like a normal text file. For normal text files we're performing some kind of character frequency analysis, to distinguish them from binary files.
From my experience I can say that the rules above could produce a lot of false positives, for example, match binary content in MS Office files, or something like that.
P.S. Do we have any modern malware in the .com format? I thought that they had all ceased to exist.
I've talked about a theoretical possibility, not an existing implementation...
What is the real need for blocking .com files? Most of the .com files that I found in Windows are standard MZ-format executables.
You can try to write a rule like: if MediaType.EnsuredTypes not equal to MediaType.FromExtension, then block - it will block all files whose media types don't match the given file extension. Or you can use MediaType.MagicBytesMismatch to check the detected MIME type against the MIME type sent by the server.
Can you please paste your rules on this forum?
Also remember that the "MediaType.MagicBytesMismatch" rule or the "MediaType.EnsuredTypes not equal to MediaType.FromExtension" rule should be before the whitelist rule "MediaType.FromFileExtension" >> contains >> .txt.
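
The rule order discussed in this thread, sketched as an added Python example (not the appliance's implementation and not code from any poster): a content/extension mismatch check runs before the .txt exception. The tables, the function names and the printable-byte ratio used as a stand-in for character frequency analysis are all assumptions made for illustration.

```python
import os

# Constructed, deliberately tiny tables; names are illustrative only.
MAGIC = [(b"MZ", "application/x-msdownload"),
         (b"%PDF-", "application/pdf"),
         (b"PK\x03\x04", "application/zip")]
EXT_TYPES = {".txt": "text/plain", ".pdf": "application/pdf",
             ".exe": "application/x-msdownload",
             ".com": "application/x-msdownload"}

def looks_like_text(data, threshold=0.95):
    """Crude stand-in for character-frequency analysis: share of printable bytes."""
    if not data:
        return True
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= threshold

def detected_type(data):
    """Type from content: magic bytes first, text heuristic as fallback."""
    for magic, mtype in MAGIC:
        if data.startswith(magic):
            return mtype
    return "text/plain" if looks_like_text(data) else "application/octet-stream"

def decide(filename, data):
    ext = os.path.splitext(filename.lower())[1]
    from_ext = EXT_TYPES.get(ext, "application/octet-stream")
    found = detected_type(data)
    if found != from_ext:          # mismatch rule, evaluated first
        return "block"
    if ext == ".txt":              # .txt exception ("Stop rule set")
        return "allow"
    if found == "application/x-msdownload":
        return "block"
    return "allow"

# Constructed sample inputs.
SAMPLES = {
    "notes.txt": b"meeting at 10:00\r\n",
    "renamed_mz.txt": b"MZ\x90\x00\x03\x00\x00\x00",
    "renamed_raw.txt": b"\xb4\x09\xba\x0b\x01\xcd\x21\xb4\x4c\xcd\x21Hello$",
    "utf16.txt": "plain text".encode("utf-16-le"),   # false positive
    "printable_only.txt": b"PXPXPXPX\r\n",            # headerless, all printable
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:20} {detected_type(blob):28} {decide(name, blob)}")
```

The last two samples show the limits raised in the thread: a legitimate UTF-16 text file is blocked as a mismatch, and headerless content made only of printable bytes is indistinguishable from text to this kind of check.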