How to block executable file downloads using URL keywords

by Rich Sutton
November 29th, 2007

[Thanks to Tarun Mann, a Sales Engineer here at 8e6, for providing the background information for this post.]

The other day I was talking to an 8e6 reseller and he brought up a question that I’ve heard a few times before. He has a customer who wants to prevent users from downloading executable files directly off the Internet. Obviously, the web filter / secure web gateway is the place to enforce this policy.

Although we don’t have a specific feature in the 8e6 web filter (the R3000) directed at this request, our crafty Sales Engineering team has devised a solution. They’ve deployed this solution in many of our customers’ networks; it’s simple and it works.

Step 1: In the Library section of the R3000 management console, create a custom category — the SEs typically call it “File Extensions”. Right-click on the custom category and select URL Keywords. Add the file extension of each file type that you want to block as a keyword, making sure to preface each extension with a period. So for exe files you would add “.exe”.

For all Windows executable files, there are more extensions than you think. This is a decent list, and so is this. At a minimum you’re going to want to include:

.exe, .dll, .ocx, .scr, .bat, .pif, .cpl, .cmd, .hta, .lnk, .inf, .sys, .vbs, .vb, .wsc, .wsh, .wsf

You might also add “.wmv”, which is a Windows Media Video file and is being used to push out malware in the form of fake codecs. Many of the malicious search engine spam sites outed by Sunbelt this week were using this method of attack. The site entices you to watch a video that is specially crafted to induce Windows Media Player to claim that it requires a special codec to view. The codec is then the malware.

Also note that “.com” must be omitted — URL keywords work across the entire URL, including the root domain, so this is obviously not something you can include. Conversely, “.vb” is ok because it’s not a registered country code top-level domain (the IANA keeps the master list).

After you’ve added all the file extensions, reload the Library by clicking the Reload button.

Step 2: Now go to the Group section of the R3000 management console. In order to actually block URLs containing those file extensions, we have to change group policies to observe our newly added category and its keywords.

Select the desired group or the Global Group. Right click and select Group Profile. If you selected the Global Group, the option will be Global Group Profile. If you selected a sub-group, the option will be Sub Group Profile.

Select the Filter Options tab. Check URL Keyword Filter Control (read below for more on this if you’re worried about overblocking).

Go back to the Category tab. Find your newly added category and double click on the red Block column. Click Apply to save your changed policy.

Notes on URL Keywords: 8e6 does not publish any built-in URL keywords. So if you haven’t added any keywords to your R3000, then the list is definitely empty, and enabling this feature will have no effect on your users.

The Extended URL Keyword Filter Control option tells the R3000 to go ahead and apply URL keywords out into the URL’s query string, which is the part after the question mark. If you’re only using URL keywords to block file extensions, then we advise that you keep this off. If you have it enabled, then this will be blocked:

http://www.google.com/search?hl=en&q=.exe

which might not be what you want. But then again, maybe it is, because what if the query looks like this:

http://www.google.com/search?hl=en&q=trojan.exe
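To make the matching rules above concrete, here is a small simulator written for this post; it is not 8e6 code and does not talk to an R3000. It assumes what the post describes: each keyword is substring-matched (case-insensitively, an assumption) against the host and path of the URL, and only with the Extended option does the query string count. It also flags keywords that collide with a top-level domain, using a tiny constructed subset of the IANA TLD list, which is how the “.com” problem shows up, and why “.inf” deserves the same scrutiny (it is a prefix of “.info”).

```python
from urllib.parse import urlsplit

# The extension keywords recommended in the post, each prefaced with a period.
EXEC_KEYWORDS = [
    ".exe", ".dll", ".ocx", ".scr", ".bat", ".pif", ".cpl", ".cmd", ".hta",
    ".lnk", ".inf", ".sys", ".vbs", ".vb", ".wsc", ".wsh", ".wsf",
]

# Constructed, deliberately small subset of the IANA TLD list, for the collision check.
SAMPLE_TLDS = [".com", ".net", ".org", ".info", ".biz", ".edu", ".gov", ".de", ".uk"]


def match_url_keywords(url, keywords, extended=False):
    """Return the keywords that would hit this URL.

    Emulates (as an assumption about the product) substring matching over the
    whole URL: host plus path, and the query string only when `extended` is
    True, mirroring the Extended URL Keyword Filter Control option.
    """
    parts = urlsplit(url)
    haystack = (parts.netloc + parts.path).lower()
    if extended:
        haystack += "?" + parts.query.lower()
    return [k for k in keywords if k.lower() in haystack]


def is_blocked(url, keywords, extended=False):
    """A URL is blocked as soon as any keyword matches."""
    return bool(match_url_keywords(url, keywords, extended))


def tld_collisions(keywords, tlds):
    """Map each keyword to the TLDs it is a prefix of.

    Any keyword in this map will match every URL under those TLDs because the
    host name is part of the matched text; such keywords overblock.
    """
    hits = {}
    for k in keywords:
        colliding = [t for t in tlds if t.lower().startswith(k.lower())]
        if colliding:
            hits[k] = colliding
    return hits


if __name__ == "__main__":
    for url, ext in [
        ("http://downloads.example.com/setup.exe", False),
        ("http://www.google.com/search?hl=en&q=.exe", False),
        ("http://www.google.com/search?hl=en&q=trojan.exe", True),
        ("http://www.example.info/index.html", False),
    ]:
        print(url, "extended" if ext else "normal", match_url_keywords(url, EXEC_KEYWORDS, ext))
    print(tld_collisions(EXEC_KEYWORDS + [".com"], SAMPLE_TLDS))
```

Run it and the fourth URL shows the practical caveat: a host under .info trips the “.inf” keyword even though nothing executable is being fetched, so treat that entry the way the post treats “.com” and decide whether the overblocking is acceptable on your network.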

While the file extension of the URL in the HTTP request remains an incredibly reliable way of predicting the type of return content, it’s obviously not perfect. The ideal way is to look directly at the content in the HTTP response. The browser operates on the Content-Type header in the HTTP response to decide what to do with a downloaded file. Since the R3000 is primarily deployed in a pass-by architecture, we are not in a position to take action on the HTTP response in time to block it.
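As an illustration of what response-side inspection looks like (added for this post; it is not R3000 functionality and the R3000 does not do this), the following classifier looks at three signals in an HTTP response instead of the request URL: the Content-Type header, the filename in a Content-Disposition header checked against the same extension keywords, and the first bytes of the body, since Windows executables begin with the “MZ” signature. The set of executable content types is an assumption based on commonly seen values; the sample responses are constructed.

```python
import re

EXEC_KEYWORDS = [
    ".exe", ".dll", ".ocx", ".scr", ".bat", ".pif", ".cpl", ".cmd", ".hta",
    ".lnk", ".inf", ".sys", ".vbs", ".vb", ".wsc", ".wsh", ".wsf",
]

# Assumed set of MIME types commonly used for Windows executables.
EXECUTABLE_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/vnd.microsoft.portable-executable",
}


def classify_response(headers, body_prefix, keywords=EXEC_KEYWORDS):
    """Return the list of reasons this response looks like an executable download.

    headers: dict of header name -> value (case of the name does not matter).
    body_prefix: the first bytes of the response body.
    An empty list means none of the three signals fired.
    """
    h = {k.lower(): v for k, v in headers.items()}
    reasons = []

    # 1. The declared Content-Type, with any parameters (charset etc.) stripped.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype in EXECUTABLE_CONTENT_TYPES:
        reasons.append(f"content-type {ctype}")

    # 2. The filename the server asks the browser to save under.
    m = re.search(r'filename="?([^";]+)"?', h.get("content-disposition", ""), re.I)
    if m:
        name = m.group(1).strip().lower()
        for k in keywords:
            if name.endswith(k.lower()):
                reasons.append(f"filename {name} ends with {k}")
                break

    # 3. The body itself: DOS/PE executables start with the two bytes "MZ".
    if body_prefix[:2] == b"MZ":
        reasons.append("body starts with MZ signature")

    return reasons


# Constructed sample responses (not captured traffic).
SAMPLES = {
    # Honest download: generic content type, but filename and body give it away.
    "declared": (
        {"Content-Type": "application/octet-stream",
         "Content-Disposition": 'attachment; filename="update.scr"'},
        b"MZ\x90\x00\x03\x00\x00\x00",
    ),
    # Disguised download: served as HTML with a neutral name, body still a PE.
    "disguised": (
        {"Content-Type": "text/html; charset=utf-8",
         "Content-Disposition": 'attachment; filename="readme.html"'},
        b"MZ\x90\x00\x03\x00\x00\x00",
    ),
    # Ordinary page: nothing fires.
    "page": (
        {"Content-Type": "text/html; charset=utf-8"},
        b"<!DOCTYPE html><html>",
    ),
}

if __name__ == "__main__":
    for label, (hdrs, body) in SAMPLES.items():
        print(label, "->", classify_response(hdrs, body))
```

The “disguised” sample is the point of the exercise: the URL and the declared type both look harmless, and only the body signature catches it, which is exactly the check a pass-by device cannot apply before the bytes have already reached the client.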

However, we have a number of initiatives on the product and research roadmaps in 2008 to start looking at that content, so stay tuned.
