topic Re: Content awareness in Firewall and Security Management

Content awareness

Andreas_Ahrnby — Wed, 06 May 2020 20:08:18 GMT

Hi,

I have a rule that allow MS Office files to be uploaded to a FTP server and I block execute files.

But if I import an execute file inside an excel file the blade let the file pass.
Cant the blade be this “smart” to see the inserted .exe or i am doing something wrong here?

Re: Content awareness

HristoGrigorov — Thu, 07 May 2020 03:40:50 GMT

Most File Type Recognition libraries rarely iterate over entire file content for performance reasons. In most cases they only look for predefined patterns to "guess"file type.

Notice that you are uploading Excel file with binary content inside it but it is after all Excel file which is allowed by the policy.

Re: Content awareness

PhoneBoy — Mon, 11 May 2020 00:19:05 GMT

What rule comes first, the one that blocks EXE files or the one that allows Excel?
Order matters.

Re: Content awareness

Andreas_Ahrnby — Mon, 11 May 2020 04:24:40 GMT

The exe block rule is first.

Re: Content awareness

PhoneBoy — Wed, 13 May 2020 16:24:07 GMT

Might be worth a TAC case to confirm this is correct behavior.

Re: Content awareness

Andreas_Ahrnby — Wed, 13 May 2020 18:14:03 GMT

Actually I find out that the content sees the embedded file but not as its file name but as a inobject.bin. Don’t remember the exact name now so what I did was to make a own template and block everything with .bin

this behavior seems only to be with MS office files, if I take an .pdf with an embedded .exe file it gets blocked and the blade can see the exact filename inside the .pdf

Re: Content awareness

PhoneBoy — Wed, 13 May 2020 22:11:33 GMT

At least you have a workaround, which is good.