Re: Content awareness

Andreas_Ahrnby · ‎2020-05-06

Hi,

I have a rule that allow MS Office files to be uploaded to a FTP server and I block execute files.

But if I import an execute file inside an excel file the blade let the file pass.
Cant the blade be this “smart” to see the inserted .exe or i am doing something wrong here?

HristoGrigorov · ‎2020-05-06

Most File Type Recognition libraries rarely iterate over entire file content for performance reasons. In most cases they only look for predefined patterns to "guess"file type.

Notice that you are uploading Excel file with binary content inside it but it is after all Excel file which is allowed by the policy.

PhoneBoy · ‎2020-05-10

What rule comes first, the one that blocks EXE files or the one that allows Excel?
Order matters.

Andreas_Ahrnby · ‎2020-05-10

The exe block rule is first.

PhoneBoy · ‎2020-05-13

Might be worth a TAC case to confirm this is correct behavior.

Andreas_Ahrnby · ‎2020-05-13

Actually I find out that the content sees the embedded file but not as its file name but as a inobject.bin. Don’t remember the exact name now so what I did was to make a own template and block everything with .bin

this behavior seems only to be with MS office files, if I take an .pdf with an embedded .exe file it gets blocked and the blade can see the exact filename inside the .pdf

PhoneBoy · ‎2020-05-13

At least you have a workaround, which is good.

Are you a member of CheckMates?

Content awareness