ProxySG & Advanced Secure Gateway


Blocking Executables via ASG

  • 1.  Blocking Executables via ASG

    Posted Mar 28, 2020 10:04 AM
    Hi,

    I am trying to block EXE files and MSI files in ASG. I am able to block EXE files via apparent data type and file extension objects, but for MSI I cannot find similar options in apparent data type and MIME types. How can I block MSI files?

    Thanks and Regards
    Shabeeb


  • 2.  RE: Blocking Executables via ASG

    Broadcom Employee
    Posted Mar 30, 2020 06:03 AM
    Hi Shabeeb

    The proxy does not have an ADT for MSI; you can try creating policy for this using regexes:

    https://knowledge.broadcom.com/external/article?articleId=166223

    However, I'm not sure that MS guarantees this will work for all MSI files.

    If you want to block all MSI files, why not just use the AV to do that? Under Services, AV File Types, select Block for MSI.


  • 3.  RE: Blocking Executables via ASG

    Posted Apr 01, 2020 02:46 PM
    I operate a ProxySG so I'm not sure if your interface differs, but from our Visual Policy Manager, I've done the same thing about blocking executables. I don't even want our CAS getting the file because I'd rather the proxy block it explicitly. And the CAS can handle files designated for scanning.

    If MSI doesn't exist on that list, create it. Assuming, of course, your interface is like the ProxySG's.


  • 4.  RE: Blocking Executables via ASG

    Broadcom Employee
    Posted Apr 06, 2020 04:53 AM
    Hi Daniel

    This is not a secure method for detecting file types, as it only checks the file extension, something that can be easily modified; also, the proxy doesn't always have a way of telling the file's extension. So while this is valid policy, it should not be relied on exclusively but should form part of a layered approach: MIME types, file extension and ADT, as well as category and threat risk scores.


  • 5.  RE: Blocking Executables via ASG

    Posted Apr 07, 2020 11:47 AM
    I completely agree. My suggestion, however, was assuming that their agency/company didn't purchase the CAS to go along with their proxy. I see, in his follow-up reply, that there is a CAS in the picture. I assumed wrong.


  • 6.  RE: Blocking Executables via ASG

    Posted Apr 07, 2020 05:53 AM
    Dear all,

    I have a problem with blocking executable files. I have tried blocking by file types and MIME, but some executable files have been renamed or zipped, and those cannot be blocked.
    I tried to block on CAS but it still doesn't work.
    Do you have any solutions?


  • 7.  RE: Blocking Executables via ASG

    Posted Apr 07, 2020 12:11 PM
    Edited by Daniel L Apr 07, 2020 12:19 PM
    Hi Duc.

    How is your CAS configured to handle the compressed files? I've always believed that the CAS scans the file based on the scanned file type, and not explicitly the file extension, so that renaming the extension doesn't obfuscate the scanner. I did a cursory lookup of this in the CAS admin manual; below is a direct paste:


  • 8.  RE: Blocking Executables via ASG

    Posted Apr 08, 2020 03:25 AM
    Dear Daniel,

    I need to block all executable files, and scan but not block compressed files. I set Block for EXE in AV Types on CAS, but executable files inside compressed files can't be blocked.


  • 9.  RE: Blocking Executables via ASG

    Posted Apr 08, 2020 12:09 PM
    Don't you have compressed files set to scan? When it scans the contents of the compressed file, it should see the EXE file and block the compressed file due to its contents. That's what the screenshot said.


  • 10.  RE: Blocking Executables via ASG

    Posted Apr 08, 2020 12:52 PM
    Am I missing something?

    Can you send a snippet of your cas log?


  • 11.  RE: Blocking Executables via ASG

    Broadcom Employee
    Posted Apr 10, 2020 04:49 AM
    Hi Duc

    For this to work you need two things:

    1. You need to send the files to CAS; the proxy itself cannot unzip files to see what is inside them.
    2. You need to enable the option "Enable ICAP scanning" in your apparent data type object in policy.


    There is a KB on this; unfortunately some of the images went missing in the migration from Symantec to Broadcom. I'm trying to get these fixed.

    https://knowledge.broadcom.com/external/article?legacyId=TECH241853
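The following Python script is an added illustration for this thread, not ProxySG, ASG or CAS code and not something any poster supplied. It models the layered approach described in reply 4 (file extension, MIME type, apparent data type read from the leading bytes) and the zipped-executable case from replies 6 and 11: with `inspect_archives=False` the evaluation stops where a proxy on its own would, and with `inspect_archives=True` it unpacks the archive the way an ICAP scanner such as CAS would. The function names, the blocked extension and MIME lists and the sample responses are all constructed for the example; the magic-byte headers are the well-known ones for PE, OLE compound and zip files. Note that MSI installers share the OLE compound header with legacy Office documents, so a header-only rule catches both.

```python
"""Layered executable detection: extension, MIME type, apparent data type
(magic bytes) and archive inspection.  Example for the thread above; not
vendor code."""
import io
import zipfile
from typing import Optional
from urllib.parse import urlparse

# Well-known file headers used as the "apparent data type" layer.
MAGICS = {
    "exe": b"MZ",                                # DOS/PE executables (.exe, .dll, .scr)
    "ole": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE compound file: MSI, but also legacy .doc/.xls
    "zip": b"PK\x03\x04",
}

# Assumed policy values for the example (not taken from the thread).
BLOCKED_EXTENSIONS = {"exe", "msi"}
BLOCKED_MIME_TYPES = {"application/x-msdownload", "application/x-msi"}
BLOCKED_TYPES = {"exe", "ole"}
MAX_ARCHIVE_DEPTH = 2  # bound on nested-zip recursion


def apparent_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring name and declared MIME type."""
    for name, magic in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def url_extension(url: str) -> str:
    """Extension from the URL path only; query strings are ignored, and a
    dot in a directory name does not count."""
    path = urlparse(url).path
    _, dot, ext = path.rpartition(".")
    return ext.lower() if dot and "/" not in ext else ""


def archive_contains_blocked(data: bytes, depth: int = 1) -> Optional[str]:
    """Return the name of the first blocked member in a zip, recursing into nested zips."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = zf.read(info)
                kind = apparent_type(member)
                if kind in BLOCKED_TYPES:
                    return info.filename
                if kind == "zip" and depth < MAX_ARCHIVE_DEPTH:
                    inner = archive_contains_blocked(member, depth + 1)
                    if inner:
                        return f"{info.filename}/{inner}"
    except zipfile.BadZipFile:
        return None
    return None


def evaluate(url: str, mime_type: str, body: bytes, inspect_archives: bool):
    """Apply the layers in order and return (verdict, reason).

    inspect_archives=False models the proxy on its own (it cannot unzip);
    True models the same response after an ICAP scanner has unpacked it."""
    ext = url_extension(url)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"extension .{ext}"
    if mime_type.lower() in BLOCKED_MIME_TYPES:
        return "block", f"mime type {mime_type}"
    kind = apparent_type(body)
    if kind in BLOCKED_TYPES:
        return "block", f"apparent data type {kind}"
    if kind == "zip" and inspect_archives:
        member = archive_contains_blocked(body)
        if member:
            return "block", f"archive member {member}"
    return "allow", "no layer matched"


def make_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample responses: real headers followed by padding, not real binaries.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60
OLE_STUB = MAGICS["ole"] + b"\x00" * 56
PDF_STUB = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"

SAMPLES = [
    ("http://downloads.example.test/setup.exe", "application/x-msdownload", PE_STUB),
    ("http://downloads.example.test/setup.txt", "text/plain", PE_STUB),          # renamed .exe
    ("http://downloads.example.test/tool.msi", "application/octet-stream", OLE_STUB),
    ("http://downloads.example.test/bundle.zip", "application/zip",
     make_zip({"readme.txt": b"hello", "tool.dat": PE_STUB})),                   # zipped, renamed .exe
    ("http://downloads.example.test/report.pdf", "application/pdf", PDF_STUB),
]

if __name__ == "__main__":
    for url, mime, body in SAMPLES:
        proxy_only = evaluate(url, mime, body, inspect_archives=False)
        with_icap = evaluate(url, mime, body, inspect_archives=True)
        print(f"{url.rsplit('/', 1)[1]:12} proxy-only={proxy_only} with-icap={with_icap}")
```

Running it shows the point of the thread: the renamed executable is caught by the apparent-data-type layer even though extension and MIME type say nothing, while the zipped one passes every proxy-side layer and is only blocked once the archive is opened, which is why the files have to go to the scanner with ICAP scanning enabled on the ADT object.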