Hi everyone, I hope everyone in the community is doing well...
I recently came across a request from a customer in which it was necessary to allow the use of WhatsApp but block any attempt to send files; only the messages were to be allowed. I saw that Broadcom created documentation about this in 2019, but the documentation did not work as it should, so I created a more up-to-date version of the domains and wanted to pass it on to you in case anyone is interested in replicating it.
Initially, it is impossible to intercept WhatsApp conversations and functions via proxy: it uses end-to-end encryption, which the proxy cannot intercept. However, it is possible, from the domains and requests that WhatsApp Web makes, to block or allow a request pattern. The Broadcom documentation instructs you to create a CPL that blocks the domain "mmg.whatsapp.net", but, from a little searching, this domain is no longer used for sending files; now, when sending a POST or GET of files, the common WhatsApp domain is used, but with a "subfolder" mmg.
So, in order to update this KB a bit, I created a rule that is very similar to the KB, but with updated domains.
To block file upload via WhatsApp you need to:
1- Remove the SSL interception of the WhatsApp application and domain;
2- Create a policy in a web access layer;
3- Set the destination to the domains listed below (recommended: create a List):
mmg.whatsapp.net
mmg-fna.whatsapp.net
dyn.web.whatsapp.com
mms.whatsapp.net
pps.whatsapp.net
whatsapp.net/mms
4- Set the action to Deny.
It is important to remember that with this rule messages will work normally, but the download and upload of files will not; therefore, the images of the users/groups are not displayed.
Thanks,
Newton Gomes.
------------------------------
Newton Gomes
Sr. Cybersecurity Consultant
https://www.linkedin.com/in/grcnewton/
------------------------------
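
Added example, not part of the original post and not Broadcom's code: a small Python model for checking which requests the destination list above would deny, useful for replaying proxy access-log entries before and after deploying the rule. It assumes domain-suffix matching for host entries and path-prefix matching for the "whatsapp.net/mms" entry, and that a tunnelled HTTPS request without SSL interception exposes only the CONNECT host and port; the sample requests and the host "media.whatsapp.net" are constructed.

```python
from urllib.parse import urlsplit

# Destination list from the post; an entry containing "/" carries a path prefix.
BLOCK_LIST = [
    "mmg.whatsapp.net", "mmg-fna.whatsapp.net", "dyn.web.whatsapp.com",
    "mms.whatsapp.net", "pps.whatsapp.net", "whatsapp.net/mms",
]

def parse_entry(entry):
    """Split a list entry into (domain, path_prefix); prefix is '' if absent."""
    host, _, path = entry.partition("/")
    return host.lower(), ("/" + path if path else "")

def host_matches(host, domain):
    """True for the domain itself or a subdomain, never a look-alike suffix."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def verdict(method, target):
    """Return (action, matched_entry) for one request as the proxy sees it."""
    if method.upper() == "CONNECT":
        # Assumption: no SSL interception, so only host:port is visible.
        host, path = target.rsplit(":", 1)[0], None
    else:
        parts = urlsplit(target)
        host, path = parts.hostname or "", parts.path or "/"
    for entry in BLOCK_LIST:
        domain, prefix = parse_entry(entry)
        if not host_matches(host, domain):
            continue
        if not prefix:
            return "DENY", entry
        # A path entry can only match when the request path is visible.
        if path is not None and (path == prefix or path.startswith(prefix + "/")):
            return "DENY", entry
    return "ALLOW", None

# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("CONNECT", "mmg.whatsapp.net:443"),
    ("CONNECT", "web.whatsapp.com:443"),
    ("CONNECT", "media.whatsapp.net:443"),
    ("GET", "http://media.whatsapp.net/mms/image/abc"),
    ("CONNECT", "mmg.whatsapp.net.example.org:443"),
]

if __name__ == "__main__":
    for method, target in SAMPLES:
        print(method, target, "->", verdict(method, target))
```

In this model the host-only entries match CONNECT requests, while the path entry matches only requests whose path the proxy can see.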