https://live.paloaltonetworks.com/t5/general-topics/chrome-updater-not-working-if-exe-is-blocked-application-not/m-p/39261#M28804 <HTML><HEAD></HEAD><BODY><P>1) You posted in wrong subforum - hopefully someone from PA could move your thread so more people will notice it <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>2) You can request app enhancement from the Apps and Threats Research Center.</P><P></P><P><A class="jive-link-external-small" href="http://www.paloaltonetworks.com/researchcenter/tools/">http://www.paloaltonetworks.com/researchcenter/tools/</A></P><P></P><P>From there you can click on Submit an app and provide details there.</P><P></P><P>3) As workaround I think you can do an "application override" if you have something to trigger at. Like:</P><P>dsturl: update.google.com</P><P>appid: web-browsing</P><P>file: .exe</P><P>new appid: google-update</P></BODY></HTML> Mon, 02 Jul 2012 18:11:46 GMT mikand 2012-07-02T18:11:46Z https://live.paloaltonetworks.com/t5/general-topics/chrome-updater-not-working-if-exe-is-blocked-application-not/m-p/39260#M28803 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>in one customer setup we face the following problem: We disabled EXE file downloading. In order do allow services to update we use an application filter with subcategory update and allow that traffic. Works like a charm for google-update, ms-update etc. However today I noticed tons of blocks from xxxxxx_Chrome_updater.exe (xxxxx being date, version etc.). The application is "web-browsing". So the update process is not discovered as being an update application. Is this an error or missing feature in the app-id? How can I whitelist this or make a custom application out of this? We see this more often with special EXEs we need to whitelist. Any idea of how to achieve this?</P><P></P><P></P><P>Kind regards,</P><P>&nbsp; JP</P></BODY></HTML> Mon, 02 Jul 2012 16:08:24 GMT https://live.paloaltonetworks.com/t5/general-topics/chrome-updater-not-working-if-exe-is-blocked-application-not/m-p/39260#M28803 j.koopmann 2012-07-02T16:08:24Z https://live.paloaltonetworks.com/t5/general-topics/chrome-updater-not-working-if-exe-is-blocked-application-not/m-p/39261#M28804 <HTML><HEAD></HEAD><BODY><P>1) You posted in wrong subforum - hopefully someone from PA could move your thread so more people will notice it <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>2) You can request app enhancement from the Apps and Threats Research Center.</P><P></P><P><A class="jive-link-external-small" href="http://www.paloaltonetworks.com/researchcenter/tools/">http://www.paloaltonetworks.com/researchcenter/tools/</A></P><P></P><P>From there you can click on Submit an app and provide details there.</P><P></P><P>3) As workaround I think you can do an "application override" if you have something to trigger at. Like:</P><P>dsturl: update.google.com</P><P>appid: web-browsing</P><P>file: .exe</P><P>new appid: google-update</P></BODY></HTML> Mon, 02 Jul 2012 18:11:46 GMT https://live.paloaltonetworks.com/t5/general-topics/chrome-updater-not-working-if-exe-is-blocked-application-not/m-p/39261#M28804 mikand 2012-07-02T18:11:46Z https://live.paloaltonetworks.com/t5/general-topics/chrome-updater-not-working-if-exe-is-blocked-application-not/m-p/39262#M28805 <HTML><HEAD></HEAD><BODY><P>Hi.</P><P></P><P>ad 1) sorry. which one would have been more suitable? Still have to find my way around Jive I suppose...</P><P></P><P>ad 2) Done.</P><P></P><P>ad 3) This is more or less exactly what I want. But I fail to see where/how to do this.</P><P></P><P>dsturl: update.google.com does not exist. I am trying to figure out which one is the correct URL. I started a pcap and hope that the next request will show the necessary information.</P><P></P><P>But how do you configure this sort of application override? The ones I know are based on source/destination IP/port not application/file etc. I could create a new application which is based on signatures but how? Where to put the url (request uri?) and how to match on the filename (I would need a regex for that if regex is supported).</P><P></P><P>Kind regards,</P><P>&nbsp; JP</P></BODY></HTML> Mon, 02 Jul 2012 19:50:23 GMT https://live.paloaltonetworks.com/t5/general-topics/chrome-updater-not-working-if-exe-is-blocked-application-not/m-p/39262#M28805 j.koopmann 2012-07-02T19:50:23Z https://live.paloaltonetworks.com/t5/general-topics/chrome-updater-not-working-if-exe-is-blocked-application-not/m-p/39263#M28806 <HTML><HEAD></HEAD><BODY><P>1) Click on Home in the upper left then on KnowledgePoint and finally Discussion <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>3) Oops sorry... application override doesnt act on url. However you can go for dstip (which I guess wont work in this case since its Google we speak about and too many ip's).</P><P></P><P>Custom application would then be the way to go...</P><P></P><P>I think something like this might help you:</P><P></P><P>parent-app: web-browsing</P><P>defaults port: tcp/443 (assuming its using https only)</P><P>ip protocol: 6 (tcp)</P><P>scanning: file-types, data-patterns, viruses</P><P></P><P>and then the actual signature... check page 171 in the admin guide for examples.</P><P></P><P>Since this is mainly to allow traffic I think you should be as narrow as you possible can.</P><P></P><P>Dont forget to have ssl-termination running in order to inspect the https contents.</P></BODY></HTML> Mon, 02 Jul 2012 20:24:28 GMT https://live.paloaltonetworks.com/t5/general-topics/chrome-updater-not-working-if-exe-is-blocked-application-not/m-p/39263#M28806 mikand 2012-07-02T20:24:28Z