topic Thinking about blocking executable file downloads - Gotchas? in General Topics

Thinking about blocking executable file downloads - Gotchas?

scottsander — Wed, 06 Jul 2016 13:06:44 GMT

In our environment, we have eliminated the scourge of people being local administrators on computers, with the exception of administrative accounts assigned to some of the IT personnel. I'm thinking about blocking the DLL, DMG, EXE, MSI, and PE file types for everyone but IT personnel.

Are there any caveats or big gotchas related to doing so? I'm thinking that things like GoToMeeting/WebEx/Skype For Business conferences might be a problem. Are there any good ways to work around that?

Re: Thinking about blocking executable file downloads - Gotchas?

Roby_Sreejith — Wed, 06 Jul 2016 14:20:16 GMT

You need to create 2 security policies.

Create a new custom url category.

Then whitelist the urls page where you download trusted urls like gotomeeting etc.

Then create a file blocking to allow exe download
Create security policy above your web-browsing policy and associate above 2 profiles

If you want you can restrict for users also

Create new file blocking profile to block all exe, you can associate with this your web browsing rule or any rule which you want to block exe.

Re: Thinking about blocking executable file downloads - Gotchas?

bmorris1 — Wed, 06 Jul 2016 14:24:02 GMT

I would think about what applications in your environment do automatic updates. Google chrome for example is one app that is always downloading updates in the from of GoogleUpdate.exe. Another thing to consider would be Windows updates as they consist of DLL files I believe.

A good way to work around it would be to create a custom URL category that consists of URLs that you are ok with PE files being downloaded from. Then create a new security rule such as 'whitelist .exe' and add this category to it and a new file blocking profile to alert on all files (that way you can confirm only the files you want are getting through via this rule).

I hope this helps you out!

Ben

Re: Thinking about blocking executable file downloads - Gotchas?

DPoppleton — Wed, 21 Dec 2016 19:31:16 GMT

How do you handle things when the files don't come from a specific URL, but instead download from Akamai or the like? These can come from many different IP addresses. We are blocking all PE files, but there are some that need to come through and we wind up allowing a specific user to download anything from the internet, which isn't a good solution.

Re: Thinking about blocking executable file downloads - Gotchas?

BPry — Wed, 21 Dec 2016 22:10:45 GMT

The biggest gotchas is going to always be applications that update in the background. You probably don't want to be in a sitaution where you have to spend time upgrading stupid things like Chrome or FireFox. That being said if you manage those already through something like SCCM then it really doesn't matter that much really.