topic Re: File Blocking process in General Topics

File Blocking process

tedjscott — Tue, 27 Sep 2011 20:37:22 GMT

How does Palo Alto identify files, such as ".exe" when we have a rule set to block the download? What is the process that Palo Alto uses?

Re: File Blocking process

skrall — Fri, 30 Sep 2011 23:17:02 GMT

We use signatures to identify the file type. We do not use the extension type.

Re: File Blocking process

tedjscott — Mon, 03 Oct 2011 17:25:20 GMT

What are the signatures based upon?

Re: File Blocking process

nrice — Mon, 03 Oct 2011 18:56:23 GMT

The system is looking at the file header and MIME type which are determined at file creation. This prevents the obfuscation of the the file by changing the extension to .txt.

Re: File Blocking process

Mass — Tue, 12 Sep 2017 11:45:09 GMT

Can someone please refer me to an official document (a technical one) by Palo Alto clearly explaining how the file types will be detected (signature in oppose to extension checks). Will greatly help when it comes to cutomers and references.

Re: File Blocking process

Raido_Rattameister — Tue, 05 Sep 2017 21:00:13 GMT

Binary files have signatures in the beginning of the file.

You can verify if you open file with HEX Editor.

Startingpoint might be here: https://en.wikipedia.org/wiki/List_of_file_signatures

Re: File Blocking process

jvalentine — Tue, 12 Sep 2017 20:56:49 GMT

I haven't seen a highly technical document that really dives into exactly how the file blocking engine works. There's some mention of it in the official documentation. I also found mention of it being based on the content/file type and not just on a file extention in this document:

- https://www.paloaltonetworks.com/resources/techbriefs/content-id-tech-brief

It's easy to validate this functionality for yourself. Configure a "file blocking" profile with action=alert for all applications and all file types. Attach that to a security policy that permits a test machine to use FTP. Take a pdf file and change the extension to .exe (or duplicate that file numerous times and also rename it to .bat, .jpg, .doc, .torrent, etc.). Use FTP to transfer these files through the firewall. Finally, look at the data filtering log to see the results.

I took a copy of the PDF file linked above, duplicated it a few times, forged the extension on all but one of the samples, and then transferred it through the firewall using FTP. The first snip is the directory with the duplicated/renamed files (all same date and file size). The 2nd snip shows the firewall logging the forged filename while identifying the file type as actually being Adobe PDF.