File Blocking process

Reply
L0 Member

File Blocking process

How does Palo Alto identify files, such as ".exe" when we have a rule set to block the download?  What is the process that Palo Alto uses?

L4 Transporter

Re: File Blocking process

We use signatures to identify the file type. We do not use the extension type.

L0 Member

Re: File Blocking process

What are the signatures based upon? 

L5 Sessionator

Re: File Blocking process

The system is looking at the file header and MIME type, which are determined at file creation. This prevents the obfuscation of the file by changing the extension to .txt.

L2 Linker

Re: File Blocking process

Can someone please refer me to an official document (a technical one) by Palo Alto clearly explaining how the file types will be detected (signature as opposed to extension checks). Will greatly help when it comes to customers and references.

L7 Applicator

Re: File Blocking process

Binary files have signatures in the beginning of the file.

You can verify this if you open the file with a hex editor.

Starting point might be here: https://en.wikipedia.org/wiki/List_of_file_signatures

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
L7 Applicator

Re: File Blocking process

I haven't seen a highly technical document that really dives into exactly how the file blocking engine works. There's some mention of it in the official documentation. I also found mention of it being based on the content/file type and not just on a file extension in this document:

 - https://www.paloaltonetworks.com/resources/techbriefs/content-id-tech-brief

It's easy to validate this functionality for yourself.  Configure a "file blocking" profile with action=alert for all applications and all file types.  Attach that to a security policy that permits a test machine to use FTP.  Take a pdf file and change the extension to .exe (or duplicate that file numerous times and also rename it to .bat, .jpg, .doc, .torrent, etc.).  Use FTP to transfer these files through the firewall.  Finally, look at the data filtering log to see the results.  


I took a copy of the PDF file linked above, duplicated it a few times, forged the extension on all but one of the samples, and then transferred it through the firewall using FTP.  The first snip is the directory with the duplicated/renamed files (all same date and file size).  The 2nd snip shows the firewall logging the forged filename while identifying the file type as actually being Adobe PDF.  

Attached images: 01-directory.png (directory listing of the duplicated/renamed files), 02-logs.png (data filtering log showing the forged filenames identified as Adobe PDF)
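The same forged-extension test, reproduced locally as an added example (not code from the thread or from Palo Alto Networks): a small header-signature matcher that reports what a file actually is versus what its extension claims. The signature table and sample bytes are constructed for illustration; a real engine uses a far larger signature set.

```python
import os

# Constructed table of leading-byte signatures ("magic numbers") for a few
# common types. Matching is on content, never on the filename.
SIGNATURES = [
    (b"%PDF-", "pdf"),                 # Adobe PDF
    (b"MZ", "pe"),                     # Windows PE executable (DOS stub header)
    (b"\x89PNG\r\n\x1a\n", "png"),     # PNG image
    (b"\xff\xd8\xff", "jpeg"),         # JPEG image
    (b"PK\x03\x04", "zip"),            # ZIP container (also docx, jar, apk)
    (b"\x7fELF", "elf"),               # ELF executable
]

def identify(data: bytes) -> str:
    """Return the file type implied by the leading bytes, or 'unknown'."""
    for magic, ftype in SIGNATURES:
        if data.startswith(magic):
            return ftype
    return "unknown"

# What each extension claims to be (constructed mapping for the demo).
EXT_TO_TYPE = {".pdf": "pdf", ".exe": "pe", ".png": "png", ".jpg": "jpeg",
               ".jpeg": "jpeg", ".zip": "zip", ".docx": "zip", ".elf": "elf"}

def check(filename: str, data: bytes) -> dict:
    """Compare the type claimed by the extension with the type in the header."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXT_TO_TYPE.get(ext, "unknown")
    actual = identify(data)
    return {"file": filename, "claimed": claimed, "actual": actual,
            "mismatch": claimed != actual}

# Constructed sample set: one minimal PDF copied under several forged
# extensions (as in the FTP test above) plus a genuine PE stub.
PDF_BYTES = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF\n"
SAMPLES = {"report.pdf": PDF_BYTES, "report.exe": PDF_BYTES,
           "report.jpg": PDF_BYTES, "report.bat": PDF_BYTES,
           "setup.exe": b"MZ\x90\x00" + b"\x00" * 60}

def run_samples() -> list:
    return [check(name, data) for name, data in SAMPLES.items()]

if __name__ == "__main__":
    for r in run_samples():
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{r['file']:12} claimed={r['claimed']:8} actual={r['actual']:8} {flag}")
```

Every renamed copy of the PDF is reported as actual=pdf with a mismatch flag, which is the same conclusion the data filtering log shows in the screenshots.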
