Anyone Blocked a specific file from being downloaded?

L3 Networker

Hello All,

   I am wondering if there is a way to block a specific file from any internet source.  We would like to block users from grabbing a specific unsupported browser. (when you have 85k+ workstations - you need to keep them uniform for supportability :smileywink:)

   I am looking at the File Blocking option and it doesn't seem to allow for specification of the filename ...

  Any ideas?

Thanks

Art

L6 Presenter

Hi Art... There is no way to block a file based on name ... It can be blocked by type.

L7 Applicator

Hi,

Could you please check with Data Filtering Profiles. We can create a custom data-filtering profile as mentioned below.

Objects > Security Profiles > Data Filtering

Custom Patterns—To match a custom data pattern for the traffic that is subject to this profile, create a custom data pattern by clicking Add and specifying the pattern name, regular expression (regex) to match, and weight (0-255, 255 is highest weight). You can add multiple match expressions to the same data pattern profile.

Hope it will help you.

Thanks

Subhankar

L5 Sessionator

Hi Art,

If you have particular URLs where it can be downloaded from, then you can block them based on a custom URL.

Hope this helps

Thanks

L3 Networker

Hi Subhankar,

   Good Idea... I will explore this idea.

   One of our Team found this KB article:

https://live.paloaltonetworks.com/docs/DOC-3375

I have been exploring this - it looks really solid... so need to figure out how to test it and go from there.

thanks for the help!

Art

L3 Networker

Hi,
   This is what we thought of first ... but realized (via a Bing search) the file is available from hundreds of sources... so not going to work for us.

Thanks

Art

L4 Transporter

You also might want to look into creating a custom AppID (application signature). The following doc shows how to create one:

https://live.paloaltonetworks.com/docs/DOC-2015

It is just a matter of finding what is in the GET HTTP URI header and creating a signature based on that. If it is a browser, it should use the same name for the exe or zip file, so it should be straightforward. I have created a couple and they work well.

The inherent vice of capitalism is the unequal sharing of blessings; the inherent virtue of socialism is the equal sharing of miseries.
L4 Transporter

Art,

The Knowledge base article is correct.  We are creating custom vulnerability signatures to prevent the downloading of specific file names, such as Bad-Filename.zip or Bad-Filename.exe.  The signatures are based on the http-uri path and file name, so the server hosting name or location on the internet is irrelevant.  This has been successful for us and we also use it to block the downloading of tool-bars and other unwanted software.  There are some precautions: the filename or uri path/filename should be unique to avoid false blocking, and the signature also needs to be a minimum of 7 characters.

Phil
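The precautions in the post above (a unique filename and a minimum of 7 characters) can be checked offline before a signature is deployed. The following is an added example, not code from this thread or from Palo Alto Networks: it assumes a literal, case-insensitive substring match on the URL path, which is a stand-in for the firewall's own matching, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

MIN_PATTERN_LEN = 7  # minimum signature length given in the post above

# Constructed sample URLs (not real hosts): (url, should_block)
SAMPLES = [
    ("http://mirror-a.example/downloads/Bad-Filename.exe", True),
    ("http://mirror-b.example/pub/v2/Bad-Filename.zip", True),
    ("http://intranet.example/kb/Bad-Filename.exe-removal-guide.html", False),
    ("http://vendor.example/files/Good-Browser.exe", False),
]


def evaluate_pattern(pattern, samples=SAMPLES):
    """Dry-run a candidate filename pattern against labelled URLs.

    Assumption: the pattern is treated as a literal string matched
    case-insensitively against the URL path only (host and query ignored).
    Returns the length check plus the URLs that would be wrongly blocked
    (false_positives) and the unwanted downloads not covered (missed).
    """
    result = {
        "long_enough": len(pattern) >= MIN_PATTERN_LEN,
        "false_positives": [],
        "missed": [],
    }
    needle = pattern.lower()
    for url, should_block in samples:
        hit = needle in urlsplit(url).path.lower()
        if hit and not should_block:
            result["false_positives"].append(url)
        elif not hit and should_block:
            result["missed"].append(url)
    return result


if __name__ == "__main__":
    # Compare an extension-specific pattern, a broader one, and a too-short one.
    for candidate in ("Bad-Filename.exe", "Bad-Filename.", "Bad.ex"):
        print(candidate, evaluate_pattern(candidate))
```

Feeding it paths taken from existing proxy or URL logs, labelled by hand, shows how unique a filename really is in your own traffic before the signature goes live.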
