07-18-2013 09:45 AM
Hello All,
I am wondering if there is a way to block a specific file from any internet source. We would like to block users from grabbing a specific unsupported browser. (when you have 85k+ workstations - you need to keep them uniform for supportability 
)
I am looking at the File Blocking option and it doesn't seem to allow for specification of the filename ...
Any ideas?
Thanks
Art
07-18-2013 01:41 PM
Hi,
Could you please check with Data Filtering Profiles. We can create a custom data-filtering profile as mentioned below.
Objects > Security Profiles > Data Filtering
Custom Patterns—To match a custom data pattern for the traffic that is subject to this profile, create a custom data pattern by clicking Add and specifying the pattern name, regular expression (regex) to match, and weight (0-255, 255 is highest weight). You can add multiple match expressions to the same data pattern profile. |
Hope it will help you.
Thanks
Subhankar
07-18-2013 02:43 PM
Hi Subhankar,
Good Idea... I will explore this idea.
One of our Team found this KB article:
https://live.paloaltonetworks.com/docs/DOC-3375
I have been exploring this - it looks really solid... so need to figure out how to test it and go from there.
thanks for the help!
Art
07-18-2013 02:44 PM
Hi,
This is what we thought of first ... but realized (via a Bing search) the file is available from hundreds of sources... so not going to work for us.
Thanks
Art
07-19-2013 01:34 PM
You also might want to look into creating a custom AppID (Application signature), The following doc shows how to create one:
https://live.paloaltonetworks.com/docs/DOC-2015
It is just a matter of finding what is in the GET http uri header and creating a signature based on that. If it is a browser, it should use the same name for the exe or zip file so it should be straight forward. I have created a couple and they work well.
07-19-2013 06:07 PM
Art,
The Knowledge base article is correct. We are creating custom vulnerability signatures to prevent the downloading of specific file names. Such as Bad-Filename.zip or Bad-Filename.exe The signatures are based on http-uri path and file name so the server hosting name or location on the internet is irrelevant. This has been successful for us and we also use it to block the downloading of tool-bars and other unwanted software. There are some precautions (filename or uri path/filename should be unique to avoid false blocking) signature also needs to be minimum of 7 characters.
Phil
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
