We currently use our PAN in quite a dumb way: most internet access for end users is controlled by a single rule at the top of our rule set, which simply allows https/https as outbound services. We don't block/allow specific applications, but we do block by URL category and we do monitor using app-id.
Could I please get a little feedback on how to effectively block users from downloading software from the internet (typical .exe and .msi installer files) whilst not disturbing all the "background" downloads that things such as a manual trip to Windows Update would result in?
We've found that we can get so far by having an override page on shareware/freeware by URL category, but a lot of sites, often the vendor's own site, slip through the net, so we're not sure we have too many options other than to block on .exe/msi - and even then we only seem to be able to block or continue rather than override with a password.
Thanks in advance.
What we did was deny executable downloads from any website that falls into the "unknown" category of Brightcloud. The only exception is that if you are an authenticated IT person - you are allowed to download (as many vendor sites are not always classified - or download servers can't be classified). This has reduced our infection rate of workstations by approx 75% (at least our infection alerts). It has been a huge success for us - with very few false positives. Once in a while we have to add a user to the allow rule as a business site is considered "unknown". Typically it is temporary access. What we found is that most of the big download sites (such as Microsoft and Adobe) are classified and still work. I built a report that tells me the daily blocks. This allows me to see when a download site is no longer classified or if someone is trying to download a file and I can follow up with them if it's business related. Does this describe what you are interested in setting up?
We have a security rule where, for the users' IP segment, a File Blocking profile has dll, exe, msi (whatever you need) set to the block action. There are a few apps that now and then have to download some updated dll files. For that there is a rule that sits before the global user IP segment rule and allows dll from specific IPs. If a dll is downloaded from another site, it is blocked (for you, instead of IP, you could use app, URL category, etc.).
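The two replies above share one pattern: a narrow exception rule placed before a broad block, plus a daily review of what was blocked. The following is an added example, not code from any poster and not PAN-OS configuration or log format. It models first-match rule evaluation and the daily block report in Python; the rule names, group name, category values, hosts and events are all constructed assumptions.

```python
from collections import defaultdict
from typing import NamedTuple

class Download(NamedTuple):
    day: str
    user: str
    group: str      # directory group of the authenticated user (assumed field)
    host: str
    category: str   # URL category; "unknown" means the site is not classified
    filename: str

EXECUTABLE = (".exe", ".msi")

# Ordered rules, first match wins. The exception sits above the block,
# as both replies describe. Rule and group names are hypothetical.
RULES = [
    ("it-staff-exception", lambda d: d.group == "it-staff", "allow"),
    ("block-exe-unknown",
     lambda d: d.category == "unknown"
     and d.filename.lower().endswith(EXECUTABLE), "block"),
    ("default-web", lambda d: True, "allow"),
]

def evaluate(d, rules=RULES):
    """Return (rule name, action) of the first rule that matches."""
    for name, match, action in rules:
        if match(d):
            return name, action
    return "implicit-deny", "block"

def daily_block_report(events, rules=RULES):
    """Map day -> host -> sorted list of blocked users, for follow-up."""
    report = defaultdict(lambda: defaultdict(set))
    for d in events:
        if evaluate(d, rules)[1] == "block":
            report[d.day][d.host].add(d.user)
    return {day: {host: sorted(users) for host, users in hosts.items()}
            for day, hosts in report.items()}

# Constructed sample events (not real log data).
EVENTS = [
    Download("2024-05-01", "alice", "staff", "dl.vendor.example", "unknown", "setup.exe"),
    Download("2024-05-01", "bob", "it-staff", "dl.vendor.example", "unknown", "setup.exe"),
    Download("2024-05-01", "carol", "staff", "updates.bigvendor.example", "business", "patch.msi"),
    Download("2024-05-02", "dave", "staff", "dl.vendor.example", "unknown", "Tool.MSI"),
    Download("2024-05-02", "alice", "staff", "files.example", "unknown", "notes.pdf"),
]

if __name__ == "__main__":
    for day, hosts in sorted(daily_block_report(EVENTS).items()):
        print(day, hosts)
```

A host that shows up in the report on several days for different users is a candidate for a category change request or a scoped exception. Swapping the first two rules makes the exception unreachable for unclassified executables.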