Blocking jar and class files. What about *.pack.gz?


L3 Networker

To mitigate the threat of the non-stop Java exploits I've started to block jar files and class files. Now in the data filter logs I spot *.jar.pack.gz files. I'm wondering about a few things:

  1. Is blocking jar and class files a good mitigation against browser-based desktop Java exploits (drive-bys)? As far as I can tell from my research the answer is yes.
  2. Does blocking a jar file ALSO block the jar.pack.gz container?
  3. Anyone else out there doing this? Seems like a no-brainer if your company does not need to constantly download jar and class files for business reasons.
  4. PS: I know I should keep Java up to date but that is going to take so much time and effort. Unlinking it from the browser would work better and I'm going to try doing that via a GPO.

Cheers!

3 REPLIES

L6 Presenter

1) Yes, given that the firewall (or whatever you have inline between the Internet and the client) can detect jar and class files and block such transmissions.

The above should also be used along with:

1.1) Uninstall Java JRE/JDK completely from the client.

1.2) If 1.1 is not possible then at least remove the connection to the browser.

1.3) If 1.2 is not possible or as a secondary mitigation - use a different browser for the Internet compared to internal resources. For example, using Internet Explorer for internal resources (and in the Java settings only enable Java for IE, not the other browser), and Google Chrome (let it autoupdate itself) for Internet use. Don't forget to disable the built-in Java plugin through chrome://plugins

2) I'm not sure. I think I saw a similar thread previously in this community forum where an admin had to block the gzip/zip filetype as well to completely block downloads of jar/class files (because PA currently doesn't support filetype within filetype - only the outer filetype will be handled, I think).

Another example is if a jar/class file is smuggled within an office-document or such.

3) Yes, but the other way around is often easier - specify which filetypes should be allowed (but keep in mind that allowing gzip/zip will most likely allow compressed jar/class files as well).

4) See 1.1 - 1.3 above 😉
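The "filetype within filetype" gap described in this reply, as an added example that is not part of the original thread or any vendor's code: a Python check that unwraps gzip and zip layers and reports Java payloads by magic bytes (0xCAFEBABE for class files, 0xCAFED00D for Pack200). The names find_java and make_zip are hypothetical, and the samples are constructed magic bytes with padding.

```python
import gzip, io, zipfile, zlib

MAX_DEPTH = 3                  # container layers to unwrap before giving up
MAX_BYTES = 16 * 1024 * 1024   # per-layer read cap (decompression-bomb guard)
MAGIC = {b"\xca\xfe\xba\xbe": "class", b"\xca\xfe\xd0\x0d": "pack200"}

def find_java(data: bytes, depth: int = 0) -> list[str]:
    """Return paths such as 'gzip/pack200' for Java payloads found in data."""
    if data[:4] in MAGIC:
        return [MAGIC[data[:4]]]
    if depth >= MAX_DEPTH:
        return []
    if data[:2] == b"\x1f\x8b":                      # gzip wrapper (*.pack.gz)
        try:
            with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
                inner = gz.read(MAX_BYTES)
        except (OSError, EOFError, zlib.error):
            return []
        return ["gzip/" + hit for hit in find_java(inner, depth + 1)]
    if data[:4] == b"PK\x03\x04":                    # zip wrapper (jar, docx, zip)
        hits = []
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    with zf.open(info) as member:
                        inner = member.read(MAX_BYTES)
                    hits += ["zip/" + h for h in find_java(inner, depth + 1)]
        except (zipfile.BadZipFile, OSError, zlib.error, RuntimeError):
            pass                                     # keep hits found before the error
        return hits
    return []

def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip; used only for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples: magic bytes plus padding, not real Java artifacts.
CLASS = b"\xca\xfe\xba\xbe" + b"\x00" * 16
PACK_GZ = gzip.compress(b"\xca\xfe\xd0\x0d" + b"\x00" * 16)
JAR = make_zip({"A.class": CLASS})
DOCX = make_zip({"word/document.xml": b"<w:document/>", "embed.bin": JAR})

if __name__ == "__main__":
    for name, blob in [("a.jar.pack.gz", PACK_GZ), ("a.jar", JAR), ("a.docx", DOCX)]:
        print(name, find_java(blob))
```

The 0xCAFEBABE magic is also used by Mach-O universal binaries, so a "class" hit is a candidate for review rather than a verdict.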

Thanks. Yeah, I guess it's a grey area with the gz/gzip/zip and jar. I'll keep an eye on it.

( filename contains class ) or ( filename contains jar )

Also, I'll continue with the strategy of unlinking it from our browsers (IE9) as a second line of defence.

FYI: Java 7 update 11 has an option in the security tab to enable/disable Java content in the browser.

Not applicable

Well, when downloading the jar file (http://repo1.maven.org/maven2/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar), PAN blocks it as a torrent file (the only file type block for this security policy). We need an update ASAP!
