06-08-2011 03:35 AM
I've tried to use the file blocking option to ban attachments on Hotmail. But it's not working for me.
1. Created file blocking profile for hotmail application, certain file types and chose both directions -> block.
2. Created security rule with my IP as a source and hotmail, ssl, web-browsing in applications (added these after the warning on commit), any service, action allow and the file blocking profile selected in Individual profiles...
3. The rule is on top, and if I choose block I can't browse the web, so this is the rule that "catches" my traffic.
Tried and the attachments are working fine...
Am I missing something? Any suggestions?
Best regards,
Konstantin
06-08-2011 04:57 AM
Most of the hotmail file downloads happen via SSL. You can check the application in the traffic log. If you want to inspect the hotmail part you need to enable ssl inspection.
Also, if Hotmail is using a Java-enabled upload and download, this can keep the scanning from working.
Marcel
06-08-2011 05:14 AM
Marcel,
I actually did a Wireshark capture of the file transfer and it's over HTTP (port 80).
I can even see the following data when I do decode on the stream (to host du101w.dub101.mail.live.com - 94.245.116.7):
Referer:http://msc.wlxrs.com/poBCDexPyDTmZU!g1!Ku5AkCPPjLAp!IHrxFrh9VuKRu7mzDkQY3SbPGkjTKUo4L/Microsoft.Live.Silverlight.HotmailUploader.xap
Content-Length: 960997
Content-Type: application/x-www-form-urlencoded
filename: HwQgBBUEFAQbBB4EEwQgACIEFQQlBB0EGAQnBBoEHgQgACAEFQQoBBUEHQQYBBUEIAAXBBAEIAARBBUEIgQeBB0ELgBwAGQAZgA=
silverlightupload: true
%PDF-1.5
and at the end I can see:
xref
So does this give you any valuable information?
Best regards!
06-08-2011 09:07 AM
Looks like it is using Silverlight to do the file transfer.
I would suggest to create a case and see if we can inspect the silverlight file transfers.
We might be able to detect the silverlight upload and create something for this.
Marcel
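The capture above shows why a check keyed on the declared content type or a multipart upload can miss this transfer: the body is a raw PDF sent as `application/x-www-form-urlencoded`, with the name in a custom `filename` header. The following is an added example, not code from any poster or from the firewall vendor. It inspects a raw HTTP request by its leading magic bytes; the sample request, host name and signature table are constructed, and treating the `filename` value as base64 of a UTF-16LE string is an assumption based on the captured header.

```python
import base64

# Constructed signature table: leading bytes -> file type a blocking profile might list.
MAGIC = {b"%PDF-": "pdf", b"PK\x03\x04": "zip", b"MZ": "pe"}

def parse_request(raw: bytes):
    """Split a raw HTTP request into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body

def decode_filename(value: str):
    """Assumption: the header carries base64 of a UTF-16LE file name."""
    if not value:
        return None
    try:
        return base64.b64decode(value, validate=True).decode("utf-16-le")
    except ValueError:                            # bad base64 or bad UTF-16
        return None

def inspect_upload(raw: bytes):
    """Classify the body by content, not by what the client declares."""
    headers, body = parse_request(raw)
    declared = headers.get("content-type")
    detected = next((t for sig, t in MAGIC.items() if body.startswith(sig)), None)
    return {
        "declared": declared,
        "detected": detected,
        "filename": decode_filename(headers.get("filename", "")),
        "silverlight": headers.get("silverlightupload", "").lower() == "true",
        # A real file hidden behind a form-data content type is the case in the capture.
        "mismatch": detected is not None and declared == "application/x-www-form-urlencoded",
    }

# Constructed request modelled on the headers in the capture (not the real traffic).
SAMPLE = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"filename: " + base64.b64encode("report.pdf".encode("utf-16-le")) + b"\r\n"
    b"silverlightupload: true\r\n\r\n"
    b"%PDF-1.5\n1 0 obj\n<</Type/Catalog>>\nendobj\n"
)

if __name__ == "__main__":
    print(inspect_upload(SAMPLE))
```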