File blocking not working with Hotmail


L1 Bithead

I've tried to use the file blocking option to ban attachments on Hotmail, but it's not working for me.

1. Created file blocking profile for hotmail application, certain file types and chose both directions -> block.

2. Created security rule with my IP as a source and hotmail, ssl, web-browsing in applications (added these after the warning on commit), any service, action allow and the file blocking profile selected in Individual profiles...

3. The rule is on top, and if I choose block I can't browse the web, so this is the rule that "catches" my traffic.

Tried and the attachments are working fine...

Am I missing something? Any suggestions?

Best regards,

Konstantin

3 REPLIES 3

L4 Transporter

Most of the hotmail file downloads happen via SSL. You can check the application in the traffic log. If you want to inspect the hotmail part you need to enable ssl inspection.

Also, if Hotmail is using a Java-enabled upload and download, this can keep the scanning from working.

Marcel

Marcel,

I actually did a Wireshark capture of the file transfer and it's over HTTP (port 80).

I can even see the following data when I decode the stream (to host du101w.dub101.mail.live.com - 94.245.116.7):

Referer:http://msc.wlxrs.com/poBCDexPyDTmZU!g1!Ku5AkCPPjLAp!IHrxFrh9VuKRu7mzDkQY3SbPGkjTKUo4L/Microsoft.Live.Silverlight.HotmailUploader.xap

Content-Length: 960997

Content-Type: application/x-www-form-urlencoded

filename: HwQgBBUEFAQbBB4EEwQgACIEFQQlBB0EGAQnBBoEHgQgACAEFQQoBBUEHQQYBBUEIAAXBBAEIAARBBUEIgQeBB0ELgBwAGQAZgA=

silverlightupload: true

%PDF-1.5

%....

1 0 obj

<</Type/Catalog/Pages 2 0 R/Lang(mk-MK) >>

endobj

2 0 obj

<</Type/Pages/Count 9/Kids[ 3 0 R 19 0 R 31 0 R 38 0 R 41 0 R 44 0 R 50 0 R 53 0 R 55 0 R] >>

endobj

3 0 obj

<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R/F2 10 0 R/F3 12 0 R/F4 14 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 595.32 841.92] /Contents 4 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S>>

endobj

4 0 obj

<</Filter/FlateDecode/Length 4242>>

stream


and at the end I can see:

endstream
endobj
81 0 obj
<</Type/XRef/Size 81/W[ 1 4 2] /Root 1 0 R/Info 58 0 R/ID[<8B702CF0E319FF4598A4B5ECC7CE03F2><8B702CF0E319FF4598A4B5ECC7CE03F2>] /Filter/FlateDecode/Length 289>>
stream
endstream
endobj
xref


So does this give you any valuable information?

Best regards!

Looks like it is using Silverlight to do the file transfer.

I would suggest to create a case and see if we can inspect the silverlight file transfers.

We might be able to detect the silverlight upload and create something for this.

Marcel
