File Blocking process

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

File Blocking process

L0 Member

How does Palo Alto identify files, such as ".exe" when we have a rule set to block the download?  What is the process that Palo Alto uses?

1 accepted solution

Accepted Solutions

L4 Transporter

We use signatures to identify the file type. We do not use the extension type.

View solution in original post

6 REPLIES 6

L4 Transporter

We use signatures to identify the file type. We do not use the extension type.

What are the signatures based upon? 

The system is looking at the file header and MIME type which are determined at file creation.   This prevents the obfuscation of the the file by changing the extension to .txt.

Can someone please refer me to an official document (a technical one) by Palo Alto clearly explaining how the file types will be detected (signature in oppose to extension checks). Will greatly help when it comes to cutomers and references.

Binary files have signatures in the beginning of the file.

You can verify if you open file with HEX Editor.

 

Startingpoint might be here: https://en.wikipedia.org/wiki/List_of_file_signatures

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

I haven't seen a highly technical document that really dives into exactly how the file blocking engine works.  There's some mention of it in the official documentation.  I also found mention of it being based on the content/file type and not just on a file extention in this document:

 - https://www.paloaltonetworks.com/resources/techbriefs/content-id-tech-brief

 

It's easy to validate this functionality for yourself.  Configure a "file blocking" profile with action=alert for all applications and all file types.  Attach that to a security policy that permits a test machine to use FTP.  Take a pdf file and change the extension to .exe (or duplicate that file numerous times and also rename it to .bat, .jpg, .doc, .torrent, etc.).  Use FTP to transfer these files through the firewall.  Finally, look at the data filtering log to see the results.  

 

I took a copy of the PDF file linked above, duplicated it a few times, forged the extension on all but one of the samples, and then transferred it through the firewall using FTP.  The first snip is the directory with the duplicated/renamed files (all same date and file size).  The 2nd snip shows the firewall logging the forged filename while identifying the file type as actually being Adobe PDF.  

 

01-directory.png

02-logs.png

 

 

  • 1 accepted solution
  • 7147 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!