File Blocking process

tedjscott
L0 Member

How does Palo Alto identify files, such as ".exe" when we have a rule set to block the download?  What is the process that Palo Alto uses?


Accepted Solutions
skrall
L4 Transporter

We use signatures to identify the file type. We do not use the extension type.

All Replies

tedjscott
L0 Member

What are the signatures based upon? 

nrice
L5 Sessionator

The system is looking at the file header and MIME type, which are determined at file creation. This prevents obfuscation of the file by changing the extension to .txt.

Mass
L2 Linker

Can someone please refer me to an official document (a technical one) by Palo Alto clearly explaining how the file types will be detected (signatures as opposed to extension checks)? It will greatly help when it comes to customers and references.

Raido
L7 Applicator

Binary files have signatures at the beginning of the file.

You can verify this by opening the file in a hex editor.

A starting point might be here: https://en.wikipedia.org/wiki/List_of_file_signatures

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
jvalentine
L7 Applicator

I haven't seen a highly technical document that really dives into exactly how the file blocking engine works. There's some mention of it in the official documentation. I also found mention of it being based on the content/file type and not just on a file extension in this document:

 - https://www.paloaltonetworks.com/resources/techbriefs/content-id-tech-brief

It's easy to validate this functionality for yourself.  Configure a "file blocking" profile with action=alert for all applications and all file types.  Attach that to a security policy that permits a test machine to use FTP.  Take a pdf file and change the extension to .exe (or duplicate that file numerous times and also rename it to .bat, .jpg, .doc, .torrent, etc.).  Use FTP to transfer these files through the firewall.  Finally, look at the data filtering log to see the results.  

I took a copy of the PDF file linked above, duplicated it a few times, forged the extension on all but one of the samples, and then transferred it through the firewall using FTP.  The first snip is the directory with the duplicated/renamed files (all same date and file size).  The 2nd snip shows the firewall logging the forged filename while identifying the file type as actually being Adobe PDF.  

01-directory.png

02-logs.png
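
The detection the replies above describe (file type taken from the header signature, not the extension) and the validation test jvalentine walks through can be reproduced offline. The following is an added example written for this thread; it is not PAN-OS code or Palo Alto documentation. It classifies a file from its leading "magic" bytes, the well-known header values from the file-signature list Raido linked, and then reports whether the claimed extension disagrees with the detected type, roughly as the data filtering log did in the FTP test. The detection order, the expected-extension table, the `mismatch` field and the sample files are all my own constructions and assumptions, not the firewall's actual logic.

```python
"""
Added example (not Palo Alto's code): identify a file's type from its
leading bytes (header "magic" / signature) instead of its extension, then
flag samples whose extension disagrees with the detected type.

The signatures are the well-known header bytes for each format; the
sample files are constructed inline, not real captured files.
"""
from typing import Optional

# (detected type, signature bytes, offset within file)
SIGNATURES = [
    ("Adobe PDF", b"%PDF-", 0),
    ("Windows PE executable", b"MZ", 0),   # DOS stub header; PE confirmed below
    ("ELF executable", b"\x7fELF", 0),
    ("ZIP archive", b"PK\x03\x04", 0),
    ("JPEG image", b"\xff\xd8\xff", 0),
    ("PNG image", b"\x89PNG\r\n\x1a\n", 0),
    ("GZIP archive", b"\x1f\x8b", 0),
]

# Extensions each detected type is normally expected to carry (assumption,
# used only to decide whether the name looks forged).
EXPECTED_EXT = {
    "Adobe PDF": {"pdf"},
    "Windows PE executable": {"exe", "dll", "sys", "scr"},
    "DOS executable": {"exe", "com"},
    "ELF executable": {"elf", "so", ""},
    "ZIP archive": {"zip", "docx", "xlsx", "pptx", "jar", "apk"},
    "JPEG image": {"jpg", "jpeg"},
    "PNG image": {"png"},
    "GZIP archive": {"gz", "tgz"},
}


def detect_type(data: bytes) -> Optional[str]:
    """Return the file type implied by the header bytes, or None if unknown."""
    for name, magic, offset in SIGNATURES:
        if data[offset:offset + len(magic)] != magic:
            continue
        if name == "Windows PE executable":
            # "MZ" alone only proves a DOS header; confirm the PE header at
            # the offset stored in e_lfanew (bytes 0x3C..0x40).
            if len(data) < 0x40:
                return "DOS executable"
            pe_off = int.from_bytes(data[0x3C:0x40], "little")
            if data[pe_off:pe_off + 4] == b"PE\x00\x00":
                return name
            return "DOS executable"
        return name
    return None


def extension_of(filename: str) -> str:
    """Lower-cased extension without the dot; '' if there is none."""
    base = filename.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def classify(filename: str, data: bytes) -> dict:
    """Log-style record: extension the name claims vs. type the bytes show."""
    detected = detect_type(data)
    ext = extension_of(filename)
    expected = EXPECTED_EXT.get(detected, set())
    return {
        "file": filename,
        "extension": ext,
        "detected": detected or "unknown",
        "mismatch": detected is not None and ext not in expected,
    }


def _minimal_pe() -> bytes:
    """Constructed MZ/PE header: MZ stub, e_lfanew -> 0x40, 'PE\\0\\0' there."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40 bytes
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")    # e_lfanew
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed samples mirroring the thread's test: one PDF copied under
# forged extensions, an executable hiding behind .txt, and two controls.
PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
SAMPLES = {
    "report.pdf": PDF,
    "report.exe": PDF,
    "report.bat": PDF,
    "report.jpg": PDF,
    "report.torrent": PDF,
    "notes.txt": _minimal_pe(),
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "readme.txt": b"plain text, no known signature\n",
}


def run_samples(samples=SAMPLES) -> list:
    """Classify every sample; returns the list of log-style records."""
    return [classify(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for rec in run_samples():
        flag = "MISMATCH" if rec["mismatch"] else "ok"
        print(f"{rec['file']:<16} ext={rec['extension']:<8} "
              f"type={rec['detected']:<24} {flag}")
```

Every copy of the PDF is reported as "Adobe PDF" whatever its name, which is the behaviour the log screenshot above shows, and the MZ/PE bytes under a .txt name are still reported as an executable. Note the limitation of pure header matching that this example makes visible: formats with no fixed header (plain text, .bat scripts, many interpreted-script files) come back as "unknown" here, so a file blocking rule that keys on signature-detected type cannot be expected to catch those by signature alone; how the firewall treats such files is not something this thread establishes.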