File blocking

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

File blocking

L4 Transporter

Dears,

I am not able to block msi file via file blocking profile.

I have created a file blocking profile to block msi and different types of file extensions to block by the policy.

Then I tried to open exe file in the chrome browser which is working fine means block as expected. However, when i try to block msi file. It is blocked at the first time then i resume the blocking, and it Is again downloaded completely.

1 Example- Tried to block putty msi not able to download in first time check the screenshot 1.but when I click on a resume it will download completely check the screenshot second: -

Jafar_Hussain_0-1606461774177.png

          Screenshot-1

 

 

Jafar_Hussain_2-1606462014421.png

             Screenshot-2

 

Example 2- When I tried to block Webex msi and it is redirected to URL then it is blocked.

 

Jafar_Hussain_1-1606461839870.png

 

Can anyone help me with this?

 

8 REPLIES 8

Cyber Elite
Cyber Elite

@Jafar_Hussain,

Do you see the file in the logs when you go back and look at them or is the firewall not seeing the file? 

@BPry 

Yes, i can see the msi files in the data filtering log. the action is deny but still file is downloading.

@BPry 

@aleksandar.astardzhiev 

When i applied the decryption and create a custom file blocking profile to block any file then it is working perfectly. i am able to block the traffic.

Jafar_Hussain_0-1606651746847.jpeg

 

However, once I apply for the specific MSI extension in blocking. i was facing the previous issue. i am not able to find out the reason why its happening because as per compliance policy i need to only block MSI and exe not all files.

Hey @Jafar_Hussain ,

You didn't answer my question - Are you using "allow http partial response" ?

 

What I am thinking is - when you start downloading a file, firewall will buffer the data in the transfered packets and will build a copy of the transfered file. It will use the information in the file to identify what type it is. I believe it is using the "magic bytes" which are at the beging of the file. So on your first attempt to donwload the file firewall will see allow the first few bytes to be transfered, during that it will detect that the file is msi and will block the connection and effectively block the rest of the file to be downloaded.

Now with http partial response, your browser is able to tell the server that it already has the first N bytes, so intsead of starting from the beginning, it will requests from the server to send the rest. Because of that the firewall will not see the magic bytes and it will not be able to identify the actual file type, which will not match your file blocking profile and therefor allow for the user to resume the download (effectively starting new session downloading the rest of the file).

 

Disabling this option will tell the firewall to reset any http session that is trying to resume download (telling the server from which byte to start). The problem is that this is configured on global level and it is breaking Microsoft update (and other like SCCM). So a lot of people leave it disabled (meaning allow http partial response).

 

I would suggest you to try to enable this feature (just for the test) and see if you are still able to resume the download

@aleksandar.astardzhiev 

 

Thank you so much for the detailed information. when i uncheck the "Allow HTTP partial response" it is working as expected.

 

As you mention Disabling this option will breaking Microsoft update (and other like SCCM). So a lot of people leave it disabled (meaning allow http partial response).

So any other option to achieve my requirement.

Hey, @Jafar_Hussain ,

 

Unfortunately I don't believe there is other solution except to disable http patial response.

Not sure if I am not thinking for something else, but I belive there was feature request to be able to override this option per rule... But I am really not sure..If you have contact with sale engineer you can check with him.

 

 

@aleksandar.astardzhiev 

 

Thanks for our suggestion.

I have tried the below option and the issue has been resolved.

I have checked once i click on a resume while downloading the MSI file with by default strict file blocking profile. in the data filtering logs, i can see while resuming downloading the firewall detects the file is Microsoft.

Then i clone to strict file blocking and add a Microsoft file in the profile.

and new file blocking profile attached in security. then i am able to block the msi file downloading.

 

  • 4724 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!