How to handle jdownloader?


L3 Networker

Hi guys,

I was wondering what the best way to handle jdownloader or other download managers is. Are they treated as separate apps? Is the only way to deal with this via QoS policies? I'd love to hear about your experiences.

Alex


L4 Transporter

Hi Alex,

Do you mean downloading the installer or the downloads managed by jdownloader?

If you want to manage downloading the installer, it should be an exe file, which you can handle through File blocking profiles and set appropriate actions and applying to specific rules.

We currently do not have the jdownloader as an application in our App database.

Regards,

Parth

Hi Parth,

I most definitely mean the downloads handled by Jdownloader. Would this require a new application signature in Applipedia to be managed?

Thanks,

Alex   

Unless you create a custom app on your own you can request app enhancement from the Apps and Threats Research Center.

http://www.paloaltonetworks.com/researchcenter/tools/

From there you can click on Submit an app and provide details there.

Stupid question perhaps and a tad off topic but is there any cost attached with requesting a custom app/signature? Or will any new app eventually be included in the standard application db (provided it's accepted as a new app)?

No cost to my knowledge.

The tricky part is as you already mentioned to convince the app-people that this particular app should be part of the global appid-db.

Hello,

Downloader apps aren't using any specific protocols: they download files over HTTP or FTP, so creating an application is hard/non-relevant to the definition of an application as they are used in PA.

Thanks, mate. I was pretty sure that this was the answer, but wanted to hear back from the community.

Alex

I disagree...

If you take a look at applipedia (http://apps.paloaltonetworks.com/applipedia/) and select file-sharing and browser-based you will see a shitload of apps that are just that - downloaders:

4shared, bigupload, easy-share, megaupload and so on (currently 84 appid's matching the above search).

Hopefully the download "accelerator" that the thread starter uses will use some useragent or such which you can identify the flow at (and by that create your custom application).

So ... If a jDownloader is used to download a file on Easyshare, is it Easyshare application or jDownloader?

You are mixing Websites that are providing a service (so it can be called an application) and Programs that run on PCs.

4shared, bigupload, easy-share, megaupload: all of them are websites that are providing a service and so it is considered as an application. If you use InternetExplorer to access Dropbox or a third party program, it will be considered as Dropbox application.

In addition, nowadays many downloader programs are faking User-Agents (or at least give people the ability to change it in their configuration menus) to bypass corp restrictions or filtering.

In that case I would use best-match which would give jDownloader as final result.

You can compare it to using your web-browser and visit youtube. Is it web-browsing or is it youtube? Actually it's both (which you will see if you enable log on session start how the flow hops between applications).

You can also search on "management" and "client-server" in applipedia to see various applications (run on the client) and not applications as in which url is being visited.

But sure in order to successfully identify jdownloader there has to be something to identify at.

Useragent is one of the things (since it's using http). Another thing could be, in combination with useragent, which headers are actually being used (present) and in which order? Perhaps chunked downloading is being used? Or multiple sessions towards the same ip address? and so on.

There can also be secondary trigger points which can be used - in case the application phones home, similar to how skype is being identified (sure you can block skype with PA but to do this you are forced to allow skype-probe to pass through).

With PA you can at least be sure that HTTP is allowed and nothing else. If you want to block which browser the client uses to download stuff over HTTP you need to apply whitelisting on the client computers (there are several products that do this on the market with various results, http://www.cryptzone.com/products/se46-application-whitelisting/ is one of them).
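The signals listed in the post above (header order, segmented downloading, multiple sessions toward one address) can be checked against proxy or session logs. The following is an added example, not code from any poster in this thread; it ignores the User-Agent value on purpose, since the thread notes it is easily faked. The record layout, the `BROWSER_ORDER` baseline and the `min_parallel` threshold are assumptions, and the sample traffic is constructed.

```python
from collections import defaultdict

# Assumed baseline: header order of the managed corporate browser (hypothetical).
BROWSER_ORDER = ("host", "user-agent", "accept", "accept-encoding", "connection")

# Constructed sample records: (client, dest, start_s, end_s, header names in wire order).
SAMPLE = [
    ("10.0.0.5", "203.0.113.10", 0, 4, ("host", "user-agent", "accept", "connection")),
    # Browser resuming a download: Range requests, but one after the other.
    ("10.0.0.9", "203.0.113.30", 0, 5, ("host", "user-agent", "accept", "range")),
    ("10.0.0.9", "203.0.113.30", 5, 9, ("host", "user-agent", "accept", "range")),
    # Segmented download: four overlapping Range requests, unusual header order.
    ("10.0.0.7", "203.0.113.20", 0, 30, ("user-agent", "host", "accept", "range")),
    ("10.0.0.7", "203.0.113.20", 0, 31, ("user-agent", "host", "accept", "range")),
    ("10.0.0.7", "203.0.113.20", 1, 29, ("user-agent", "host", "accept", "range")),
    ("10.0.0.7", "203.0.113.20", 1, 30, ("user-agent", "host", "accept", "range")),
]

def order_matches(headers, baseline=BROWSER_ORDER):
    """True when the baseline headers that are present keep the baseline order."""
    seen = [h for h in headers if h in baseline]
    return seen == [h for h in baseline if h in seen]

def peak_parallel_ranges(requests):
    """Peak count of simultaneously open Range requests per (client, dest)."""
    events = defaultdict(list)
    for client, dest, start, end, headers in requests:
        if "range" in headers:
            events[(client, dest)] += [(start, 1), (end, -1)]
    peaks = {}
    for key, evs in events.items():
        cur = peak = 0
        for _, delta in sorted(evs):  # at equal times a close sorts before an open
            cur += delta
            peak = max(peak, cur)
        peaks[key] = peak
    return peaks

def flag_flows(requests, min_parallel=3):
    """Return {(client, dest): [reasons]} for flows that look like a download manager."""
    peaks, flagged = peak_parallel_ranges(requests), defaultdict(set)
    for client, dest, _start, _end, headers in requests:
        key = (client, dest)
        if peaks.get(key, 0) >= min_parallel:
            flagged[key].add("parallel-range")
        if not order_matches(headers):
            flagged[key].add("header-order")
    return {k: sorted(v) for k, v in flagged.items()}
```

Both signals are heuristics: a client that mimics the baseline header order and downloads in a single stream produces no flag, which is the limit of flow-only inspection that the later replies discuss.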

If that was useful/relevant, there would already exist applications called Firefox, Chrome, IE and Safari. They are all clients for well known protocols.

If you look at client-server apps, they do not guarantee you are using official client for the application, it only recognizes the network behaviour/protocol of the service offered, not the program/binary behind this traffic. In addition, while User-Agent will work in most cases for HTTP (if you except the fact that it can be faked easily), other protocols don't have this kind of feature (ie: smtp, imap, pop, remote desktop, exchange ...all of them have compatible but no way to identify it at firewall level).

In fact, PaloAlto should have called it ServiceID instead of AppID, it would have been clearer for everyone.

Note that I am not against a "ProgramID" but I barely see it maintainable and accurate.

Well of course because PA is analyzing the network flows and nothing else.

Anyone can use Wget to make it look like a Firefox session (or even do this manually with a perl-script or such) - faking useragent, which headers are being used (and in which order), run a check for latest google bad sites update and other stuff a true Firefox session would do on the network.

Perhaps Globalprotect can be expanded in future to cover what actually happens on the client (and server) side as well?

IMHO ProtocolID (instead of ApplicationID) would be a better description of what PA actually is doing in order to not confuse with the word application which often means software on a computer. But then someone would argue that windowsupdate isn't a protocol while HTTP is and so on 😉
