07-06-2016 06:06 AM
In our environment, we have eliminated the scourge of people being local administrators on computers, with the exception of administrative accounts assigned to some of the IT personnel. I'm thinking about blocking the DLL, DMG, EXE, MSI, and PE file types for everyone but IT personnel.
Are there any caveats or big gotchas related to doing so? I'm thinking that things like GoToMeeting/WebEx/Skype For Business conferences might be a problem. Are there any good ways to work around that?
07-06-2016 07:20 AM
You need to create 2 security policies.
Then whitelist the URLs page where you download trusted URLs like GoToMeeting, etc.
If you want, you can restrict for users also.
07-06-2016 07:24 AM
I would think about what applications in your environment do automatic updates. Google Chrome, for example, is one app that is always downloading updates in the form of GoogleUpdate.exe. Another thing to consider would be Windows updates, as they consist of DLL files, I believe.
A good way to work around it would be to create a custom URL category that consists of URLs that you are ok with PE files being downloaded from. Then create a new security rule such as 'whitelist .exe' and add this category to it and a new file blocking profile to alert on all files (that way you can confirm only the files you want are getting through via this rule).
I hope this helps you out!
Ben
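A simplified first-match model of the two-rule design suggested in the reply above, added here as an illustration; it is not any poster's code and is not PAN-OS syntax. Rule names, hostnames and sessions are constructed, and top-down first-match rule evaluation is assumed.

```python
# Simplified model: whitelist rule (alert-all profile) above a general rule (block PE).
# All names, hosts and sessions below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

PE_TYPES = {"exe", "dll", "msi", "pe"}

# Stand-in for the custom URL category of approved executable sources.
TRUSTED_PE_SOURCES = ("downloads.example-meeting.test", "updates.example-browser.test")

@dataclass
class Rule:
    name: str
    url_hosts: Optional[tuple]   # None means "any URL category"
    profile: dict                # file type -> action; "*" is the default action

def host_matches(host, patterns):
    # Match the listed host itself or any subdomain of it.
    return any(host == p or host.endswith("." + p) for p in patterns)

def evaluate(rules, host, file_type):
    """Return (rule name, action) from the first rule whose URL category matches."""
    for rule in rules:
        if rule.url_hosts is None or host_matches(host, rule.url_hosts):
            return rule.name, rule.profile.get(file_type, rule.profile.get("*", "allow"))
    return "default-deny", "block"

ALERT_ALL = {"*": "alert"}                                  # log every file, block none
BLOCK_PE = {**{t: "block" for t in PE_TYPES}, "*": "allow"}

whitelist = Rule("whitelist-exe", TRUSTED_PE_SOURCES, ALERT_ALL)
general = Rule("general-web", None, BLOCK_PE)

def audit(rules, sessions):
    """Alert entries show exactly which files passed through the whitelist rule."""
    return [(h, f) for h, f in sessions if evaluate(rules, h, f)[1] == "alert"]

SESSIONS = [  # constructed (host, file type) pairs
    ("downloads.example-meeting.test", "exe"),
    ("cdn.unknown-site.test", "exe"),
    ("cdn.unknown-site.test", "pdf"),
    ("eu.updates.example-browser.test", "msi"),
]

if __name__ == "__main__":
    for host, ftype in SESSIONS:
        print(host, ftype, evaluate([whitelist, general], host, ftype))
    # Reversed order: the general rule matches first and shadows the whitelist.
    print(evaluate([general, whitelist], "downloads.example-meeting.test", "exe"))
```

With the rules reversed, the general rule matches every session first, so the whitelist rule never fires and the trusted installer is blocked.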
12-21-2016 11:31 AM
How do you handle things when the files don't come from a specific URL, but instead download from Akamai or the like? These can come from many different IP addresses. We are blocking all PE files, but there are some that need to come through and we wind up allowing a specific user to download anything from the internet, which isn't a good solution.
12-21-2016 02:10 PM
The biggest gotcha is always going to be applications that update in the background. You probably don't want to be in a situation where you have to spend time upgrading stupid things like Chrome or Firefox. That being said, if you manage those already through something like SCCM, then it really doesn't matter that much.