Thinking about blocking executable file downloads - Gotchas?


L3 Networker

In our environment, we have eliminated the scourge of people being local administrators on computers, with the exception of administrative accounts assigned to some of the IT personnel. I'm thinking about blocking the DLL, DMG, EXE, MSI, and PE file types for everyone but IT personnel.

Are there any caveats or big gotchas related to doing so? I'm thinking that things like GoToMeeting/WebEx/Skype For Business conferences might be a problem. Are there any good ways to work around that?

4 REPLIES 4

L4 Transporter

You need to create 2 security policies.

  • Create a new custom URL category.

Then whitelist the URLs of the pages you download from (trusted URLs like GoToMeeting, etc.).

  • Then create a file blocking profile to allow exe download.
  • Create a security policy above your web-browsing policy and associate the above 2 profiles.

If you want, you can also restrict it by user.

  • Create a new file blocking profile to block all exe; you can associate this with your web-browsing rule or any rule on which you want to block exe.
PCNSE-7, ACE-6,ACE 7 , CCNP, CCNA,CCIE(theory) , RHCE
Firewalldog dot com

L4 Transporter

I would think about what applications in your environment do automatic updates. Google Chrome, for example, is one app that is always downloading updates in the form of GoogleUpdate.exe. Another thing to consider would be Windows updates, as they consist of DLL files, I believe.

A good way to work around it would be to create a custom URL category that consists of URLs that you are ok with PE files being downloaded from. Then create a new security rule such as 'whitelist .exe' and add this category to it and a new file blocking profile to alert on all files (that way you can confirm only the files you want are getting through via this rule).

I hope this helps you out!

Ben

How do you handle things when the files don't come from a specific URL, but instead download from Akamai or the like? These can come from many different IP addresses. We are blocking all PE files, but there are some that need to come through and we wind up allowing a specific user to download anything from the internet, which isn't a good solution.

Cyber Elite

The biggest gotcha is always going to be applications that update in the background. You probably don't want to be in a situation where you have to spend time upgrading stupid things like Chrome or Firefox. That being said, if you manage those already through something like SCCM, then it really doesn't matter that much really.
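
Added example, not part of any reply in this thread: a simplified Python model of the rule layout the replies describe (a whitelist rule with a custom URL category and an alert-only file blocking profile, placed above the blocking web-browsing rule). It shows top-down first-match evaluation and why an installer served from a CDN hostname misses the category. Hostnames, rule names and the wildcard matching are assumptions for illustration, not PAN-OS syntax or its matching engine.

```python
from fnmatch import fnmatch

# Constructed names: hostnames, rule names and profile names are illustrative.
TRUSTED_EXE_SOURCES = ["*.meeting-vendor.example", "updates.browser-vendor.example"]
ALERT_ALL = {"*": "alert"}                                  # log every file, block none
BLOCK_PE = {t: "block" for t in ("dll", "dmg", "exe", "msi", "pe")}

# (rule name, URL category or None for "any", file blocking profile), top-down order
RULES = [
    ("whitelist-exe", TRUSTED_EXE_SOURCES, ALERT_ALL),
    ("web-browsing", None, BLOCK_PE),
]

def in_category(host, patterns):
    """Simplified wildcard match; a real firewall has its own URL matching rules."""
    return any(fnmatch(host.lower(), p) for p in patterns)

def evaluate(rules, host, file_type):
    """First matching rule wins; its profile decides what happens to the file."""
    for name, category, profile in rules:
        if category is None or in_category(host, category):
            return name, profile.get(file_type.lower(), profile.get("*", "allow"))
    return "no-match", "deny"

def audit(rules, downloads):
    """Return the downloads that would be blocked, with the rule responsible."""
    blocked = []
    for host, file_type in downloads:
        rule, action = evaluate(rules, host, file_type)
        if action == "block":
            blocked.append((host, file_type, rule))
    return blocked

# Constructed sample traffic, including a vendor installer served from a shared CDN host.
SAMPLE = [
    ("launcher.meeting-vendor.example", "exe"),   # in the category: alert only
    ("updates.browser-vendor.example", "exe"),    # in the category: alert only
    ("e1234.shared-cdn.example", "exe"),          # same kind of file via CDN: not in category
    ("intranet-docs.example", "pdf"),             # not a blocked type
]

if __name__ == "__main__":
    for row in audit(RULES, SAMPLE):
        print("blocked:", row)
    # With the rule order reversed the catch-all matches first and the whitelist never fires.
    print(evaluate(RULES[::-1], "launcher.meeting-vendor.example", "exe"))
```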
