I'm wondering if it is possible to detect (and block) certain files by their header/content, like 'MZ' (0d 0a 0d 0a 4d 5a), which is the beginning of any EXE/DLL file.

Purpose: I'm trying to protect my internal network against unconsciously downloading executable files (like malware). All user traffic passes through our Squid proxy.

What I've already done is:

1. Blocking by URL (URL contains \.exe, \.dll and other banned extensions)
2. Blocking by the server's response header (MIME type, Content-Disposition and so on)

But there is still a way to download an executable file when somebody puts it on a server as e.g. readme.txt. The server's response header would in this case be 'Content-Type: text/html;'. So none of the above-mentioned rules would block this file.

Of course, a regular Web browser would show this EXE as text, which isn't dangerous. But we can imagine a dedicated downloader (e.g. a part of the malware) which can download binary code this way.

So, tell me guys, is there any solution for this?

I could also use "Snort", but it would be very inflexible (I would like to have a whitelist of domains).

Even if it's possible, what about performance in a real environment? Maybe there's a way to analyze only the first bytes of the incoming stream?

Greetings,
Markus

PS: If the string 'MZ' is too short, we can also use 'This program cannot be run in DOS mode' (this string is also part of the EXE header). But probably a majority of exe packers can compress it.
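Added example, not part of the original post: a sketch of the "analyze only the first bytes" idea with a domain whitelist. Instead of trusting 'MZ' alone, it follows the DOS header's e_lfanew field (offset 0x3C) to the 'PE\0\0' signature. The function names, PREFIX_LEN and the sample inputs are assumptions made for illustration, and how the body bytes reach this code from the proxy is not shown.

```python
import struct

PREFIX_LEN = 1024  # assumed number of body bytes to inspect per response

def classify_prefix(prefix):
    """Return 'pe', 'mz-unverified' or 'other' for the first body bytes."""
    if not prefix.startswith(b"MZ"):
        return "other"
    if len(prefix) < 0x40:
        return "mz-unverified"      # DOS header is cut off
    # e_lfanew: little-endian offset of the PE signature, stored at 0x3C
    (e_lfanew,) = struct.unpack_from("<I", prefix, 0x3C)
    if e_lfanew + 4 > len(prefix):
        return "mz-unverified"      # signature lies past the inspected bytes
    return "pe" if prefix[e_lfanew:e_lfanew + 4] == b"PE\0\0" else "other"

def host_allowed(host, whitelist):
    """True if host is a whitelisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in whitelist)

def should_block(host, body_prefix, whitelist, block_unverified=False):
    """Decide from the URL host and the first body bytes only."""
    if host_allowed(host, whitelist):
        return False
    verdict = classify_prefix(body_prefix[:PREFIX_LEN])
    return verdict == "pe" or (block_unverified and verdict == "mz-unverified")

# Constructed sample inputs (not real files)
FAKE_PE = b"MZ" + bytes(58) + struct.pack("<I", 0x80) + bytes(0x40) + b"PE\0\0"
TEXT_MZ = b"MZ is the magic number of DOS executables.\n" * 4

if __name__ == "__main__":
    wl = {"example.com"}
    print(should_block("files.example.net", FAKE_PE, wl))  # served as readme.txt
    print(should_block("dl.example.com", FAKE_PE, wl))     # whitelisted domain
    print(classify_prefix(TEXT_MZ))                        # plain text starting with MZ
```

A text file that merely starts with 'MZ' ends up as 'mz-unverified' rather than 'pe', so whether to block it is a policy choice (block_unverified).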