Hello Markus,

Indeed you need to have an ICAP server for example. The one I represent can "look into first 256 bytes" of the stream to block by real contents as indicated on http://docs.diladele.com/administrator_guide_4_3/web_filter/policies/blocking_file_downloads.html. Of course any other ICAP server will do the same job too. One possibility is the "greasy spoon icap" server.

Best regards,
Rafael Akchurin
Diladele B.V.

-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Markus
Sent: Sunday, December 13, 2015 1:32 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: blocking certain file types by content

I'm wondering if it is possible to detect (and block) certain files by their header/content like 'MZ' (0d 0a 0d 0a 4d 5a), which is the beginning of any EXE/DLL file.

Purpose: I'm trying to protect my internal network against unconsciously downloading executable files (like malware). All users' traffic passes through our Squid proxy.

What I've already done is:
1. Blocking by URL (url contains \.exe \.dll and other banned extensions)
2. Blocking by server's response header (MIME-type, Content-Disposition and so on.)

But there is still a way to download an executable file when somebody puts it on a server as e.g. readme.txt. The server's response header would be in this case 'Content-Type: text/html;'. So none of the above-mentioned rules would block this file. Of course, a regular Web browser would show this EXE as text, which isn't dangerous. But we can imagine a dedicated downloader (e.g. a part of the malware) which can download binary code this way.

So, tell me guys, is there any solution for this? I could also use "Snort", but it would be very inflexible (I would like to have a whitelist of domains). Even if it's possible, what about performance in a real environment? Maybe there's a way to analyze only the first bytes of the incoming stream?

greetings
Markus

PS ---- if the string 'MZ' is too short, we can also use 'This program cannot be run in DOS mode' (this string is also part of the EXE header). But probably a majority of exe packers can compress it.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
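
The check discussed in this thread, as an added example that is not part of the original messages and not code from any ICAP server: it looks only at the first 256 body bytes, ignores the declared Content-Type, and applies a domain whitelist. The function names, the whitelist entry, the `MAX_PE_OFFSET` bound and the sample response are assumptions constructed for illustration.

```python
import struct

PREVIEW_LEN = 256          # bytes inspected, matching the "first 256 bytes" above
DOS_STUB = b"This program cannot be run in DOS mode"
MAX_PE_OFFSET = 0x1000     # assumed sanity bound for e_lfanew (heuristic)
ALLOWED_DOMAINS = {"updates.example.com"}   # constructed whitelist entry


def body_preview(raw_response: bytes) -> bytes:
    """Return the first PREVIEW_LEN body bytes after the header terminator."""
    _, sep, body = raw_response.partition(b"\r\n\r\n")   # 0d 0a 0d 0a
    return body[:PREVIEW_LEN] if sep else b""


def looks_like_pe(head: bytes) -> bool:
    """True if the preview starts like an EXE/DLL, whatever the headers claim."""
    if not head.startswith(b"MZ"):
        return False
    if DOS_STUB in head:                  # second indicator from the PS above
        return True
    if len(head) < 0x40:                  # too short to hold the DOS header
        return False
    # e_lfanew at offset 0x3C is the file offset of the 'PE\0\0' signature.
    (pe_off,) = struct.unpack_from("<I", head, 0x3C)
    if pe_off + 4 <= len(head):
        return head[pe_off:pe_off + 4] == b"PE\0\0"
    # Signature lies past the preview: accept only a plausible offset, so
    # plain text that merely starts with "MZ" is not blocked.
    return 0x40 <= pe_off <= MAX_PE_OFFSET


def verdict(host: str, raw_response: bytes) -> str:
    """Whitelisted domains pass; everything else is judged by content."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS):
        return "allow"
    return "block" if looks_like_pe(body_preview(raw_response)) else "allow"


def sample_response(with_stub: bool = True) -> bytes:
    """Constructed response: PE-like body served as text/html."""
    head = bytearray(PREVIEW_LEN)
    head[0:2] = b"MZ"
    struct.pack_into("<I", head, 0x3C, 0x80)
    if with_stub:
        head[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    head[0x80:0x84] = b"PE\0\0"
    return b"HTTP/1.1 200 OK\r\nContent-Type: text/html;\r\n\r\n" + bytes(head)
```

A body sent with a Content-Encoding such as gzip has to be decoded before the preview is taken, otherwise the magic bytes are not visible to this check.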