For malware checking we have two working (and performant) solutions:

http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP
http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/eCAP

No need to block any and all executables in the world. Just enough to check it with AV-engine. ;)

On 13.12.15 18:31, Markus wrote:
> I'm wondering if it is possible to detect (and block) certain files by
> their header/content like 'MZ' (0d 0a 0d 0a 4d 5a) which is the beginning
> of any EXE/DLL file.
>
> Purpose:
>
> I'm trying to protect my internal network against unconsciously
> downloading executable files (like malware). All users' traffic passes
> through our Squid proxy.
>
> What I've already done is:
>
> 1. Blocking by URL (url contains \.exe \.dll and other banned extensions)
> 2. Blocking by server's response header (MIME-type,
>    Content-Disposition and so on.)
>
> But there is still a way to download an executable file when somebody
> puts it on a server as e.g. readme.txt. The server's response header would be
> in this case 'Content-Type: text/html;'.
>
> So none of the above-mentioned rules would block this file. Of course, a
> regular Web browser would show this EXE as text, which isn't
> dangerous. But we can imagine a dedicated downloader (e.g. a part of
> the malware) which can download binary code this way.
>
> So, tell me guys, is there any solution for this?
>
> I could also use "Snort", but it would be very inflexible (I would
> like to have a whitelist of domains).
>
> Even if it's possible, what about performance in a real environment?
> Maybe there's a way to analyze only the first bytes of the incoming
> stream?
>
> greetings
> Markus
>
> PS
> ----
> If the string 'MZ' is too short, we can also use 'This program cannot
> be run in DOS mode' (this string is also part of the EXE header). But
> probably a majority of exe packers can compress it.
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
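The first-bytes check Markus asks about, as an added example that is not part of this thread nor of Squid, c-icap or eCAP: a Python classifier an adapter could run on a prefix of the response body, plus a whitelist-aware verdict. The function names, the 512-byte prefix length and the constructed sample header are assumptions.

```python
import struct

MZ_MAGIC = b"MZ"            # DOS header magic at offset 0 (bytes 0x4d 0x5a)
PE_SIGNATURE = b"PE\0\0"    # NT header signature at offset e_lfanew
PREFIX_LEN = 512            # assumed: bytes of body inspected before deciding


def classify_body_prefix(prefix: bytes) -> str:
    """Classify the first bytes of a response body.

    'pe'       : MZ magic at 0, 32-bit e_lfanew at 0x3C, 'PE\\0\\0' at that offset.
    'mz-no-pe' : MZ magic present but no PE signature inside the prefix
                 (a DOS program, or e_lfanew pointing past what was read).
    'other'    : anything else.
    The 'This program cannot be run in DOS mode' stub text is not used on
    purpose: packers may drop it, but MZ/PE must survive for Windows to load.
    """
    if len(prefix) < 0x40 or prefix[:2] != MZ_MAGIC:
        return "other"
    (e_lfanew,) = struct.unpack_from("<I", prefix, 0x3C)
    if e_lfanew + 4 > len(prefix) or prefix[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return "mz-no-pe"
    return "pe"


def proxy_verdict(host: str, content_type: str, prefix: bytes,
                  allowed_hosts=frozenset()) -> str:
    """Decision an adapter (assumed interface) could hand back to the proxy.

    Whitelisted hosts are always allowed; otherwise a body that starts a PE
    image is blocked no matter what Content-Type the server claims, which is
    the 'exe renamed to readme.txt' case from the thread.
    """
    if host in allowed_hosts:
        return "allow"
    if classify_body_prefix(prefix[:PREFIX_LEN]) == "pe":
        return "block"
    return "allow"


def build_minimal_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed sample: only the header fields the check reads, not a program."""
    hdr = bytearray(e_lfanew + 4)
    hdr[:2] = MZ_MAGIC
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = PE_SIGNATURE
    return bytes(hdr)
```

A real adapter would read only PREFIX_LEN bytes up front and, on 'mz-no-pe', fetch up to e_lfanew + 4 before deciding, so the common case costs one small read.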