hi, thanks for your help guys. I suspected that ICAP will be necessary, but I thought that even ICAP checks it only by the file extension or by server response (mime-type). Surprisingly Diladele is able to check the first bytes of file content, which is exactly what I wanted.

On the other hand I don't want to check exe files by external AV for 2 reasons:
1. I don't believe in its effectiveness :)
2. each user has a commercial AV on his PC

As I said in the first post - I already block exe files by squid ACL. Now I'm afraid that some malware software can get through web/http by omitting this ACL (will be downloaded as jpg).

thanks. Now I have to read more about available ICAP servers :)

On Sun, Dec 13, 2015 at 7:32 PM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
>
> For malware checking we have two working (and performance) solutions:
>
> http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP
> http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/eCAP
>
> No need to block any and all executables in the world. Just enough to
> check it with AV-engine. ;)
>
> 13.12.15 18:31, Markus wrote:
>> I'm wondering if it is possible to detect (and block) certain files by
>> their header/content like 'MZ' (0d 0a 0d 0a 4d 5a) which is the beginning
>> of any EXE/DLL file.
>>
>> Purpose:
>>
>> I'm trying to protect my internal network against unconsciously
>> downloading executable files (like malware). All users' traffic passes
>> through our Squid proxy.
>>
>> What I've already done is:
>>
>> 1. Blocking by URL (url contains \.exe \.dll and other banned extensions)
>> 2. Blocking by server's response header (MIME-type,
>> Content-Disposition and so on.)
>>
>> But there is still a way to download an executable file when somebody
>> puts it on a server as e.g. readme.txt. The server's response header would be
>> in this case 'Content-Type: text/html;'.
>>
>> So none of the above-mentioned rules would block this file. Of course, a
>> regular Web browser would show this EXE as text, which isn't
>> dangerous. But we can imagine a dedicated downloader (e.g. a part of
>> the malware) which can download binary code this way.
>>
>> So, tell me guys, if there is any solution for this?
>>
>> I could also use "Snort", but it would be very inflexible (I would
>> like to have a whitelist of domains).
>>
>> Even if it's possible, what about performance in a real environment?
>> Maybe there's a way to analyze only the first bytes of the incoming
>> stream?
>>
>> greetings
>> Markus
>>
>> PS
>> ----
>> if the string 'MZ' is too short, we can also use 'This program cannot
>> be run in DOS mode' (this string is also part of the EXE header). But
>> probably a majority of exe packers can compress it.
>> _______________________________________________
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> http://lists.squid-cache.org/listinfo/squid-users
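A content-sniffing check of the kind Markus asks for (and that Diladele is described above as doing), as an added example that is not code from the thread or from any of the products named: it buffers the first bytes of a response body and looks for the PE structure itself, the 4D 5A ("MZ") DOS signature at offset 0 and the e_lfanew field at offset 0x3C pointing at "PE\0\0", so an EXE served as readme.txt with Content-Type: text/html is still recognised, while a bare "MZ" match on its own is reported only as weak evidence. The sniff length, the host whitelist and the sample bodies are constructed for the example.

```python
import struct

# Facts about the PE format (not from the thread): the DOS header starts with
# 4D 5A ("MZ") at offset 0, and the little-endian 32-bit field at offset 0x3C
# (e_lfanew) holds the offset of the "PE\0\0" signature.
MZ = b"MZ"
PE_SIG = b"PE\0\0"
SNIFF_LEN = 1024  # constructed: how many leading bytes the check buffers


def sniff_pe(prefix: bytes) -> str:
    """Classify the leading bytes of a response body.

    "pe"   : MZ header present and e_lfanew points at a valid PE signature
    "mz"   : only the two-byte MZ signature matched (too few bytes buffered,
             or e_lfanew points beyond them); weak evidence, since plain text
             that happens to begin with the letters MZ also lands here
    "none" : anything else (JPEG, HTML, text, ...)
    """
    if len(prefix) < 2 or prefix[:2] != MZ:
        return "none"
    if len(prefix) < 0x40:
        return "mz"
    (e_lfanew,) = struct.unpack_from("<I", prefix, 0x3C)
    if e_lfanew + 4 <= len(prefix) and prefix[e_lfanew:e_lfanew + 4] == PE_SIG:
        return "pe"
    return "mz"


def verdict(host: str, body: bytes, allowed_hosts=frozenset()) -> str:
    """Policy as the thread sketches it: whitelisted domains pass untouched;
    elsewhere a PE body is blocked regardless of URL extension or Content-Type."""
    if host in allowed_hosts:
        return "allow"
    return "block" if sniff_pe(body[:SNIFF_LEN]) == "pe" else "allow"


def fake_pe(e_lfanew: int = 0x40) -> bytes:
    """Constructed sample: a 64-byte DOS header followed by the PE signature."""
    hdr = bytearray(0x40)
    hdr[:2] = MZ
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return bytes(hdr) + PE_SIG + b"\0" * 20


if __name__ == "__main__":
    for label, body in {"EXE served as readme.txt": fake_pe(),
                        "JPEG": b"\xff\xd8\xff\xe0" + b"\0" * 60,
                        "text beginning with MZ": b"MZ is not an EXE" + b" " * 60}.items():
        print(f"{label:25} -> {sniff_pe(body)} / {verdict('example.org', body)}")
```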