14.12.15 2:22, Markus wrote:
> hi,
> thanks for your help guys. I suspected that ICAP will be necessary.
> but I thought that even ICAP checks it only by the file extension or
> by server response (mime-type). Surprisingly Diladele is able to check
> the first bytes of file content, which is exactly what I wanted.
The ICAP-ClamAV solution does the same. You can adjust it as you wish.

> On the other hand I don't want to check exe files by external AV for 2 reasons
> 1. I don't believe in its effectiveness :)
Faith is not an option. Several years of practical use have proved their
effectiveness. Of course, a matter of personal faith can deny personal
experience.

> 2. each user has a commercial AV on his PC
So what? This does not preclude the need to filter Internet content.
Practice shows that one does not exclude the other.

> As I said in the first post - I already block exe files by squid ACL.
> Now I'm afraid that some malware software can get through web/http by
> omitting this ACL (will be downloaded as jpg).
That is exactly what ICAP/eCAP solutions are used for.

> thanks. Now I have to read more about available ICAP servers :)
>
> On Sun, Dec 13, 2015 at 7:32 PM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
>>
>> For malware checking we have two working (and performant) solutions:
>>
>> http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP
>> http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/eCAP
>>
>> No need to block any and all executables in the world. Just enough to
>> check it with an AV engine. ;)
>>
>> 13.12.15 18:31, Markus wrote:
>>> I'm wondering if it is possible to detect (and block) certain files by
>>> their header/content like 'MZ' (0d 0a 0d 0a 4d 5a) which is the beginning
>>> of any EXE/DLL file.
>>>
>>> Purpose:
>>>
>>> I'm trying to protect my internal network against unconsciously
>>> downloading executable files (like malware). All user traffic passes
>>> through our Squid proxy.
>>>
>>> What I've already done is:
>>>
>>> 1. Blocking by URL (url contains \.exe \.dll and other banned extensions)
>>> 2. Blocking by server's response header (MIME-type,
>>> Content-Disposition and so on.)
>>>
>>> But there is still a way to download an executable file when somebody
>>> puts it on a server as e.g. readme.txt. The server's response header would
>>> in this case be 'Content-Type: text/html;'.
>>>
>>> So none of the above mentioned rules would block this file. Of course, a
>>> regular Web browser would show this EXE as text, which isn't
>>> dangerous. But we can imagine a dedicated downloader (e.g. a part of
>>> the malware) which can download binary code this way.
>>>
>>> So, tell me guys, if there is any solution for this?
>>>
>>> I could also use "Snort", but it would be very inflexible (I would
>>> like to have a whitelist of domains).
>>>
>>> Even if it's possible, what about performance in a real environment?
>>> Maybe there's a way to analyze only the first bytes of the incoming
>>> stream?
>>>
>>> greetings
>>> Markus
>>>
>>> PS
>>> ----
>>> If the string 'MZ' is too short, we can also use 'This program cannot
>>> be run in DOS mode' (this string is also part of the EXE header). But
>>> probably the majority of exe packers can compress it.
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>>> http://lists.squid-cache.org/listinfo/squid-users
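The check Markus is after (inspecting the first bytes of the response body rather than the URL or the Content-Type) is what a content-adaptation service such as the C-ICAP/ClamAV or eCAP setups linked above performs before the body reaches the client. The following is an added example of that sniffing logic written for this thread; it is not code from Diladele, C-ICAP, ClamAV or Squid. It assumes a hypothetical adapter hands it the response Content-Type and the first kilobyte of the body; the sample PE headers are constructed inline and are not runnable programs. It checks the DOS 'MZ' magic at offset 0 of the body, follows e_lfanew (offset 0x3C) to the 'PE\0\0' signature, and contrasts that with the 'This program cannot be run in DOS mode' string check from the PS: a header whose stub text has been zeroed, as a packer may leave it, still parses as a PE and is still caught.

```python
"""Content sniffing for Windows executables, as an ICAP/eCAP adapter might do it.

Added example for this squid-users thread; not code from Diladele, C-ICAP,
ClamAV or Squid. The adapter interface is assumed: it gives us the response
Content-Type and the first PREFIX_LEN bytes of the body.
"""
import struct

# How many body bytes we ask the adapter for. e_lfanew (the PE header offset)
# almost always lies well inside the first kilobyte of a real PE file.
PREFIX_LEN = 1024

DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def build_sample_pe(with_stub_text: bool) -> bytes:
    """Constructed minimal PE header (MZ header + DOS stub + PE signature +
    COFF header). It is not a runnable program, only enough to be sniffed."""
    e_lfanew = 0x80
    hdr = bytearray(b"MZ")                     # e_magic at offset 0
    hdr += b"\x90\x00\x03\x00"                 # e_cblp, e_cp (arbitrary values)
    hdr += b"\x00" * (0x3C - len(hdr))
    hdr += struct.pack("<I", e_lfanew)         # e_lfanew at offset 0x3C
    # Typical DOS stub code, followed by the stub message or by zeros (as a
    # packer that rewrites the stub would leave it).
    hdr += b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21"
    hdr += DOS_STUB_TEXT if with_stub_text else b"\x00" * len(DOS_STUB_TEXT)
    hdr += b"\x00" * (e_lfanew - len(hdr))
    hdr += b"PE\x00\x00"                       # PE signature at e_lfanew
    # COFF header: Machine=AMD64, 1 section, timestamp, symtab ptr, nsyms,
    # optional header size, characteristics.
    hdr += struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)
    return bytes(hdr)


def sniff_executable(prefix: bytes) -> str:
    """Classify the first bytes of a response body (offset 0 = first body byte).

    Returns 'pe'   for MZ plus a valid PE signature at e_lfanew,
            'mz'   for MZ without a reachable PE signature (a DOS .exe, a PE
                   whose e_lfanew lies beyond the prefix, or a damaged header),
            'none' otherwise.
    """
    if len(prefix) < 2 or prefix[:2] != b"MZ":
        return "none"
    if len(prefix) < 0x40:
        return "mz"
    e_lfanew = struct.unpack_from("<I", prefix, 0x3C)[0]
    if e_lfanew + 4 <= len(prefix) and prefix[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        return "pe"
    return "mz"


def has_dos_stub_text(prefix: bytes) -> bool:
    """The string-based check proposed in the thread's PS, for comparison."""
    return DOS_STUB_TEXT in prefix


def classify_response(content_type: str, body_prefix: bytes) -> dict:
    """Verdict for one response. The Content-Type is recorded but deliberately
    ignored for the decision: the point of the check is that a PE served as
    text/html or image/jpeg is still a PE. Blocking plain 'mz' as well as 'pe'
    is a policy choice; a text file that happens to start with 'MZ' would be
    a false positive under it."""
    kind = sniff_executable(body_prefix[:PREFIX_LEN])
    return {"content_type": content_type, "kind": kind, "block": kind != "none"}


if __name__ == "__main__":
    # Constructed sample responses: a real text file and two PEs served under
    # innocent names and Content-Types.
    samples = {
        "readme.txt (real text)": ("text/html", b"This is a plain readme file.\n"),
        "readme.txt (PE, stub text intact)": ("text/html", build_sample_pe(True)),
        "photo.jpg (PE, stub text removed)": ("image/jpeg", build_sample_pe(False)),
    }
    for name, (ctype, body) in samples.items():
        v = classify_response(ctype, body)
        print(f"{name:36} {ctype:11} kind={v['kind']:4} block={v['block']} "
              f"stub_text={has_dos_stub_text(body)}")
```

In a real deployment the adapter sees the body as it streams, so the prefix is all it needs for this decision; if e_lfanew points past the prefix the function returns 'mz' rather than 'pe', which is the right conservative answer when only a kilobyte has arrived.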