Yuri Voinov wrote:
> Think more. ALL ICAP solutions check content. Diladele is not the only solution which checks content.
[...]
> You really think executable files can have only known extensions?

My way of thinking was like that: instead of testing each .exe or .zip file with AV, better block it out (except for whitelisted domains), because testing with AV needs CPU/RAM.

But as we already established, executables can be downloaded as JPG/TXT or whatever. If so, AV only makes sense if we test every kind of extension/stream. Right?

Let's consider such a possible case: here we have putty.exe (without a virus ;-) ), but saved as a txt file:

http://6web.pl/~mserafin/putty.txt

Now we can just download it and change the extension to exe. My question is: can ICAP-ClamAV detect that it's a Windows executable and block it (even without testing against viruses)?

And here is a more complicated case:

http://6web.pl/~mserafin/putty_zip.txt

(it's a regular ZIP file with putty.exe inside). Can ICAP-ClamAV deal with it?

thx!

On Sun, Dec 13, 2015 at 9:47 PM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Finally,
>
> 14.12.15 2:22, Markus wrote:
>> hi,
>> thanks for your help guys. I suspected that ICAP will be necessary.
>> But I thought that even ICAP checks it only by the file extension or
>> by server response (mime-type). Surprisingly Diladele is able to check
>
> Think more. ALL ICAP solutions check content. Diladele is not the only solution
> which checks content.
>
>> the first bytes of file content, which is exactly what I wanted.
>> On the other hand I don't want to check exe files by external AV for 2
>> reasons:
>> 1. I don't believe in its effectiveness :)
>> 2. each user has a commercial AV on his PC
>
> You need to learn - not all commercial anti-virus software detects all. And
> vice versa. Therefore, even if an external antivirus control reduces the
> probability of malware penetration just twice - it should be used.
>
> Also, remember one thing. A caching proxy can be infected - and then you get a
> large-scale epidemic, regardless of whether antivirus software is used on the
> client computer or not.
>
> I have encountered similar situations in the past and they usually lead to
> large-scale network failures.
>
>> As I said in the first post - I already block exe files by squid ACL.
>
> You really think executable files can have only known extensions?
>
>> Now I'm afraid that some malware software can get through web/http by
>> omitting this ACL (will be downloaded as jpg).
>
> Sure. That is why you will be forced to use the only really existing
> solution.
>
>> thanks. Now I have to read more about available ICAP servers :)
>>
>> On Sun, Dec 13, 2015 at 7:32 PM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
>>> For malware checking we have two working (and performant) solutions:
>>>
>>> http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP
>>> http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/eCAP
>>>
>>> No need to block any and all executables in the world. It is enough to
>>> check it with an AV engine. ;)
>>>
>>> 13.12.15 18:31, Markus wrote:
>>>> I'm wondering if it is possible to detect (and block) certain files by
>>>> their header/content like 'MZ' (0d 0a 0d 0a 4d 5a) which is the beginning
>>>> of any EXE/DLL file.
>>>>
>>>> Purpose:
>>>>
>>>> I'm trying to protect my internal network against unconsciously
>>>> downloading executable files (like malware). All users' traffic passes
>>>> through our Squid proxy.
>>>>
>>>> What I've already done is:
>>>>
>>>> 1. Blocking by URL (url contains \.exe \.dll and other banned
>>>> extensions)
>>>> 2. Blocking by server's response header (MIME-type,
>>>> Content-Disposition and so on.)
>>>>
>>>> But there is still a way to download an executable file when somebody
>>>> puts it on a server as e.g. readme.txt. The server's response header would be
>>>> in this case 'Content-Type: text/html;'.
>>>>
>>>> So none of the above mentioned rules would block this file. Of course, a
>>>> regular Web browser would show this EXE as text, which isn't
>>>> dangerous. But we can imagine a dedicated downloader (e.g. a part of
>>>> the malware) which can download binary code this way.
>>>>
>>>> So, tell me guys, if there is any solution for this?
>>>>
>>>> I could also use "Snort", but it would be very inflexible (I would
>>>> like to have a whitelist of domains).
>>>>
>>>> Even if it's possible, what about performance in a real environment?
>>>> Maybe there's a way to analyze only the first bytes of the incoming
>>>> stream?
>>>>
>>>> greetings
>>>> Markus
>>>>
>>>> PS
>>>> ----
>>>> If the string 'MZ' is too short, we can also use 'This program cannot
>>>> be run in DOS mode' (this string is also part of the EXE header). But
>>>> probably a majority of exe packers can compress it.
>>>> _______________________________________________
>>>> squid-users mailing list
>>>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>>>> http://lists.squid-cache.org/listinfo/squid-users
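Added example, not code from this thread, from Squid, c-icap or ClamAV: the following Python shows what "checking content instead of extension" means for the two cases Markus asks about. A Windows PE file starts with the two bytes 4d 5a ("MZ") at offset 0, stores a 32-bit little-endian offset (e_lfanew) at 0x3c, and has the signature "PE\0\0" at that offset, so a content filter can recognise it from a short prefix of the stream no matter what the URL or Content-Type says, and independently of the "This program cannot be run in DOS mode" stub text that packers may alter. The ZIP case is different: the archive's central directory sits at the end, so the members can only be examined once the whole body has arrived. The sample inputs (a header-only stand-in for an executable and a small archive) are constructed here; the function names are this example's own.

```python
import io
import struct
import zipfile

# Bytes of the body inspected for the bare-PE check. The DOS header is 64
# bytes and the offset it stores (e_lfanew) is normally a few hundred bytes,
# so a small preview of the stream is enough to reach the "PE\0\0" signature.
PREVIEW_BYTES = 4096


def looks_like_pe(prefix: bytes) -> bool:
    """True if the prefix has a valid PE header layout, whatever its name or
    Content-Type: b"MZ" at offset 0, a little-endian 32-bit offset at 0x3c
    (e_lfanew), and b"PE\\0\\0" at that offset."""
    if len(prefix) < 0x40 or prefix[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", prefix, 0x3C)[0]
    if e_lfanew + 4 > len(prefix):
        # The signature lies beyond the preview; not proven PE from this data
        # (a stricter policy could hold the stream until more bytes arrive).
        return False
    return prefix[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def pe_members_in_zip(body: bytes) -> list[str]:
    """Names of ZIP members whose first bytes look like a PE file. Needs the
    whole body: the central directory zipfile reads sits at the archive end."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as member:
                    if looks_like_pe(member.read(PREVIEW_BYTES)):
                        hits.append(info.filename)
    except zipfile.BadZipFile:
        pass  # not a readable archive; the caller treats it as "other"
    return hits


def classify(body: bytes) -> str:
    """Classify a response body by content only. Returns "pe",
    "zip-with-pe:<members>", "zip" or "other"; a policy layer would block
    the first two (after any domain whitelist has been consulted)."""
    if looks_like_pe(body[:PREVIEW_BYTES]):
        return "pe"
    if body[:4] == b"PK\x03\x04":  # ZIP local file header magic
        hits = pe_members_in_zip(body)
        return "zip-with-pe:" + ",".join(hits) if hits else "zip"
    return "other"


# --- constructed inputs (not real binaries) ---------------------------------

def build_fake_pe() -> bytes:
    """Constructed stand-in for a Windows executable: only the header layout
    is real (MZ, e_lfanew = 0x80, DOS stub text, PE signature); no code."""
    e_lfanew = 0x80
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    stub = b"This program cannot be run in DOS mode.\r\n$"
    padding = b"\x00" * (e_lfanew - len(dos_header) - len(stub))
    return dos_header + stub + padding + b"PE\x00\x00" + b"\x00" * 64


def build_zip(members: dict[str, bytes]) -> bytes:
    """Constructed ZIP archive holding the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Same scenarios as the thread: a PE served as .txt, and a ZIP served as
    # .txt with an .exe inside. The URL/extension never enters the decision.
    print(classify(build_fake_pe()))                                   # pe
    print(classify(build_zip({"readme.txt": b"plain text",
                              "putty.exe": build_fake_pe()})))         # zip-with-pe:putty.exe
    print(classify(b"just a text file"))                               # other
```

The performance point raised in the thread falls out of the code: the bare executable is decided from the first few KB of the stream, while an archive costs a full read plus decompression of each member's prefix, which is the part worth rate-limiting or delegating to the AV engine in a real ICAP service. A file that starts with "MZ" but whose e_lfanew does not reach a PE signature is returned as "other" here; a site that wants to be stricter can log or block that pattern as well.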