
Web Appliance - Download Types

We're actually doing some tests with the virtual web appliance (v3.9.4.1). My question is regarding download types; you can block/warn/allow file types, which is fine. But in this specific case, .msp files are being categorized as Microsoft Word (being allowed) instead of Windows Installer (being blocked). Is there a way to change the file type category of a specific extension?

Thanks.

:56430


This thread was automatically locked due to age.
  • Hi Uncleben6667,

    The download type of a file is determined by inspecting the file by our scanning engine, and not based on extensions. If you see a file that isn't identified correctly, we would like to get a sample of it so we can determine the problem. I would suggest opening a support case with us so we can look at it and make any correction in our engine if needed.

    Petr.

    :56465
  • Hi Uncleben6667, 

    I think you should be aware of the full picture: /search?q= 56072

    Take this view however you wish. As far as I'm concerned this is a vulnerability as the scanner decides to ignore files that are known to harbour Mac OSX malware. Which, even Sophos have to agree, is on the rise.

    Anyhow, I thought I'd share this to highlight how the downloading scanning works...

    :57711
  • I just wanted to update this and let you know that in SWA v4 we now scan within archives as well, and block based on the content inside the archive.

    Petr.

    :57717
  • It's all very well to know that all is being scanned but what about having some updated download types (like Microsoft docx, xlsx etc) so we can control what the users are allowed to scan. At the moment docx seems to be treated as a zip file. An admin created type would also benefit those in specialized industries.

    The attachment shows a docx file being downloaded.

    Paul

    :58061
  • I seem to be having a similar issue. Users aren't able to download .docx files too. When did Microsoft change the file standard? 2007? 2010? I know it's been long enough that Sophos should have written this into the code.

    Ryan

  • Hi Ryan,

    The 'Microsoft Word (doc)' download type includes all versions of Word documents including docx.

    What download types are you trying to block with your policy when docx files are getting caught? The only way I could reproduce what you're seeing is by actually having a policy that blocks 'Microsoft Word (doc)', in which case the behaviour is as expected...

    Regards,
    Rich
  • Hi Paul,

    I've tried a number of things to reproduce the issue you report. The Web Appliance can definitely tell the difference between a zip and a docx file, but there may be other factors at play.

    Download type blocking on the SWA looks at a number of factors when deciding what to block, and will make a decision as soon as there's information to back it up. It is likely that in your case, the server is reporting an incorrect MIME-type.

    When downloading a file, the server reports a MIME-type for the file in the HTTP response headers. This information is available to the Web Appliance as soon as the web server starts sending the response, before the whole download has been received.

    Sometimes web servers send an incorrect or inaccurate MIME-type. If the server you're downloading from sends a MIME-type that suggests the file is a zip, and you have a policy that blocks zips, then we will block the response immediately without waiting to download the file first. In general, if you have a policy that blocks something, you don't want to wait until you've downloaded a great big file before making the decision to block it if you already have good reason to believe it's bad.

    Regards
    Rich
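The header-first decision described in the reply above, as an added sketch that is not part of the original thread and is not Sophos code: it shows why a docx served with a zip MIME-type is blocked before its content is inspected, and how content inspection separates an OOXML document from a plain zip. The policy set, MIME mapping, function names and sample archives are assumptions constructed for the example.

```python
import io
import zipfile

# Hypothetical policy and MIME mapping, constructed for this example.
BLOCKED_TYPES = {"zip"}
MIME_TO_TYPE = {
    "application/zip": "zip",
    "application/x-zip-compressed": "zip",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document": "word",
}
OOXML_DIRS = {"word/": "word", "xl/": "excel", "ppt/": "powerpoint"}


def type_from_content(body: bytes) -> str:
    """Classify by content: OOXML files are ZIP containers with known members."""
    if not body.startswith(b"PK\x03\x04"):
        return "unknown"
    with zipfile.ZipFile(io.BytesIO(body)) as zf:
        names = zf.namelist()
    if "[Content_Types].xml" in names:
        for prefix, kind in OOXML_DIRS.items():
            if any(n.startswith(prefix) for n in names):
                return kind
    return "zip"


def decide(content_type: str, body: bytes) -> tuple[str, str]:
    """Return (action, reason). The header is checked first, before the body."""
    declared = MIME_TO_TYPE.get(content_type.split(";")[0].strip().lower())
    if declared in BLOCKED_TYPES:
        return "block", f"header declared {declared}"
    detected = type_from_content(body)
    if detected in BLOCKED_TYPES:
        return "block", f"content detected {detected}"
    return "allow", f"content detected {detected}"


def make_archive(members: list[str]) -> bytes:
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, "sample")
    return buf.getvalue()


DOCX = make_archive(["[Content_Types].xml", "word/document.xml"])  # constructed
PLAIN_ZIP = make_archive(["notes.txt"])  # constructed
```

When troubleshooting a case like the one in this thread, comparing the server's `Content-Type` header with the result of content inspection shows which stage made the block decision.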
  • I'm not trying to block any Microsoft Office files is the funny thing. I have it opened up to all users. I do however have .ZIP restricted to a policy. Users can only download .ZIP files if they have permission and I will add them to my .ZIP_ALLOWED policy.

    The problem I am encountering quite frequently is when users are going to xyz.com site and want to download a .pptx or .xlsx etc. Sophos Web Proxy seems to want to block this from users. However anyone who has .ZIP downloadable access has no problems obtaining these types of files.
  • This is what I have my Default Policy Download Types set to:
    Action
    ActiveX Controls (ocx) Allow
    Adobe Flash Video (flv, swf) Allow
    Adobe PDF (pdf) Allow
    Audio Video Interleave (avi) Allow
    Cabinet Archive (cab) Allow
    DOS Command File (com) Block
    ISO Image (iso) Block
    Java Applet (class) Allow
    Java Archive (jar) Allow
    Javascript (js) Allow
    MPEG Audio (mp3) Allow
    MPEG Video (mpg, mpeg) Allow
    Microsoft Document (xps) Allow
    Microsoft Excel (xls) Allow
    Microsoft Powerpoint (ppt) Allow
    Microsoft Project (mpp) Allow
    Microsoft Silverlight (xap) Allow
    Microsoft Word (doc) Allow
    Midi (midi) Allow
    Other Archives (bz2, gz, Z) Allow
    Other Executables Block
    QuickTime Video (mov) Allow
    RAR Archive (rar) Allow
    RealAudio (ra) Allow
    RealMedia (rm) Allow
    Rich Text Format (rtf) Allow
    StuffIt (sit) Block
    Tarball (tar) AllowWarnBlock
    Visual Basic Extensions (vbx) Allow
    Wave (wav) Allow
    Windows Executable (exe) Block
    Windows Installer (msi) Allow
    Windows Library File (dll) Allow
    Windows Media Audio (wma) Allow
    Windows Media Video (wmv) Allow
    Word Perfect (wpd) Allow
    Zip Archive (zip) Block


    X Allow user feedback X Block PUA downloads 
     

  • Can you please provide a URL to a file that is docx and being blocked due to zip, so that we can examine both the file and the web server headers?