Hi. All attempts to block an .exe download fail

Hi
I was disconcerted to find that I could download a .exe even though content inspection is enabled.
Content type *.exe is set to drop and "windows exe/dll" is blocked in body content type.
The website is https://www.copytrans.net/copytransheic/
This is what I can see in the logs: "dstname=www.copytrans.net
arg=/bin/CopyTransHEICforWindowsv1.009.exe"

Do you have any advice please?

Answers

  • james.carson Moderator, WatchGuard Representative

    Hi @Inntravel
    We'd need to see the other logs around that one to see why the firewall is allowing this. If you haven't already done so, I'd suggest opening a support case so you can securely share those logs.

    -James Carson
    WatchGuard Customer Support

  • OK, I'll log it now. Thanks

  • In URL Paths, you can also block *.exe

  • Even though I have the HTTP proxy action -> Content Types set to log for both "If matched" and "None matched" my log entries do not show the Content Type for this file.

    2022-02-16 12:42:53 Allow 10.0.1.2 54.149.145.98 https/tcp 56012 443 Trust-VLAN External ProxyAllow: HTTP request URL match (HTTPS-proxy-for-Bruce-PC-00) HTTP-Client.DPI proc_id="http-proxy" rc="590" msg_id="1AFF-000B" proxy_act="HTTP-Client.DPI" rule_name="Default" dstname="www.copytrans.net" arg="/bin/CopyTransHEICforWindowsv1.009.exe" geo_dst="USA" Traffic
    2022-02-16 12:42:53 Allow 10.0.1.2 54.149.145.98 https/tcp 56012 443 Trust-VLAN External ProxyAllow: HTTP Request categories (HTTPS-proxy-for-Bruce-PC-00) HTTP-Client.DPI proc_id="http-proxy" rc="590" msg_id="1AFF-0021" proxy_act="HTTP-Client.DPI" cats="Information Technology" op="GET" dstname="www.copytrans.net" arg="/bin/CopyTransHEICforWindowsv1.009.exe" action="WebBlocker.DPI" geo_dst="USA" Traffic
    2022-02-16 12:42:55 Allow 10.0.1.2 54.149.145.98 https/tcp 56012 443 Trust-VLAN External HTTP request (HTTPS-proxy-for-Bruce-PC-00) HTTP-Client.DPI proc_id="http-proxy" rc="525" msg_id="1AFF-0024" proxy_act="HTTP-Client.DPI" op="GET" dstname="www.copytrans.net" arg="/bin/CopyTransHEICforWindowsv1.009.exe" sent_bytes="542" rcvd_bytes="10609409" elapsed_time="2.247021 sec(s)" app_id="12" app_cat_id="14" app_name="Mozilla Firefox" app_cat_name="Web services" sig_vers="18.198" reputation="50" geo_dst="USA" Traffic

  • The hex header of this .exe file is:
    4D5A50

    The beginning of the hex string in the Windows EXE/DLL Body Content Type to match is:
    4d5a90

    Clearly these do not match.

    A long time ago, on a previous forum, one user suggested using this pattern match.
    My entry for this is called EXE - generic

    %0x4d5a%*

    This string does match the downloaded .exe and would block it
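
    The following is an added worked example, not code from the thread or from WatchGuard. It shows in Python why a body-content-type pattern keyed on the three bytes 4d5a90 misses a file whose header starts 4d5a50, while a pattern keyed only on the two-byte "MZ" magic (4d5a) matches both, and it adds a tighter structural check (MZ magic plus the "PE\0\0" signature at e_lfanew) for comparison. The two sample headers are constructed in the code (they are not bytes from the real download), the "%0x..%*" mini-grammar is my own reading of the pattern quoted above rather than WatchGuard's documented syntax, and the three-byte default pattern is an abbreviation of the longer built-in string mentioned in the post.

```python
import re
import struct


def build_fake_pe(cblp_low: int) -> bytes:
    """Constructed sample: a minimal DOS header followed by a PE signature.

    Byte 2 of a DOS header is the low byte of e_cblp, which depends on the
    linker that produced the stub: 0x90 in the stub emitted by Microsoft's
    linker (hex 4d5a90...), 0x50 in the thread's download (hex 4d5a50...).
    Not a real executable, just enough structure for the checks below.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"                       # e_magic
    dos[2] = cblp_low                      # low byte of e_cblp
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header at offset 64
    return bytes(dos) + b"PE\0\0" + b"\0" * 20


SAMPLE_MSVC = build_fake_pe(0x90)   # starts 4d 5a 90
SAMPLE_THREAD = build_fake_pe(0x50) # starts 4d 5a 50, like the thread's file

# Assumed abbreviation of the built-in "Windows EXE/DLL" string (the post
# only says it begins 4d5a90), and the generic pattern quoted in the post.
DEFAULT_PATTERN = "%0x4d5a90%*"
GENERIC_PATTERN = "%0x4d5a%*"


def pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Translate a '%0xHEX%' / '*' pattern into an anchored bytes regex.

    Assumed mini-grammar (my reading of the thread, not WatchGuard's spec):
    '%0xHEX%' is a literal byte sequence, '*' matches any run of bytes.
    """
    out = b"^"
    for tok in re.findall(r"%0x[0-9a-fA-F]+%|\*", pattern):
        if tok == "*":
            out += b".*"
        else:
            out += re.escape(bytes.fromhex(tok[3:-1]))
    return re.compile(out, re.DOTALL)


def matches(pattern: str, data: bytes) -> bool:
    """True if the file body starts with the bytes the pattern describes."""
    return pattern_to_regex(pattern).match(data) is not None


def is_pe_image(data: bytes) -> bool:
    """Structural check: MZ magic and 'PE\\0\\0' at the offset stored in
    e_lfanew (0x3C). Independent of the linker-dependent byte at offset 2."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


if __name__ == "__main__":
    for name, sample in (("MSVC-style", SAMPLE_MSVC), ("thread file", SAMPLE_THREAD)):
        print(f"{name:12s} header={sample[:3].hex()} "
              f"default={matches(DEFAULT_PATTERN, sample)} "
              f"generic={matches(GENERIC_PATTERN, sample)} "
              f"pe={is_pe_image(sample)}")
```

    Running it prints one line per sample: the 4d5a90 pattern matches only the MSVC-style header, the 4d5a pattern matches both, and the structural PE check matches both as well. The MZ-only pattern is deliberately broad: 16-bit DOS MZ executables and any container that carries a DOS stub also match it, which is usually what you want on a drop rule. Either check only helps when the proxy can see the body bytes, so it does nothing for a download inside a TLS session that is not being inspected or inside an archive or other encoding the proxy does not unpack.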

  • Thanks for looking again Bruce. I have added the new hex string. I will check if this worked tomorrow.
    How did you find the hex of the .exe please?

  • Using a hex editor - HxD
    You can download this, but it is an .exe file ;-)

  • Hi Bruce. Brilliant, that works
    Thanks very much
