Skip to main content
Hosemacht
Explorer
May 10, 2017
Question

Block Javascript in ZIP Archives ?

  • May 10, 2017
  • 1 reply
  • 5393 views

Hi all,

 

I've got a Fortigate 200E Cluster running with FortiOS 5.4.4.

I was trying to block Javascript files that are contained in Zip Archives

but i dont want to block all Javascript or all Zip Archives.

 

Is it possible to block those files only in this particular condition?

 

The background:  a flood of Emails with links to such files and if a user opens the zip and launches the js it triggers a download

of an disguised maleware witch will be renamed by the script to an *.exe file and then be executed.

 

pretty hard to detect

 

Please help

 

Regards,

the giraffe that wasnt president

    1 reply

    Carl_Wallmark
    New Member
    May 13, 2017

    Hi,

     

    I have also been looking for this, and it might be possible with an IPS signature, but I dont think there is a way in DLP.

     

    While I´m searching I have turned off the possibility to run .js files on our computers via "Software Restrictions" in Group Policy Management.

    Hosemacht
    HosemachtAuthor
    Explorer
    May 15, 2017

    Hi,

     

    unfortunately you are right there is no way in dlp to solve this.

    it would be very appreciated if fortinet would make an "and"/"or" rule to combine the filters in the sensor.

     

    your "work around" does it very well and it doesnt affect the .js files that are executed in the browser what i was afraid of.

     

    thanks for you comment and for the hint .

     

    Regards

    the giraffe that wasnt president

     

    Carl_Wallmark
    New Member
    May 15, 2017

    no problem ;)

     

    You can also do the same for .vbs but make sure no software is using it, then you need to do an exception.