Iescudero
New Member
February 6, 2015
Question

Filter file type when is compressed

  • February 6, 2015
  • 8 replies
  • 13383 views

Hi everyone! 

I need to work out how I can block certain types of files, mostly executables such as .bat, .com and .exe, when these files are compressed in a .zip, .rar or .cab.

Can the antivirus daemon do this on any FortiOS platform?

At this time I have two FortiGate 110C units in an HA cluster, with FortiOS v4.0,build0356,130221 (MR2 Patch 15).

 

Thanks to all!

    8 replies

    iJake
    New Member
    February 6, 2015

    Sounds to me like you'll be better served with DLP rather than AV for this. With DLP you can block file extensions.

     

    You can use wildcards in the name or select specific file types. The FortiGate will examine archived files and act accordingly.

    Iescudero
    Author
    New Member
    February 6, 2015

    Hi, thanks for your reply!

    With Antivirus or DLP I can block certain types of files, but I need to block them when the file is compressed.

    For example, I want to block *.exe files; if a user sends a .exe file compressed in a .zip or .rar, I want the FortiGate to block this .zip, but only when it contains a .exe file.

    I hope that you understand now.

    Sorry for my bad English.

    Thanks again!

    iJake
    New Member
    February 6, 2015

    Do you want them to send an exe if it's not compressed??

     

    If you block .exe using DLP, it should block this whether it's zipped/archived or not. The FortiGate should inspect Zipped packets with DLP enabled and block a .zip/.rar containing a .exe.

    Iescudero
    Author
    New Member
    February 6, 2015

    That's exactly what I want!!! Now I'm gonna read about DLP.

    Do you have some info, link or any ideas to share with me?

     

    Thanks again!

    iJake
    New Member
    February 6, 2015

    It's not too stressing to configure - so long as it's licensed and enabled under "Features".

    I've attached a snapshot of the sensor configuration, not much to it.

     

    Security Profiles > DLP > Select/Create Profile > Create new Sensor > Filter "Files" and select the file type and the action

    You'll then need to apply it to the IPv4 Policy defining the traffic you want it to match.

     

     

    Iescudero
    Author
    New Member
    February 6, 2015

    Thanks!!

    iJake
    New Member
    February 6, 2015

    No problem. Let us know how it goes.

    vmartin_FTNT
    Staff
    February 6, 2015

    There's also a Cookbook recipe about using DLP that you can find here: http://cookbook.fortinet.com/preventing-data-leaks/ In step 3, it talks about blocking .exe files.

    Iescudero
    Author
    New Member
    February 6, 2015

    Thanks to all! It works with exe files, and it's fine, but we also need to block .scr files, and in this case it is not working.

    Is there a chance to customize the file type? Any solution would be appreciated.

     

    Thanks!!

    iJake
    New Member
    February 6, 2015

    Have you tried using filename patterns? Putting *scr should do the trick, though not 100% sure how that works with zipped files, it should still work.

     

    The problem you'll have there is that if someone just changes the file name, it will get through...

     

    Let us know.
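
The renaming gap raised in the last reply, shown as an added example that is not part of the thread and is not how the FortiGate DLP engine is implemented: a filename pattern misses an executable renamed inside the archive, while a check of each member's leading bytes (the `MZ` DOS/PE header) still catches it. The names `scan_zip` and `build_sample`, the two limits and the sample archive are assumptions constructed for this illustration, and only ZIP is handled (not .rar or .cab).

```python
import fnmatch
import io
import zipfile

BLOCKED_PATTERNS = ["*.exe", "*.scr", "*.bat", "*.com"]  # extensions named in the thread
MAX_DEPTH = 3              # assumed limit on nested-archive recursion
MAX_NESTED = 10 * 1024**2  # assumed cap on a nested archive's unpacked size


def scan_zip(data, depth=0):
    """Return (member, reason) findings for a ZIP archive held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.lower().rsplit("/", 1)[-1]
            if any(fnmatch.fnmatch(base, p) for p in BLOCKED_PATTERNS):
                findings.append((name, "name-pattern"))
            elif info.flag_bits & 0x1:
                # Encrypted member: the name is visible, the content cannot be checked.
                findings.append((name, "encrypted"))
            else:
                with zf.open(info) as fh:
                    head = fh.read(4)
                if head[:2] == b"MZ":
                    findings.append((name, "content-mz"))  # DOS/PE header despite the name
                elif head == b"PK\x03\x04":
                    if depth >= MAX_DEPTH or info.file_size > MAX_NESTED:
                        findings.append((name, "nested-uninspected"))
                    else:
                        inner = scan_zip(zf.read(info), depth + 1)
                        findings += [(f"{name}!{n}", r) for n, r in inner]
    return findings


def build_sample():
    """Constructed sample: clean file, .exe, renamed executable, nested .scr."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("screen.scr", b"MZ constructed")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", b"hello")
        zf.writestr("setup.exe", b"MZ constructed")
        zf.writestr("invoice.pdf", b"MZ constructed, renamed")
        zf.writestr("docs/inner.zip", inner.getvalue())
    return outer.getvalue()
```

On the constructed sample, `invoice.pdf` is reported only because of the content check; with name patterns alone it would pass.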