Palo Alto Networks Knowledgebase: Tips from the Field: File blocking profile

Tips from the Field: File blocking profile

16214
Created On 07/18/19 19:27 PM - Last Updated 07/18/19 20:12 PM
Resolution

Ever wonder where to start when configuring file blocking profiles, or if it's even useful to enable in the first place? Some file types, like EXE or PE, seem straightforward. But we sometimes overlook other file types—for example, a friendly .hlp file, a funny screensaver from a friend, or an inconspicuous .lnk file. We'll take a look at a couple of different file types that can be controlled by the file blocking profile so you can decide what's useful to block.

 

 

Watch those hlp and lnk file types

The help and link file types are primarily used in the Windows operating system to provide some assistance to the user, but in most cases, there's no reason to download such files from the internet.

 

Blast from the past with scr

Used mostly for installable screensavers, the scr file format was most popular in the 90s and heavily abused as a transport for malware.

 

The power of multi-level-encoding

Before PAN-OS 7.0, the Palo Alto Networks firewall was able to decode up to two levels of encoding. Files exceeding this level would be allowed to bypass file blocking. Since PAN-OS 7.0, the maximum level of decoding has been increased to 4.

 

Examples of encoding levels:

  • Word document (docx) in a zip file sent by email defines three levels of encoding
  • Word document (docx) zipped and sent through HTTP chunk encoding and gzip compression defines four levels of encoding

 

Any files hidden in more levels of encoding are now be blocked using Multi-Level-Encoding.

 

PE files from unknown category websites

Another consideration—when allowing the download of PE or Portable Executable files from the internet, where do they come from?

 

If the website is a trusted or known entity providing trustworthy tools, you may want to allow these files to be downloaded. Most malware sites, on the other hand, are either already categorized as a malware site, or have only recently been registered and are in an unknown category.

 

Setting up a file blocking profile for PE files, in conjunction with a security policy restricting access to unknown, malware, parked, phishing, and private-IP-address categories can help prevent the download of malware while allowing legitimate downloads from trustworthy sites.

 

Below you can see an example security policy where rule #1 is intended to block filetypes from certain categories, rule #2 will allow downloads from certain categories and rule #3 will be the catchall for all other outbound sessions

 

2016-04-26_11-49-22.jpg

 

 

For a detailed example of multi-level decoding, take a look at Tips & Tricks: Multi-Level Decoding and Blocking File Blocking Profile.



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClT8CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language