What Does File Blocking Profile Look For?

Created On 01/15/21 23:05 PM - Last Modified 05/08/23 05:51 AM


Question


What does the File Blocking profile look for? Which attributes of a file determine the file type "THREAT ID/NAME" listed in Data Filtering Logs?

Environment




Answer


  1. The firewall looks at a file's magic number when determining the file type to enforce in the File Blocking profile.
  2. A magic number is used to identify the file type at runtime, when the file is opened and a program reads the data.
  3. A magic number is a variable-length hexadecimal sequence found at the beginning of the file.
  4. A complete list can be found here (external site).

Note: Do not mistake the file extension (.doc, .png, .exe, etc.) for the magic number. For example, if a file with a .docx extension has a magic number of 4D 5A (MZ), the firewall will identify the file type as PE, not docx.
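The .docx/MZ case from the note, as an added example (not Palo Alto Networks code and not the firewall's signature logic): Python that classifies content by its leading bytes and flags files whose extension disagrees with the content. The signature table, the extension map, and the sample files are constructed for illustration and cover only a few well-known magic numbers.

```python
import os

# Constructed subset of well-known magic numbers (assumption: NOT the
# firewall's signature list). Checked in order; first matching prefix wins.
MAGIC_TABLE = [
    (bytes.fromhex("89504E470D0A1A0A"), "PNG"),
    (bytes.fromhex("504B0304"), "ZIP"),  # also the container for real .docx files
    (bytes.fromhex("25504446"), "PDF"),  # "%PDF"
    (bytes.fromhex("4D5A"), "PE"),       # "MZ"
]

# Hypothetical map of extensions to the content type they should carry.
EXPECTED_BY_EXTENSION = {
    ".exe": "PE", ".dll": "PE", ".png": "PNG",
    ".pdf": "PDF", ".zip": "ZIP", ".docx": "ZIP",
}

def sniff_type(data: bytes) -> str:
    """Return the type implied by the leading bytes, ignoring any file name."""
    for magic, name in MAGIC_TABLE:
        if data.startswith(magic):
            return name
    return "unknown"

def check_file(filename: str, data: bytes) -> dict:
    """Compare content-derived type with what the extension claims."""
    ext = os.path.splitext(filename)[1].lower()
    detected = sniff_type(data)
    expected = EXPECTED_BY_EXTENSION.get(ext)  # None if extension is not mapped
    return {
        "filename": filename,
        "detected": detected,
        "expected": expected,
        "mismatch": expected is not None and detected != expected,
    }

if __name__ == "__main__":
    # Constructed sample contents: only the first bytes matter here.
    samples = [
        ("report.docx", b"MZ\x90\x00" + b"\x00" * 16),      # PE header, .docx name
        ("report.docx", b"PK\x03\x04" + b"\x00" * 16),      # genuine ZIP container
        ("image.png", bytes.fromhex("89504E470D0A1A0A")),
        ("notes.txt", b"plain text"),
    ]
    for name, content in samples:
        print(check_file(name, content))
```

A mismatch result is a useful triage signal when reviewing Data Filtering Logs: the logged file type follows the content, so a PE entry for a file named .docx is expected behavior rather than a misclassification.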

 


Additional Information


FileType list with the Threat-ID number
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEtCAK
 

