Apparent Data Types and the Edge SWG (ProxySG).
What are apparent data types?
You want information about Apparent Data Types
The Apparent Data Type feature, used through policy, identifies data content associated with Microsoft DOS and Windows executable files. When used in a deny policy, the purpose of this object is to deny executable downloads and block drive-by installation of spyware.
When specifying Apparent Data Type in the VPM (VPM > Destination > Apparent Data Type...), you can select DOS/Windows Executable (which includes .exe, .dll, and .ocx files) or Microsoft Cabinet File (.cab files which can be used by spyware programs to propagate ActiveX controls). In addition to the preceding list, this object can also be configured to leverage the internal Content Analysis service (on Advanced Secure Gateway appliances) or an external Content Analysis appliance to examine the contents of archive files, (such as .zip and .rar files).
The CPL syntax used to test the Apparent Data Type of HTTP response data is as follows:
http.response.apparent_data_type = executable | cabinet
Also refer to Article 170664, which differentiates Apparent Data Types from HTTP MIME Types and File Extensions.