As a Proxy Administrator, I would like to create a policy to prevent my users from downloading files. Using the MIME type or file extension is simple, but both can easily be spoofed. I would like to write policy to more accurately control the types of files my users access, regardless of the HTTP MIME type header or file extension.
The ProxySG policy engine can examine a specified number of initial bytes of an HTTP response (data.33 in the MSI condition below, data.4 in the DOCX condition below) and use a regular expression to identify the apparent data type. Here are two examples of how to test policy against requests for an MSI file and a DOCX file:
MSI:
<Cache>
http.response.data.33.regex="^\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF\x09\x00\x06"
DOCX:
<Cache>
http.response.data.4.regex="^\x50\x4B\x03\x04"
These sample policies use regular expressions to represent the hexadecimal signature for MSI or DOCX, as defined by the third-party website http://filext.com. For MSI, it is detailed there as:
Identifying characters Hex: D0 CF 11 E0 A1 B1 1A E1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3E 00 03 00 FE FF 09 00 06
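Because this string is in hexadecimal, it needs to be rewritten as a regular expression for policy: anchor the pattern to the start of the data with ^ and write each byte as \x followed by its two hex digits. For example, the first eight bytes become: "^\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1".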
Please see Appendix E in the Content Policy Language reference for details on writing Regular Expression elements.
Note: This type of policy matches on unencrypted traffic. For HTTPS content, ensure that SSL interception and decryption are configured on the ProxySG appliance.
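
The hex-to-regex conversion and the leading-bytes check described above, as an added Python example that is not part of the original article or of ProxySG itself. The function names and the sample responses are constructed for illustration; the signatures are the ones shown on this page.

```python
import re

# Hex signatures taken from this page.
SIGNATURES = {
    "MSI": "D0 CF 11 E0 A1 B1 1A E1" + " 00" * 16 + " 3E 00 03 00 FE FF 09 00 06",
    "DOCX": "50 4B 03 04",
}

def cpl_condition(hex_signature: str) -> str:
    """Turn a spaced hex signature into an http.response.data.N.regex condition."""
    sig = bytes.fromhex(hex_signature)
    pattern = "^" + "".join(f"\\x{b:02X}" for b in sig)
    return f'http.response.data.{len(sig)}.regex="{pattern}"'

def classify(body: bytes) -> list:
    """Emulate the check: match each signature against the first N body bytes only."""
    hits = []
    for name, hex_signature in SIGNATURES.items():
        sig = bytes.fromhex(hex_signature)
        if re.match(re.escape(sig), body[:len(sig)]):
            hits.append(name)
    return hits

# Constructed sample responses: (Content-Type, file name, leading body bytes).
SAMPLES = [
    ("text/plain", "notes.txt", bytes.fromhex(SIGNATURES["MSI"]) + b"\x00" * 31),
    ("image/png", "logo.png", b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 24),
    ("application/x-msi", "setup.msi", b"<html>not an installer</html>"),
]

def evaluate(samples):
    """Return (file name, declared type, signatures found) per response."""
    return [(name, ctype, classify(body)) for ctype, name, body in samples]

if __name__ == "__main__":
    for label, hex_signature in SIGNATURES.items():
        print(label, "->", cpl_condition(hex_signature))
    for name, ctype, hits in evaluate(SAMPLES):
        print(f"{name} ({ctype}): {hits or 'no signature match'}")
```

The 4-byte DOCX pattern is the generic ZIP local file header signature, so that condition also matches other ZIP-based responses such as XLSX, PPTX, JAR and plain ZIP archives.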