ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

(Cloud) A PDF file is blocked as an Executables.


Article ID: 168921


Updated On:


Web Security Service - WSS


When a ThreatPulse (Cloud) Web Security Service policy rule is set to Block the Executables File Type, the policy blocks a PDF file, yet another PDF file is accessible.

This article describe the methods used to determine Executables and why the PDF is blocked.


These following are the guidelines that the Web Security Service uses to determine Executables (this is not an exhaustive list).
  • HTTP response headers (application/octet-stream can cause false-positives)
  • HTTP file extensions
  • Magic bytes
  • Content dispositions
  • Others
The following CPL summarizes an object represented as Executables, but not limited to:
define condition Object_RepresentedAs_Executable
; Test URL extension
; Test for content-type headers
; Test for content-disposition (how to save) headers
response.x_header.Content-Disposition = "\.(exe|com|cab|ocx|dll|msi)($|[^a-z0-9])"

NOTE: Blocking by file extension and its MIME type is not currently possible.

This Executable rule blocks the PDF because the content was delivered with the content-type as application/octect-stream.

  • serves the file as Application/Octect-Stream, which tells the browser it might contain executable content even if it delivers .pdf file.
  • It is just another way to deliver content. In this case, it’s likely used to prompt the Save As dialog instead of displaying the PDF inside the browser.
The below .pdf download links are downloadable.

The content-type here is application/pdf. Notice that they display inside the web browser rather than prompt with Save As dialog.



This behavior is working as expected.