Issue/Introduction:
When a ThreatPulse (Cloud) Web Security Service policy rule is set to Block the Executables File Type, the policy blocks a PDF file, yet another PDF file is accessible.
This article describe the methods used to determine Executables and why the PDF is blocked.
Cause:
These following are the guidelines that the Web Security Service uses to determine Executables (this is not an exhaustive list).
- HTTP response headers (application/octet-stream can cause false-positives)
- HTTP file extensions
- Magic bytes
- Content dispositions
- Others
The following CPL summarizes an object represented as Executables, but not limited to:
define condition Object_RepresentedAs_Executable
; Test URL extension
url.extension=(exe,com,cab,ocx,dll,msi)
; Test for content-type headers
response.header.Content-Type="application/cab"
response.header.Content-Type="application/octet-stream"
response.header.Content-Type="application/x-msdownload"
response.header.Content-Type="application/x-msdos-program"
; Test for content-disposition (how to save) headers
response.x_header.Content-Disposition = "\.(exe|com|cab|ocx|dll|msi)($|[^a-z0-9])"
end
NOTE: Blocking by file extension and its MIME type is not currently possible.
This Executable rule blocks the PDF because the content was delivered with the content-type as application/octect-stream.
https://bto.bluecoat.com/documentation/download/1287
- bto.bluecoat.com serves the file as Application/Octect-Stream, which tells the browser it might contain executable content even if it delivers .pdf file.
- It is just another way to deliver content. In this case, it’s likely used to prompt the Save As dialog instead of displaying the PDF inside the browser.
The below .pdf download links are downloadable.
The content-type here is application/pdf. Notice that they display inside the web browser rather than prompt with Save As dialog.
Resolution:
This behavior is working as expected.