(Cloud) A PDF file is blocked as an Executables.
Article ID: 168921
Updated On:
Products
Web Security Service - WSS
Issue/Introduction
When a ThreatPulse (Cloud) Web Security Service policy rule is set to Block the Executables File Type, the policy blocks a PDF file, yet another PDF file is accessible.
This article describe the methods used to determine Executables and why the PDF is blocked.
This article describe the methods used to determine Executables and why the PDF is blocked.
Cause
These following are the guidelines that the Web Security Service uses to determine Executables (this is not an exhaustive list).
NOTE: Blocking by file extension and its MIME type is not currently possible.
This Executable rule blocks the PDF because the content was delivered with the content-type as application/octect-stream.
- HTTP response headers (application/octet-stream can cause false-positives)
- HTTP file extensions
- Magic bytes
- Content dispositions
- Others
define condition Object_RepresentedAs_Executable
; Test URL extension
url.extension=(exe,com,cab,ocx,dll,msi)
; Test for content-type headers
response.header.Content-Type="application/cab"
response.header.Content-Type="application/octet-stream"
response.header.Content-Type="application/x-msdownload"
response.header.Content-Type="application/x-msdos-program"
; Test for content-disposition (how to save) headers
response.x_header.Content-Disposition = "\.(exe|com|cab|ocx|dll|msi)($|[^a-z0-9])"
end
; Test URL extension
url.extension=(exe,com,cab,ocx,dll,msi)
; Test for content-type headers
response.header.Content-Type="application/cab"
response.header.Content-Type="application/octet-stream"
response.header.Content-Type="application/x-msdownload"
response.header.Content-Type="application/x-msdos-program"
; Test for content-disposition (how to save) headers
response.x_header.Content-Disposition = "\.(exe|com|cab|ocx|dll|msi)($|[^a-z0-9])"
end
NOTE: Blocking by file extension and its MIME type is not currently possible.
This Executable rule blocks the PDF because the content was delivered with the content-type as application/octect-stream.
https://bto.bluecoat.com/documentation/download/1287
- bto.bluecoat.com serves the file as Application/Octect-Stream, which tells the browser it might contain executable content even if it delivers .pdf file.
- It is just another way to deliver content. In this case, it’s likely used to prompt the Save As dialog instead of displaying the PDF inside the browser.
The below .pdf download links are downloadable.
- https://bto.bluecoat.com/sites/default/files/tech_pubs/SGOS6.2.xAdminGuide.pdf
-
https://bto.bluecoat.com/sites/default/files/tech_pubs/Blue_Coat_Sky_6.2.x_Release_Notes.pdf
The content-type here is application/pdf. Notice that they display inside the web browser rather than prompt with Save As dialog.
Resolution
This behavior is working as expected.
Feedback
Yes
No
Powered by
