CAS is still serving the archived file even though the file extension is being blocked.

Article ID: 250340

Products

Content Analysis Software ISG Content Analysis

Issue/Introduction

On CAS, the setting to block a file extension such as EXE is enabled.

The affected file is an archived file.

The CAS device also has the File Reputation Service enabled.

When a client downloads an archived file that contains an EXE file, the download succeeds. The expected behavior is that the file is blocked.

Cause

A file goes through the File Reputation Service first, before it goes to AV scanning.

AV scanning is able to uncompress the archived file in order to scan its content.

The File Reputation Service (FRS) scores the file, and the next action depends on the score.

If the FRS score is "Trusted", the archived file does not go on to further scanning and is served to the user directly.

Only if the FRS score is "Unknown" is the archived file forwarded to AV scanning, where CAS is able to detect the EXE file inside the archived file.

In this case the archived file had an FRS score of "Trusted", so it was served to the user directly without going on to AV scanning. The archived file was therefore never uncompressed, and CAS was unable to detect the EXE file inside it.

If the file is not an archived file, for example just a file with an EXE extension, CAS is able to detect and block it according to the CAS blocking settings even though the FRS score is "Trusted".

Resolution

This behaviour is by design. The only option to make sure that archived files are blocked according to the block settings is to disable FRS.
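
The scanning order described in this article, modelled as an added Python example (not CAS or vendor code) so the gap and the effect of disabling FRS can be checked side by side. The names `verdict`, `make_zip` and `BLOCKED_EXTENSIONS` are hypothetical, the archive is a constructed in-memory ZIP, and any FRS score other than "Trusted" is treated like "Unknown".

```python
import io
import zipfile

# Assumed block list, mirroring the EXE setting in the article.
BLOCKED_EXTENSIONS = {".exe"}


def make_zip(names):
    """Build a constructed in-memory ZIP archive with the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed sample content")
    return buf.getvalue()


def has_blocked_ext(name):
    """True when the file name ends with a blocked extension (case-insensitive)."""
    return any(name.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS)


def verdict(filename, data, frs_enabled, frs_score):
    """Return 'served' or 'blocked' following the flow the article describes."""
    is_archive = zipfile.is_zipfile(io.BytesIO(data))
    # A plain file with a blocked extension is blocked whatever the FRS score.
    if not is_archive:
        return "blocked" if has_blocked_ext(filename) else "served"
    # FRS runs before AV scanning: a Trusted archive is served without being unpacked.
    if frs_enabled and frs_score == "Trusted":
        return "served"
    # Unknown score, or FRS disabled: AV scanning unpacks the archive and checks members.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if any(has_blocked_ext(member) for member in zf.namelist()):
            return "blocked"
    return "served"


if __name__ == "__main__":
    archive = make_zip(["readme.txt", "setup.exe"])  # constructed sample
    for frs_enabled, score in [(True, "Trusted"), (True, "Unknown"), (False, "Trusted")]:
        print(frs_enabled, score, verdict("tools.zip", archive, frs_enabled, score))
```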