Standard file-blocking policies can miss an executable that is embedded inside a container such as a PDF or a ZIP archive. The Edge SWG classifies the response by its outer container (the PDF or the ZIP), so the initial file-type check passes even though the content inside is an executable. To block these cases reliably, Content Analysis must inspect the inner content and report its "apparent" data type, and the Edge SWG must be configured to act on that verdict rather than on the outer extension.
Content Analysis (CAS) and Edge SWG (Proxy)
Stage 1: Enable Content Analysis Internal Inspection
1. Navigate to Content Analysis Web UI > Services > AV File Types
2. Enter .exe in the "List file extensions to block" field (use a comma to separate multiple extensions, e.g. .exe,.jse,.vb)
3. Check the box "Apply Global Options before sending to Antivirus Engines"
4. Check Application (.exe) to block
5. Click Save Changes
Stage 2: Force Enforcement on Edge SWG
If executables still get through after Stage 1, the Edge SWG needs an explicit rule that forces a deny based on the verdict headers CAS returns in the ICAP response. Without it, the proxy may still serve the file because the outer file type (PDF or ZIP) satisfies the initial policy.
1. Add the following CPL rules under the Edge SWG Management Console > Visual Policy Manager > Add Layer > CPL Layer.
;; Send responses to the CAS ICAP service and fail closed: if the service is
;; unreachable or times out, the response is denied instead of being delivered uninspected.
<Cache>
    response.icap_service(<icap_service_name>, fail_closed)

;; Deny when CAS reports the apparent (content-based) data type as executable,
;; whatever the outer container's extension or MIME type says.
;; FORCE_DENY cannot be overridden by an ALLOW in a later layer.
<Proxy>
    response.icap.apparent_data_type=(executable) FORCE_DENY
Note: Replace <icap_service_name> with the actual name of your ICAP service (e.g., CAS1).
2. Click Apply Policy, then OK.
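The script below is an added illustration, not Symantec/Broadcom code, of the two ideas this article relies on: why a name or outer-container check passes a ZIP or PDF that carries an executable, and how a content-based "apparent data type" verdict combined with a fail-closed rule (the counterpart of the fail_closed and FORCE_DENY settings in Stage 2) catches it. The magic-byte table, the nesting and size limits, the sample PE stub and the sample ZIP and PDF are all constructed for the example; the PDF branch only inspects unfiltered streams, whereas a real engine would first decode filters such as FlateDecode.

```python
"""Added example (not Symantec/Broadcom code): simulate an extension check versus a
content-based 'apparent data type' verdict on a ZIP and a PDF that carry an executable.
Detection rules, limits and all sample files are constructed for illustration."""
import io
import re
import zipfile

# Mirrors the CAS "List file extensions to block" setting from Stage 1.
BLOCKED_EXTENSIONS = {".exe", ".jse", ".vb"}

# Illustrative signatures only; a real engine recognises far more types.
MAGIC = [(b"MZ", "executable"), (b"PK\x03\x04", "zip"), (b"%PDF-", "pdf")]
MAX_DEPTH = 3                        # container nesting levels to unpack
MAX_ENTRY_BYTES = 50 * 1024 * 1024   # refuse to expand oversized entries (zip bombs)


def extension_policy_blocks(filename: str) -> bool:
    """Name-based check, the kind the outer container easily satisfies."""
    return any(filename.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS)


def apparent_data_type(data: bytes) -> str:
    """Classify a blob by its leading bytes, ignoring its name entirely."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def pdf_stream_bodies(data: bytes):
    """Yield raw (unfiltered) stream bodies; embedded files live in such streams.
    Assumption: streams are not compressed. Real PDFs usually FlateDecode them."""
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        yield m.group(1)


def nested_data_types(data: bytes, depth: int = 0) -> set:
    """Apparent types of the object and of everything it contains.
    Anything that cannot be opened or exceeds limits is tagged 'uninspectable'."""
    kind = apparent_data_type(data)
    found = {kind}
    if kind not in ("zip", "pdf"):
        return found
    if depth >= MAX_DEPTH:
        return found | {"uninspectable"}
    try:
        if kind == "zip":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_ENTRY_BYTES:
                        found.add("uninspectable")
                        continue
                    found |= nested_data_types(zf.read(info), depth + 1)
        else:
            for body in pdf_stream_bodies(data):
                found |= nested_data_types(body, depth + 1)
    except (zipfile.BadZipFile, RuntimeError, OSError, ValueError, EOFError):
        found.add("uninspectable")   # corrupt, truncated or password-protected
    return found


def force_deny(data: bytes, fail_closed: bool = True) -> bool:
    """The Stage 2 rule: deny on an executable verdict at any nesting level.
    With fail_closed, content that could not be inspected is denied as well."""
    kinds = nested_data_types(data)
    if "executable" in kinds:
        return True
    return fail_closed and "uninspectable" in kinds


# Constructed stand-in for a PE file: only the 'MZ' signature is meaningful.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"constructed stand-in for a PE file, not real code\n"


def build_sample_zip(payload: bytes = FAKE_PE, name: str = "invoice.pdf.exe") -> bytes:
    """Constructed ZIP with a single (deflated) entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def build_sample_pdf(payload: bytes = FAKE_PE) -> bytes:
    """Constructed minimal PDF carrying the payload as an unfiltered embedded file."""
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /EmbeddedFile /Length "
            + str(len(payload)).encode() + b" >>\nstream\n"
            + payload + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for name, blob in (("report.zip", build_sample_zip()), ("report.pdf", build_sample_pdf())):
        print(name, "| extension blocks:", extension_policy_blocks(name),
              "| outer type:", apparent_data_type(blob),
              "| nested types:", sorted(nested_data_types(blob)),
              "| force_deny:", force_deny(blob))
```

Running it shows the gap the article describes: neither report.zip nor report.pdf trips the extension list, and the outer apparent type is just "zip" or "pdf", yet the nested scan finds "executable" and force_deny returns True. The corrupt-archive path is the analogue of fail_closed: content the engine cannot open is denied rather than passed through.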