Detect Generic Executables Policy Condition Logic - Cloud SWG

Article ID: 442168


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

This article explains the underlying logic of the "Detect Generic Executables" policy condition in Symantec Cloud SWG. It clarifies how the feature uses a multi-layered approach combining file extensions, HTTP headers, and true content inspection to serve as a comprehensive, standalone blocking rule for executable content without the need to manually specify file extensions.

Resolution

The "Detect Generic Executables" condition does not rely on a single identification method. Instead, it uses a multi-layered approach in which the layers are combined with OR logic: Cloud SWG flags a file as a generic executable if any one of the following conditions is met during the file transfer:

  1. Predefined List of Executable Extensions

    The condition checks the URL against a predefined list of known executable and script file extensions. If the URL path ends with any of the following, the condition is triggered:

    Standard Binaries & Libraries: .exe, .com, .dll, .scr

    Scripts & Batch Files: .bat, .cmd, .vbs, .vb, .wsc, .wsh, .wsf

    Installers: .msi

    Java Executables: .class, .jar

    System/Utility Files: .pif, .hlp, .hta, .chm, .ani, .cur, .reg, .wmf

  2. HTTP Header Inspection (MIME Type and Content-Disposition)

    Even if the file extension does not match the list above, the condition inspects the HTTP response headers returned by the web server. It flags the file if either of the following is true:

    The Content-Type header indicates an executable payload (e.g., application/octet-stream, application/x-msdownload, application/x-msdos-program).

    The Content-Disposition header instructs the browser to download the file with an executable name or extension (e.g., instructing the browser to save the file as a .exe).

  3. Content Inspection (Apparent Data Type / File Signatures)

    To prevent security evasion techniques, such as an attacker renaming a malicious executable to invoice.pdf or image.jpg, the engine inspects the actual binary payload (True File Type). It intercepts the HTTP response and examines the first few bytes (magic bytes) of the file:

    If the binary structure starts with known executable signatures, such as the hex values for "MZ" (the universal signature for DOS/Windows executables), it is immediately categorized as an executable.

    This occurs regardless of the file's extension or the server's claimed MIME type.
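The three layers above (extension list, response headers, and magic-byte inspection) can be modelled as a single OR-ed check. The following Python is an added illustration written for this article, not Cloud SWG's own engine or code; the function names, the `detect_generic_executable` return values, and the sample responses are constructed for the example. It shows why a payload renamed to `invoice.pdf` and served as `application/pdf` is still caught by the third layer, while a genuine PDF passes all three.

```python
"""Model of the three-layer "Detect Generic Executables" logic (illustrative
code added for this article, not the Cloud SWG engine)."""
import re
from posixpath import splitext
from typing import Dict, Optional
from urllib.parse import urlsplit

# Layer 1: the extensions listed in the article, matched against the URL path.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".dll", ".scr",                              # binaries & libraries
    ".bat", ".cmd", ".vbs", ".vb", ".wsc", ".wsh", ".wsf",       # scripts & batch files
    ".msi",                                                      # installers
    ".class", ".jar",                                            # Java executables
    ".pif", ".hlp", ".hta", ".chm", ".ani", ".cur", ".reg", ".wmf",  # system/utility files
}

# Layer 2: Content-Type values the article names as executable payloads.
EXECUTABLE_MIME_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-msdos-program",
}

# Layer 3: the "MZ" (0x4D 0x5A) DOS/Windows executable signature named in the
# article. Further signatures could be appended here (an assumption, not from
# the article).
EXECUTABLE_MAGIC = (b"MZ",)

# Pulls the filename out of Content-Disposition, covering the plain, quoted and
# RFC 2231 (filename*=UTF-8''...) forms.
_FILENAME_RE = re.compile(r"""filename\*?\s*=\s*(?:UTF-8''|"?)([^";]+)""", re.IGNORECASE)


def _extension_of(name: str) -> str:
    """Lower-cased extension including the dot, or '' when there is none."""
    return splitext(name.strip().lower())[1]


def url_has_executable_extension(url: str) -> bool:
    """Layer 1: query string and fragment are ignored; only the path counts."""
    return _extension_of(urlsplit(url).path) in EXECUTABLE_EXTENSIONS


def headers_indicate_executable(headers: Dict[str, str]) -> bool:
    """Layer 2: executable MIME type, or a download name with an executable extension."""
    h = {k.lower(): v for k, v in headers.items()}          # header names are case-insensitive
    media_type = h.get("content-type", "").split(";", 1)[0].strip().lower()
    if media_type in EXECUTABLE_MIME_TYPES:
        return True
    match = _FILENAME_RE.search(h.get("content-disposition", ""))
    return bool(match) and _extension_of(match.group(1)) in EXECUTABLE_EXTENSIONS


def body_has_executable_signature(body: bytes) -> bool:
    """Layer 3: true file type from the first bytes, ignoring name and declared type."""
    return any(body.startswith(sig) for sig in EXECUTABLE_MAGIC)


def detect_generic_executable(url: str, headers: Dict[str, str], body: bytes) -> Optional[str]:
    """Return the first layer that fires ('extension', 'header', 'content') or None."""
    if url_has_executable_extension(url):
        return "extension"
    if headers_indicate_executable(headers):
        return "header"
    if body_has_executable_signature(body):
        return "content"
    return None


# Constructed sample responses (URL, response headers, first bytes of the body).
SAMPLE_RESPONSES = [
    ("http://files.example.com/tools/setup.exe?dl=1", {"Content-Type": "application/pdf"}, b"%PDF-1.7"),
    ("http://files.example.com/download?id=42", {"Content-Type": "application/x-msdownload"}, b""),
    ("http://files.example.com/get", {"Content-Disposition": 'attachment; filename="update.scr"'}, b""),
    ("http://files.example.com/invoice.pdf", {"Content-Type": "application/pdf"}, b"MZ\x90\x00\x03\x00"),
    ("http://files.example.com/report.pdf", {"Content-Type": "application/pdf"}, b"%PDF-1.7\n%\xe2\xe3"),
]

if __name__ == "__main__":
    for url, headers, body in SAMPLE_RESPONSES:
        print(f"{url:48} -> {detect_generic_executable(url, headers, body) or 'allowed'}")
```

Running the block prints one verdict per sample: the first three fire on the extension and header layers, the renamed `invoice.pdf` is caught by the `MZ` signature alone, and the real PDF is not flagged by any layer.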