RE: [squid-users] Re: block spyware with squid

From: Thomas Raef <traef06@dont-contact.us>
Date: Thu, 25 Oct 2007 13:56:33 -0500

Sure it's easy when you block by rep_mime_type application/octet-stream

Then you're not blocking by a file extension. I would never think of "blocking" by file extension. Too many ways around it. We've seen programs that will take an executable and convert it to either an HTML file or a PHP file. The aforementioned method blocks these and many other executable methods.

Try it, you'll like it.

Thomas J. Raef
e-Based Security, LLC
www.ebasedsecurity.com
1-866-838-6108
"You're either hardened, or you're hacked!"

> -----Original Message-----
> From: Leonardo Rodrigues Magalhães [mailto:leolistas@solutti.com.br]
> Sent: Thursday, October 25, 2007 1:12 PM
> To: Thomas Raef; Squid Users
> Subject: Re: [squid-users] Re: block spyware with squid
>
>
> Once I tried that and had LOTS of false-positives with Windows CGI-based
> applications, just like:
>
> http://www.something.com/myscript.exe?value=blabla ....
>
> myscript.exe is not a downloadable file, it's a script that will be
> executed and return HTML code to the browser.
>
> And there's all those URLs that will reply with an executable
> download but have no .exe on the URL ...
>
> It's a simple idea, but not as easy to implement as it seems.
>
>
> Thomas Raef wrote:
> > Why not block all executables except from a list of whitelisted sites?
> >
> > Allow windowsupdates.com, Microsoft.com, adobe.com,...
> >
> > That negates the need for signature based detection.
> >
>
> --
>
>
> Atenciosamente / Sincerely,
> Leonardo Rodrigues
> Solutti Tecnologia
> http://www.solutti.com.br
>
> Minha armadilha de SPAM, NÃO mandem email
> gertrudes@solutti.com.br
> My SPAMTRAP, do not email it
>
>
>
Received on Thu Oct 25 2007 - 12:56:35 MDT
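
An added example, not part of either poster's message: a squid.conf sketch of the two approaches debated in this thread, the URL-extension rule and the reply MIME type rule with a whitelist. The ACL names (exe_url, trusted_dl, octet_stream) are hypothetical, and the whitelist uses two of the vendor domains named in the thread as sample values.

```conf
# --- Approach 1: match on the request URL (extension-based) ---
# Evaluated before the origin server is contacted, so it only sees the URL.
# It matches CGI-style URLs such as /myscript.exe?value=blabla (which return
# HTML, not a download) and cannot see a download whose URL has no ".exe".
acl exe_url urlpath_regex -i \.exe(\?.*)?$
# http_access deny exe_url        # left disabled; shown for comparison only

# --- Approach 2: match on the reply Content-Type, with a whitelist ---
# rep_mime_type is checked against the Content-Type header of the reply,
# so it is only usable in http_reply_access, not in http_access.
acl octet_stream rep_mime_type -i ^application/octet-stream

# Sample whitelist (assumption: replace with the sites you actually trust).
# The leading dot matches the domain and all of its subdomains.
acl trusted_dl dstdomain .microsoft.com .adobe.com

# Order matters: the first matching http_reply_access line wins.
http_reply_access allow trusted_dl
http_reply_access deny octet_stream
http_reply_access allow all
```

The reply rule acts on the Content-Type the server declares, so its coverage is worth checking against your own access.log content types before enforcing it.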
