When a ThreatPulse (Cloud) Web Security Service policy rule is set to Block the
Executables File Type, the policy blocks a PDF file, yet another PDF file is accessible.
This article describes the methods used to determine Executables and why the PDF is blocked.
The following are the guidelines that the Web Security Service uses to determine Executables (this is not an exhaustive list).
HTTP response headers (application/octet-stream can cause false-positives)
HTTP file extensions
The following CPL summarizes the tests that classify an object as Executables; the list is not exhaustive:
define condition Object_RepresentedAs_Executable
    ; Test URL extension
    url.extension=(exe,com,cab,ocx,dll,msi)
    ; Test for content-type headers
    response.header.Content-Type="application/cab"
    response.header.Content-Type="application/octet-stream"
    response.header.Content-Type="application/x-msdownload"
    response.header.Content-Type="application/x-msdos-program"
    ; Test for content-disposition (how to save) headers
    response.x_header.Content-Disposition = "\.(exe|com|cab|ocx|dll|msi)($|[^a-z0-9])"
end
NOTE: Blocking by file extension and its MIME type is not currently possible.
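The three tests in the condition above, reproduced as an added Python example (not code from the Web Security Service) that reports which test a given response trips. The sample URLs and headers are constructed, and the case-insensitive matching of the header values is an assumption about how the policy engine compares them.

```python
import re
from urllib.parse import urlsplit

# Values copied from the CPL condition; case-insensitive matching is an assumption.
EXTENSIONS = {"exe", "com", "cab", "ocx", "dll", "msi"}
CONTENT_TYPES = ("application/cab", "application/octet-stream",
                 "application/x-msdownload", "application/x-msdos-program")
DISPOSITION_RE = re.compile(r"\.(exe|com|cab|ocx|dll|msi)($|[^a-z0-9])", re.IGNORECASE)


def executable_reasons(url, headers):
    """Return the list of tests from the condition that this response trips."""
    # HTTP header names are case-insensitive.
    hdrs = {k.lower(): v for k, v in headers.items()}
    reasons = []

    # Test URL extension: text after the last dot of the last path segment.
    segment = urlsplit(url).path.rsplit("/", 1)[-1]
    ext = segment.rsplit(".", 1)[-1].lower() if "." in segment else ""
    if ext in EXTENSIONS:
        reasons.append("url.extension=" + ext)

    # Test Content-Type (assumption: substring match on the header value).
    ctype = hdrs.get("content-type", "").lower()
    for candidate in CONTENT_TYPES:
        if candidate in ctype:
            reasons.append("Content-Type=" + candidate)

    # Test Content-Disposition (the "save as" file name).
    if DISPOSITION_RE.search(hdrs.get("content-disposition", "")):
        reasons.append("Content-Disposition")
    return reasons


# Constructed sample responses (hypothetical hosts and file names).
SAMPLES = [
    ("https://docs.example.test/a/report.pdf", {"Content-Type": "application/pdf"}),
    ("https://files.example.test/b/report.pdf", {"Content-Type": "application/octet-stream"}),
    ("https://files.example.test/get?id=7",
     {"Content-Type": "application/pdf",
      "Content-Disposition": 'attachment; filename="setup.exe"'}),
]

if __name__ == "__main__":
    for url, headers in SAMPLES:
        hits = executable_reasons(url, headers)
        print(url, "->", "Executable: " + ", ".join(hits) if hits else "not matched")
```

Because the tests are alternatives, any single match is enough: the second sample is a PDF by name but is still classified as Executables on its generic Content-Type alone.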
This Executable rule blocks the PDF because the content was delivered with the content-type as