topic Have you grepped the access in Web Security

WSA Ironport allow exe downloads from specific URL's (WSUS Server)

scott.walker1 — Mon, 22 Feb 2016 14:05:17 GMT

Good Morning guys,

I have a task to allow the WSUS Server the ability to download .exe files from the windowsupdate sites etc...

So far i have

1) Created a new Access Policy

2) Specified the relevant account to from the Identity (still using authentication)

3) Removed Object Blocking from the Access Policy

Everything else uses the global setting such as malware and user agents, at this stage.

However as stated i need to find away of only allowing .exe downloads from a url list therefore blocking .exe's from elsewhere for this account. Is this possible? and if so any pointers as im now struggling.

Have you grepped the access

Ken Stieers — Mon, 22 Feb 2016 15:44:53 GMT

Have you grepped the access log then clicked Sync Now in WSUS to see what's going on?

SSH to the WSA and

wsav1> grep to the WSA

wsav1> grep

.
39. "webcat_logs" Type: "Web Categorization Logs" Retrieval: FTP Poll
40. "webrootlogs" Type: "Webroot Logs" Retrieval: FTP Poll
41. "welcomeack_logs" Type: "Welcome Page Acknowledgement Logs" Retrieval: FTP
Poll
Enter the number of the log you wish to grep.

[]> 1 <enter>

Enter the regular expression to grep.
[]> <ip address of wsus box> <enter>

Do you want this search to be case insensitive? [Y]> <enter>

Do you want to search for non-matching lines? [N]> <enter>

Do you want to tail the logs? [N]> Y <enter>

Do you want to paginate the output? [N]> <enter>

Press Ctrl-C to stop.

That may tell you what's going on.

I know that at one point, I had to add one Microsoft's intermediate certificates to the WSA as the logs showed untrusted root cert issues.

We also ended up marking all of the Windows Store and Windows update sites to not be decrypted... (put them in a custom category, and set them as passthrough in the decryption policy.)

Hi,

scott.walker1 — Mon, 22 Feb 2016 15:53:25 GMT

Hi,

Yes we have done a grep and a also the reporting from GUI.

They are being blocked due to Object blocking and file types. i.e. we block .exe in the global policy.

I can create a new access policy to allow the user account or machine to download different object types, however I need to only allow .exe downloads from a defined domain. so Microsoft url can download .exe whilst blocking .exe downloads from other locations.

The other workaround is to

Handy Putra — Wed, 24 Feb 2016 00:54:13 GMT

The other workaround is to create a custom URL category for Microsoft .exe download while still blocking other .exe object in that policy.

1. create custom URL category and put the microsoft download URL in the 'sites' box and under Regular Expressions box put expression such as \.exe

2. Include that custom URL category to your access policy

3. Set that custom URL category to "Allow" (do not set it to "Monitor" since it will be scanned with the object scanning that you have set to block all .exe extension file)