Block executable files included in Office documents (Cisco WSA)

REJR77
Level 1

Dear community,

I would like to know if on a Web Security Appliance On Prem it is possible to block executable files included in PDF or DOCX files?

I can block exe downloads, but it looks like when the exe is included, users can download them!

Thank you

6 Replies

balaji.bandi
Hall of Fame

Yes, it is possible to block, depending on your policies and the version of WSA code you are running.

Check the example MIME types:

https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/118486-technote-wsa-00.html#reference

 

BB

REJR77
Level 1

Hello Balaji,

Are you sure?

From my point of view the MIME type of the Word Document with exe included in it will remain the same.

 

Word/PPT files get unzipped and the pieces checked too, so mime type checking ought to catch what is embedded in them.

Hello Ken,

OK, the WSA is able to detect "multiple" MIME types in a single file?

So I would just need to check for the MIME type like: application/octet-stream

It should.
Also application/vnd.microsoft.portable-executable
(that last one is newish, but IANA has it listed.)
Octet-stream is pretty generic, so keep an eye on what else gets caught...


amojarra
Cisco Employee

@REJR77 

You can put [MIME = %c] in the accesslogs custom fields to see the MIME type detected by the WSA.

You can use this guide to edit the Custom Fields in the AccessLogs:

https://www.cisco.com/c/en/us/support/docs/security/secure-web-appliance-virtual/220456-configure-performance-parameter-in-acces.html

 

Kindly make sure WSA is decrypting the traffic first.  

 

 

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++     If you find this answer helpful, please rate it as such    ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++
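
An added example, not part of the thread and not a description of how the WSA inspects files: a small offline check that unzips an OOXML document (.docx/.pptx) and looks inside each part for a PE header, which is the "unzip and check the pieces" idea from the replies above. The sample document, the stub bytes and the function names are constructed for illustration; the PE test is a heuristic (MZ magic plus a valid `e_lfanew` pointer to `PE\0\0`).

```python
import io
import struct
import zipfile

def find_pe_offset(data: bytes) -> int:
    """Return the offset of the first plausible PE image in data, or -1."""
    pos = data.find(b"MZ")
    while pos != -1:
        # e_lfanew (offset of the "PE\0\0" signature) is stored at MZ + 0x3C
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            sig = pos + e_lfanew
            if 0 < e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\0\0":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return -1

def scan_ooxml(blob: bytes, max_member=50 * 1024 * 1024):
    """List (part name, offset) for every ZIP part that carries a PE image."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > max_member:
                continue  # oversized parts are skipped here; a real check should flag them
            off = find_pe_offset(zf.read(info))
            if off != -1:
                hits.append((info.filename, off))
    return hits

def _fake_pe() -> bytes:
    # Constructed, non-functional stub: DOS magic, e_lfanew=0x80, PE signature only
    stub = bytearray(0x80)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)
    return bytes(stub) + b"PE\0\0" + bytes(20)

def build_sample(embed: bool) -> bytes:
    # Constructed .docx-like ZIP; the stub sits behind 512 wrapper bytes, as in an OLE object
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>MZ is just text here</w:document>")
        if embed:
            zf.writestr("word/embeddings/oleObject1.bin", bytes(512) + _fake_pe())
    return buf.getvalue()

if __name__ == "__main__":
    for label, blob in (("clean", build_sample(False)), ("embedded", build_sample(True))):
        print(label, scan_ooxml(blob))
```

Both sample documents are ordinary ZIP containers from the outside, so only the per-part scan tells them apart. A plain "MZ" string in the document text is not reported because the `e_lfanew` check fails.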