Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
148
Views
0
Helpful
6
Replies

Block executable files included in Office documents (Cisco WSA)

REJR77
Level 1
Level 1

‎04-02-2025 10:16 AM

Dear community,

I would like to know if on a Web Security Appliance On Prem it is possible to block executable file included in pdf or docx files?

I can block exe downlaod, but looks that when the exe is included users can download them!

Thank you

Labels:
0 Helpful
6 Replies 6

balaji.bandi
Hall of Fame
Hall of Fame

‎04-02-2025 11:36 PM

Yes, it is possible to block, depending on your policies and the version of WSA code you are running.

Check example mime types :

https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/118486-technote-wsa-00.html#reference

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

REJR77
Level 1
Level 1

‎04-03-2025 04:40 AM

Hello Balaji,

Are you sure?

From my point of view the MIME type of the Word Document with exe included in it will remain the same.

 

0 Helpful

Ken Stieers
VIP
VIP
In response to REJR77

‎04-03-2025 04:56 AM

Word/PPT files get unzipped and the pieces checked too, so mime type checking ought to catch what is embedded in them.
0 Helpful

REJR77
Level 1
Level 1
In response to Ken Stieers

‎04-03-2025 05:04 AM

Hello Ken,

Ok the WSA is able to detect "multilple" MIME type in a single file? 

So I would just need to check for the MIME type like: application/octet-stream

0 Helpful

Ken Stieers
VIP
VIP
In response to REJR77

‎04-03-2025 06:00 AM

It should.
Also application/vnd.microsoft.portable-executable
(that last one is newish, but IANA has it listed.)
Octet-steam is pretty generic, so keep an eye on what else gets caught...


0 Helpful

amojarra
Cisco Employee
Cisco Employee

‎04-07-2025 05:47 AM

@REJR77 

You can put [MIME = %c] in the accesslogs custom fields to see the MIME type detected by WSA

you can use this guide to edit the Custom Fields in the AccessLogs:

https://www.cisco.com/c/en/us/support/docs/security/secure-web-appliance-virtual/220456-configure-performance-parameter-in-acces.html

 

Kindly make sure WSA is decrypting the traffic first.  

 

 

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++     If you find this answer helpful, please rate it as such    ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

Regards,
Amirhossein Mojarrad
+++++++++++++++++++++++++++++++++++++++++++++++++++
++++ If you find this answer helpful, please rate it as such ++++
+++++++++++++++++++++++++++++++++++++++++++++++++++
0 Helpful
Customers Also Viewed These Support Documents