Welcome to ISAserver.org

Unable to block activeX D/L

All Forums >> [ISA Server 2004 Firewall] >> HTTP Filtering >> Unable to block activeX D/L Page: [1]
Unable to block activeX D/L - 13.Jan.2005 7:03:00 AM
dinodod

OK, I thought I could, but it turns out I can't seem to block a simple CAB file from this one site (now I have to scour my logs for other instances).

Live365's player from: http://www.live365.com/cgi-bin/mini.cgi?stream=1274984&genre=&url=http%3A//www.live365.com/cgi-bin/mini.cgi%3Fstream%3D1274984%26genre%3D&tm=1105595177968

In the logs I see the file as a .cab, and I have the .cab filter in place to block it, but it is getting past that rule and being allowed. Can anyone tell me what I need to filter to actually block this from getting installed?

I'm running ISA 2004 Standard in single-NIC mode, but that should be OK...

Here is my content filter:

<?xml version="1.0" encoding="UTF-8"?>
<fpc4:Root xmlns:fpc4="http://schemas.microsoft.com/isa/config-4" xmlns:dt="urn:schemas-microsoft-com:datatypes" StorageName="FPC" StorageType="0">
<fpc4:Build dt:dt="string">4.0.2161.50</fpc4:Build>
<fpc4:Comment dt:dt="string"/>
<fpc4:Edition dt:dt="int">80</fpc4:Edition>
<fpc4:ExportItemClassCLSID dt:dt="string">{B79B86B7-0B14-46C5-BF4F-C76A63E28582}</fpc4:ExportItemClassCLSID>
<fpc4:ExportItemStorageName dt:dt="string">{C65F0133-7738-4121-B3AE-45A19B4A5B91}</fpc4:ExportItemStorageName>
<fpc4:IsaXmlVersion dt:dt="string">1.0</fpc4:IsaXmlVersion>
<fpc4:OptionalData dt:dt="int">4</fpc4:OptionalData>
<fpc4:Upgrade dt:dt="boolean">0</fpc4:Upgrade>
<fpc4:Arrays StorageName="Arrays" StorageType="0">
<fpc4:Array StorageName="{21D72885-111F-443B-8285-95E62E3AD819}" StorageType="0">
<fpc4:Components dt:dt="int">-1</fpc4:Components>
<fpc4:Name dt:dt="string"/>
<fpc4:RuleElements StorageName="RuleElements" StorageType="0">
<fpc4:ContentTypeSets StorageName="ContentTypeSets" StorageType="0">
<fpc4:ContentTypeSet StorageName="{C65F0133-7738-4121-B3AE-45A19B4A5B91}" StorageType="1">
<fpc4:ContentStrings>
<!-- MIME types -->
<fpc4:Str dt:dt="string">application/cab</fpc4:Str>
<fpc4:Str dt:dt="string">application/fractals</fpc4:Str>
<fpc4:Str dt:dt="string">application/hta</fpc4:Str>
<fpc4:Str dt:dt="string">application/internet-property-stream</fpc4:Str>
<fpc4:Str dt:dt="string">application/mac-binhex40</fpc4:Str>
<fpc4:Str dt:dt="string">application/octet-stream</fpc4:Str>
<fpc4:Str dt:dt="string">application/oda</fpc4:Str>
<fpc4:Str dt:dt="string">application/oleobject</fpc4:Str>
<fpc4:Str dt:dt="string">application/olescript</fpc4:Str>
<fpc4:Str dt:dt="string">application/pics-rules</fpc4:Str>
<fpc4:Str dt:dt="string">application/pkcs10</fpc4:Str>
<fpc4:Str dt:dt="string">application/pkcs7-mime</fpc4:Str>
<fpc4:Str dt:dt="string">application/pkcs7-signature</fpc4:Str>
<fpc4:Str dt:dt="string">application/pkix-crl</fpc4:Str>
<fpc4:Str dt:dt="string">application/set-payment-initiation</fpc4:Str>
<fpc4:Str dt:dt="string">application/set-registration-initiation</fpc4:Str>
<fpc4:Str dt:dt="string">application/vndms-pkicertstore</fpc4:Str>
<fpc4:Str dt:dt="string">application/vndms-pkipko</fpc4:Str>
<fpc4:Str dt:dt="string">application/vndms-pkiseccat</fpc4:Str>
<fpc4:Str dt:dt="string">application/vndms-pkistl</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-bcpio</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-cdf</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-compress</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-compressed</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-cpio</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-csh</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-dvi</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-hdf</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-internet-signup</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-iphone</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-latex</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-msdownload</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-msmediaview</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-mspublisher</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-msschedule</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-netcdf</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-pkcs12</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-pkcs7-certificates</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-pkcs7-certreqresp</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-sh</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-shar</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-stuffit</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-sv4cpio</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-sv4crc</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-tcl</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-tex</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-texinfo</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-troff</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-troff-man</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-troff-me</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-troff-ms</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-ustar</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-wais-source</fpc4:Str>
<fpc4:Str dt:dt="string">application/x-x509-ca-cert</fpc4:Str>
<fpc4:Str dt:dt="string">text/scriptlet</fpc4:Str>
<fpc4:Str dt:dt="string">zz-application/zz-winassoc-cab</fpc4:Str>
<!-- file extensions -->
<fpc4:Str dt:dt="string">.acx</fpc4:Str>
<fpc4:Str dt:dt="string">.axs</fpc4:Str>
<fpc4:Str dt:dt="string">.bcpio</fpc4:Str>
<fpc4:Str dt:dt="string">.bin</fpc4:Str>
<fpc4:Str dt:dt="string">.cab</fpc4:Str>
<fpc4:Str dt:dt="string">.cat</fpc4:Str>
<fpc4:Str dt:dt="string">.cdf</fpc4:Str>
<fpc4:Str dt:dt="string">.cer</fpc4:Str>
<fpc4:Str dt:dt="string">.cpio</fpc4:Str>
<fpc4:Str dt:dt="string">.crl</fpc4:Str>
<fpc4:Str dt:dt="string">.crt</fpc4:Str>
<fpc4:Str dt:dt="string">.csh</fpc4:Str>
<fpc4:Str dt:dt="string">.dcr</fpc4:Str>
<fpc4:Str dt:dt="string">.der</fpc4:Str>
<fpc4:Str dt:dt="string">.dir</fpc4:Str>
<fpc4:Str dt:dt="string">.dll</fpc4:Str>
<fpc4:Str dt:dt="string">.dvi</fpc4:Str>
<fpc4:Str dt:dt="string">.dxr</fpc4:Str>
<fpc4:Str dt:dt="string">.evy</fpc4:Str>
<fpc4:Str dt:dt="string">.exe</fpc4:Str>
<fpc4:Str dt:dt="string">.fif</fpc4:Str>
<fpc4:Str dt:dt="string">.hdf</fpc4:Str>
<fpc4:Str dt:dt="string">.hqx</fpc4:Str>
<fpc4:Str dt:dt="string">.hta</fpc4:Str>
<fpc4:Str dt:dt="string">.iii</fpc4:Str>
<fpc4:Str dt:dt="string">.ins</fpc4:Str>
<fpc4:Str dt:dt="string">.isp</fpc4:Str>
<fpc4:Str dt:dt="string">.latex</fpc4:Str>
<fpc4:Str dt:dt="string">.m13</fpc4:Str>
<fpc4:Str dt:dt="string">.m14</fpc4:Str>
<fpc4:Str dt:dt="string">.man</fpc4:Str>
<fpc4:Str dt:dt="string">.me</fpc4:Str>
<fpc4:Str dt:dt="string">.ms</fpc4:Str>
<fpc4:Str dt:dt="string">.msi</fpc4:Str>
<fpc4:Str dt:dt="string">.mvb</fpc4:Str>
<fpc4:Str dt:dt="string">.nc</fpc4:Str>
<fpc4:Str dt:dt="string">.oda</fpc4:Str>
<fpc4:Str dt:dt="string">.ods</fpc4:Str>
<fpc4:Str dt:dt="string">.p10</fpc4:Str>
<fpc4:Str dt:dt="string">.p12</fpc4:Str>
<fpc4:Str dt:dt="string">.p7b</fpc4:Str>
<fpc4:Str dt:dt="string">.p7c</fpc4:Str>
<fpc4:Str dt:dt="string">.p7m</fpc4:Str>
<fpc4:Str dt:dt="string">.p7r</fpc4:Str>
<fpc4:Str dt:dt="string">.p7s</fpc4:Str>
<fpc4:Str dt:dt="string">.pfx</fpc4:Str>
<fpc4:Str dt:dt="string">.pko</fpc4:Str>
<fpc4:Str dt:dt="string">.prf</fpc4:Str>
<fpc4:Str dt:dt="string">.pub</fpc4:Str>
<fpc4:Str dt:dt="string">.roff</fpc4:Str>
<fpc4:Str dt:dt="string">.scd</fpc4:Str>
<fpc4:Str dt:dt="string">.sct</fpc4:Str>
<fpc4:Str dt:dt="string">.setpay</fpc4:Str>
<fpc4:Str dt:dt="string">.setreg</fpc4:Str>
<fpc4:Str dt:dt="string">.sh</fpc4:Str>
<fpc4:Str dt:dt="string">.shar</fpc4:Str>
<fpc4:Str dt:dt="string">.sit</fpc4:Str>
<fpc4:Str dt:dt="string">.spc</fpc4:Str>
<fpc4:Str dt:dt="string">.spl</fpc4:Str>
<fpc4:Str dt:dt="string">.src</fpc4:Str>
<fpc4:Str dt:dt="string">.sst</fpc4:Str>
<fpc4:Str dt:dt="string">.stl</fpc4:Str>
<fpc4:Str dt:dt="string">.sv4cpio</fpc4:Str>
<fpc4:Str dt:dt="string">.sv4crc</fpc4:Str>
<fpc4:Str dt:dt="string">.t</fpc4:Str>
<fpc4:Str dt:dt="string">.tcl</fpc4:Str>
<fpc4:Str dt:dt="string">.tex</fpc4:Str>
<fpc4:Str dt:dt="string">.texi</fpc4:Str>
<fpc4:Str dt:dt="string">.texinfo</fpc4:Str>
<fpc4:Str dt:dt="string">.tr</fpc4:Str>
<fpc4:Str dt:dt="string">.ustar</fpc4:Str>
<fpc4:Str dt:dt="string">.vbs</fpc4:Str>
</fpc4:ContentStrings>
<fpc4:Name dt:dt="string">EXEs &amp; MSIs</fpc4:Name>
</fpc4:ContentTypeSet>
</fpc4:ContentTypeSets>
</fpc4:RuleElements>
</fpc4:Array>
</fpc4:Arrays>
</fpc4:Root>
Post #: 1
RE: Unable to block activeX D/L - 14.Jan.2005 11:53:00 AM
tshinder
I don't see anything in the URL that indicates that a .cab file is being downloaded. Is something missing from the URL?

thanks!
Tom

(in reply to dinodod)
Post #: 2
RE: Unable to block activeX D/L - 14.Jan.2005 7:21:00 PM
dinodod
Only when I clicked on the link to actually start the install process did I see the .cab file mentioned in my ISA log.

http://www.live365.com/players/play365.cab
The MIME type reports it as text/plain; charset=ISO-8859-1?

While I could filter the URL, it won't prevent other sites from skipping the rules. Any thoughts?

(in reply to dinodod)
Post #: 3
RE: Unable to block activeX D/L - 17.Jan.2005 7:47:00 PM
dinodod
It's confirmed. I am seeing logs showing that users are downloading .cab files from various sites such as Macromedia Flash and Apple QuickTime. What can I add to filter out the .cab extension?

http://a1540.g.akamai.net/7/1540/52/20031027/qtinstall.info.apple.com/qtactivex/qtplugin.cab
http://download.windowsupdate.com/msdownload/update/v5/redir/wuredir.cab?0501121625
http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
http://qtinstall.apple.com/qtactivex/qtplugin.cab
http://www-3.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab

(in reply to dinodod)
Post #: 4
RE: Unable to block activeX D/L - 20.Jan.2005 9:59:00 PM
dinodod
Any thoughts?

(in reply to dinodod)
Post #: 5
RE: Unable to block activeX D/L - 25.Jan.2005 2:24:00 PM
dinodod
Anyone?

(in reply to dinodod)
Post #: 6
RE: Unable to block activeX D/L - 25.May2005 10:15:00 AM
lhamstra
We have the same problem!
Does anyone have an answer to this?
We blocked .cab and the MIME type text/plain.
It works for some .cab files, but it also blocks wanted traffic.

(in reply to dinodod)
Post #: 7
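The thread shows the core weakness of a MIME-type list: the server labelled play365.cab as text/plain, so the application/cab entry never matched, and the later reply found that blocking text/plain outright breaks legitimate traffic. Below is an added example, written for this page and not code from the thread or from ISA Server, that separates the three signals a filter can use: the declared Content-Type (what the posted list matches on), the extension in the URL path with any query string stripped, and the "MSCF" magic bytes that begin every Microsoft Cabinet file. It loads a constructed, shortened copy of the posted content type set (same fpc4 element names and namespace), then classifies constructed sample responses; the live365 and Windows Update URLs are the ones quoted above, with made-up bodies. The MAGIC table and the example.test URL are assumptions for illustration. In ISA Server 2004 the nearest native home for the magic-byte check is an HTTP filter signature searched in the response body; verify against your own logs that it fires before relying on it.

```python
"""Content-type filter signals: declared MIME type, URL extension, magic bytes.

Added example for the ISA 2004 thread above; not ISA Server code. The XML
below is a constructed, abbreviated copy of the content type set posted in
the thread, kept in the same fpc4 element names and namespace.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

FPC4 = "{http://schemas.microsoft.com/isa/config-4}"

# Constructed, shortened copy of the posted "EXEs & MSIs" set.
CONTENT_TYPE_SET_XML = """<fpc4:Root xmlns:fpc4="http://schemas.microsoft.com/isa/config-4"
           xmlns:dt="urn:schemas-microsoft-com:datatypes">
  <fpc4:ContentTypeSet StorageName="{C65F0133-7738-4121-B3AE-45A19B4A5B91}">
    <fpc4:ContentStrings>
      <fpc4:Str dt:dt="string">application/cab</fpc4:Str>
      <fpc4:Str dt:dt="string">application/octet-stream</fpc4:Str>
      <fpc4:Str dt:dt="string">application/x-msdownload</fpc4:Str>
      <fpc4:Str dt:dt="string">zz-application/zz-winassoc-cab</fpc4:Str>
      <fpc4:Str dt:dt="string">.cab</fpc4:Str>
      <fpc4:Str dt:dt="string">.exe</fpc4:Str>
      <fpc4:Str dt:dt="string">.msi</fpc4:Str>
    </fpc4:ContentStrings>
    <fpc4:Name dt:dt="string">EXEs &amp; MSIs</fpc4:Name>
  </fpc4:ContentTypeSet>
</fpc4:Root>"""


def load_content_type_set(xml_text):
    """Split an fpc4 ContentTypeSet into (mime_types, extensions).

    The export mixes both kinds in one <fpc4:ContentStrings> list; entries
    starting with '.' are extensions, entries with '/' are MIME types.
    """
    root = ET.fromstring(xml_text)
    mimes, exts = set(), set()
    for s in root.iter(FPC4 + "Str"):
        value = (s.text or "").strip().lower()
        if value.startswith("."):
            exts.add(value)
        elif "/" in value:
            mimes.add(value)
    return mimes, exts


# Constructed table of leading bytes for executable containers (assumption:
# only these two are checked). CAB files always begin with "MSCF".
MAGIC = (
    (b"MSCF", "application/vnd.ms-cab-compressed"),  # Microsoft Cabinet
    (b"MZ", "application/x-msdownload"),             # PE executable / DLL
)


def sniff_mime(body_prefix):
    """Identify the container from the first bytes of the response body."""
    for magic, mime in MAGIC:
        if body_prefix.startswith(magic):
            return mime
    return None


def declared_mime(content_type):
    """'text/plain; charset=ISO-8859-1' -> 'text/plain'"""
    return content_type.split(";")[0].strip().lower() if content_type else ""


def url_extension(url):
    """Extension of the URL path only, so '?0501121625' does not hide '.cab'."""
    m = re.search(r"(\.[A-Za-z0-9]+)$", urlsplit(url).path)
    return m.group(1).lower() if m else ""


def classify(url, content_type, body_prefix, mimes, exts):
    """Return the list of signals that say 'block'; empty means allow.

    A header-only filter sees just the first signal, which is why a CAB
    served as text/plain slips through it. Magic bytes block regardless of
    the list, since a recognised executable container is the real risk.
    """
    reasons = []
    if declared_mime(content_type) in mimes:
        reasons.append("declared-mime")
    if url_extension(url) in exts:
        reasons.append("extension")
    sniffed = sniff_mime(body_prefix)
    if sniffed is not None:
        reasons.append("magic:" + sniffed)
    return reasons


# Constructed sample responses: the two URLs quoted in the thread with
# made-up bodies, plus an ordinary text file that must stay allowed.
SAMPLES = [
    ("http://www.live365.com/players/play365.cab",
     "text/plain; charset=ISO-8859-1",
     b"MSCF\x00\x00\x00\x00" + b"\x00" * 24),
    ("http://download.windowsupdate.com/msdownload/update/v5/redir/wuredir.cab?0501121625",
     "application/octet-stream",
     b"MSCF\x00\x00\x00\x00" + b"\x00" * 24),
    ("http://example.test/README.txt",
     "text/plain; charset=ISO-8859-1",
     b"This is an ordinary text file.\n"),
]


def run_samples():
    """Classify every sample; returns {url: reasons}."""
    mimes, exts = load_content_type_set(CONTENT_TYPE_SET_XML)
    return {url: classify(url, ct, body, mimes, exts) for url, ct, body in SAMPLES}


if __name__ == "__main__":
    for url, reasons in run_samples().items():
        print(("BLOCK " if reasons else "ALLOW ") + url, reasons)
```

The text/plain CAB is caught only by the extension and magic-byte checks, the README stays allowed even though it shares the same Content-Type, and the Windows Update URL shows why the extension must be read from the path rather than the whole URL. Blocking on magic bytes rather than on the declared type is what removes the over-blocking the last reply describes.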
