In order to enhance the security of our network, I would like to prevent users from downloading certain types of files, such as executables and music. Both ISA Server and several add-ins have options for doing so, but they all seem to be based on the file's MIME type and/or extension. Unfortunately this type of file checking is extremely limited; for example, if someone renames a file 'game.exe' to 'document.pdf' and places it on a web server, a user would be able to download it, rename the downloaded copy to 'game.exe' and do all kinds of stuff with it, most of which is probably not work-related.
To prevent users from using such workarounds, I am looking for an add-in for ISA Server that is able to determine the file type based on its contents, rather than the MIME type or extension, and that allows me to choose which types of files to allow and/or which to block. GFI WebMonitor claims to be able to do exactly what I want, but after doing a simple test this claim does not seem to hold true.
Can someone tell me which ISA add-in can perform this type of content filtering, if such a piece of software exists at all? Thanks in advance.
We're using GFI WebMonitor and blocking of re-named files seems to work for us.
What is happening exactly in your case?
I took a small MP3 file, renamed it to 'test.pdf' and uploaded this file to a web server. In GFI WebMonitor, I configured Web Traffic Scanning to block MP3 audio and to allow PDF documents and scan them for viruses.
After applying the settings in WebMonitor, I am still able to download the 'test.pdf' file without any errors or warnings, where I would expect WebMonitor to recognize it as an MP3 file. Renaming the downloaded file to 'test.mp3' produces a perfectly playable piece of audio. I also noticed that I don't see the page with the progress bar WebMonitor usually produces, even though I configured antivirus scanning to show the progress to the user. Instead, the browser (IE 6.0 SP2) starts Adobe Reader immediately to open the file.
Since WebMonitor seems to do the trick for you, I will do some additional testing with other files and file types. Thanks for your reply!
It would appear that the file is not being scanned by GFI WebMonitor. Can you ensure that the website you are downloading from is not listed being excluded from scanning?
Yup, I double-checked, and the site is not excluded.
However, I did the same test I described in my reply to Antioch, using an .exe file instead, and this time the file is blocked. I haven't tested any other files yet, but my first impression is that WebMonitor's MP3 detection is not 100% reliable.