I noticed some users were viewing movies or receiving radio via the internet. I checked the ISA log and saw they were using wmplayer.exe. How can I set up a rule to disable / reject wmplayer.exe? Also, I set up a rule to reject all outbound traffic with content type = audio and video. Is this a good way, or will it cause a lot of inconvenience to good users? Any suggestion is greatly appreciated.
From: Taylorville, IL
Pretty much impossible. "Audio and Video" is only classified as such when it is "streamed" with streaming protocols, but having a link on a web page to an AVI, MPG, or WMV file is not "streaming", therefore it is not classified as "Audio / Video". It is just a link to a file; it could just as easily have been a PDF file. How does it open in the WMP or the Acrobat Reader? Well, that only happens after the download has finished, when Windows opens the file based on the File Associations in Windows. So the WMP playing the file or the Adobe Reader opening the file never happens "over the internet"; it is happening locally on the machine only.
The best you can do is to try to block by the type "audio / video" as you are doing, and also try to block by file types, and use signatures. It takes all the methods combined and still may not work 100%.
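The three checks named in the answer (content type, file type, signature), run over a few constructed proxy log records to show which requests each check catches. This is an added example, not part of the original posts; the record fields, hostnames and User-Agent substrings are assumptions and do not reproduce ISA Server's own log format.

```python
import posixpath
from urllib.parse import urlsplit

# Assumed lists for illustration; extend to match local policy.
MEDIA_EXTENSIONS = {".avi", ".mpg", ".mpeg", ".wmv", ".wma", ".asf", ".mp3"}
PLAYER_SIGNATURES = ("windows-media-player", "nsplayer")  # User-Agent substrings

def classify(entry):
    """Return the set of checks that flag this request as audio/video."""
    hits = set()
    # 1. Content type: only helps when the server labels the response as media.
    ctype = entry.get("content_type", "").split(";")[0].strip().lower()
    if ctype.startswith(("audio/", "video/")):
        hits.add("content-type")
    # 2. File type: extension of the URL path, ignoring the query string.
    path = urlsplit(entry["url"]).path
    if posixpath.splitext(path)[1].lower() in MEDIA_EXTENSIONS:
        hits.add("extension")
    # 3. Signature: the player identifying itself in the request header.
    agent = entry.get("user_agent", "").lower()
    if any(sig in agent for sig in PLAYER_SIGNATURES):
        hits.add("signature")
    return hits

BROWSER = "Mozilla/4.0 (compatible; MSIE 6.0)"
# Constructed sample records, not taken from a real log.
SAMPLE_LOG = [
    {"url": "http://radio.example/stream", "content_type": "video/x-ms-asf",
     "user_agent": "NSPlayer/9.0"},                  # player streaming directly
    {"url": "http://files.example/clip.wmv",
     "content_type": "application/octet-stream", "user_agent": BROWSER},
    {"url": "http://files.example/get?id=7", "content_type": "video/mpeg",
     "user_agent": BROWSER},
    {"url": "http://files.example/manual.pdf", "content_type": "application/pdf",
     "user_agent": BROWSER},
    {"url": "http://files.example/get?id=8",         # media behind a generic URL
     "content_type": "application/octet-stream", "user_agent": BROWSER},
]

def report(log):
    """Map each URL to the sorted list of checks that flagged it."""
    return {e["url"]: sorted(classify(e)) for e in log}

if __name__ == "__main__":
    for url, hits in report(SAMPLE_LOG).items():
        print(f"{url:40} {', '.join(hits) or 'not flagged'}")
```

The last record is a media file downloaded by the browser with a generic content type and no telling extension, so none of the three checks flags it, which matches the point that the combined methods still may not work 100%.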