Support Forum
Hosemacht
Contributor II

Block Javascript in ZIP Archives ?

Hi all,

I've got a FortiGate 200E cluster running with FortiOS 5.4.4.

I was trying to block JavaScript files that are contained in ZIP archives, but I don't want to block all JavaScript or all ZIP archives.

Is it possible to block those files only in this particular condition?

The background: a flood of emails with links to such files, and if a user opens the ZIP and launches the .js it triggers a download of a disguised malware which will be renamed by the script to an *.exe file and then be executed.

Pretty hard to detect.

Please help.

Regards,

the giraffe that wasnt president

sudo apt-get-rekt
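For readers who can hook the archive bytes somewhere else in the mail or download path (a mail gateway, a proxy ICAP service, a quarantine script), the condition asked about above can be expressed directly: open the ZIP, look at each member's final extension, and block only when a script member is present. This is an added Python example written for this thread, not FortiGate functionality and not code from anyone posting here; the list of script extensions, the nesting depth and the size cap on nested archives are this example's own assumptions, and every archive it inspects is constructed inline as sample data.

```python
import io
import zipfile
from typing import Dict, List

# Extensions that Windows Script Host / Explorer execute directly on double-click.
# Assumed policy list for this example; extend it to match local needs.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
MAX_DEPTH = 3                        # how deep to follow ZIP-in-ZIP nesting (assumed limit)
MAX_NESTED_BYTES = 50 * 1024 * 1024  # do not expand a nested archive larger than this (assumed)


def _last_extension(name: str) -> str:
    """Return the final extension of an archive member name, lower-cased.
    Only the last extension matters: 'Invoice.pdf.JS' is a .js file."""
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def script_entries(data: bytes, depth: int = 0) -> List[str]:
    """Return member names inside `data` whose extension is a script type.

    Non-ZIP input yields [], so a bare .js file or a plain document is never
    flagged by this check. Nested ZIPs are opened recursively so a payload
    wrapped in a second archive is still reported, as 'outer.zip/inner.js'.
    """
    if depth > MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    found: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = _last_extension(info.filename)
            if ext in SCRIPT_EXTENSIONS:
                found.append(info.filename)
            elif ext == ".zip" and info.file_size <= MAX_NESTED_BYTES:
                inner = zf.read(info)
                found.extend(f"{info.filename}/{m}" for m in script_entries(inner, depth + 1))
    return found


def should_block(data: bytes) -> bool:
    """Policy decision: block only archives that carry at least one script member."""
    return bool(script_entries(data))


def build_sample(members: Dict[str, bytes]) -> bytes:
    """Construct an in-memory ZIP from {member_name: content} (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a harmless archive, a lure with a double extension,
    # a nested archive, and a plain .js file outside any archive.
    samples = {
        "report.zip": build_sample({"report.pdf": b"%PDF-1.4", "notes.txt": b"hi"}),
        "invoice.zip": build_sample({"Invoice.pdf.JS": b"var x = 1;", "readme.txt": b""}),
        "nested.zip": build_sample({"outer.zip": build_sample({"run.vbs": b"WScript.Echo 1"})}),
        "app.js": b"var a = 1;",
    }
    for name, data in samples.items():
        print(f"{name}: block={should_block(data)} entries={script_entries(data)}")
```

The check deliberately keys on the member's last extension rather than the archive name or the MIME type of the download, because that is what Explorer uses when the user double-clicks the extracted file; a plain .js served on its own and a ZIP full of documents both pass, which is the "only in this particular condition" behaviour the question asks for.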
3 REPLIES
Carl_Wallmark
Valued Contributor

Hi,

I have also been looking for this, and it might be possible with an IPS signature, but I don't think there is a way in DLP.

While I'm searching, I have turned off the possibility to run .js files on our computers via "Software Restrictions" in Group Policy Management.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

Hosemacht

Hi,

Unfortunately you are right, there is no way in DLP to solve this.

It would be very appreciated if Fortinet would make an "and"/"or" rule to combine the filters in the sensor.

Your "work around" does it very well, and it doesn't affect the .js files that are executed in the browser, which is what I was afraid of.

Thanks for your comment and for the hint.

Regards

the giraffe that wasnt president

sudo apt-get-rekt
Carl_Wallmark

no problem ;)

 

You can also do the same for .vbs, but make sure no software is using it; otherwise you need to add an exception.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
