Re: Exe file blocking using custom IPS Signature
IMHO IPS is the wrong tool for this. Use Data Leak Prevention (DLP) instead.
Instead of the default application of preventing data transfer from inside to outside, you can use it to prevent transfers in the opposite direction as well. For this, use it in the policy from LAN to WAN (as download sessions are initiated from the LAN).
First, enable the DLP menu item in System > Features.
Then create a DLP sensor, containing a DLP filter (the concept is similar to IPS).
I was happy to see that the DLP can scan data and detect file types instead of looking at the file name/extension only. So I created a filter to block "Executable (exe)" and "Windows Installer Package (msi)".
This works for *.msi files. You can check the correct detection in the logs.
For executables, the file type is detected as "Unknown", and thus transfers are not blocked.
If I add a filename pattern of "*.exe", transfers are blocked. But we all agree that this can be circumvented too easily.
All of this in v6.0.6. Maybe one of you has got an idea why this important file type is not detected.
Ede "Kernel panic: Aiee, killing interrupt handler!"
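The difference between the filename pattern and content-based type detection discussed in the post above, as an added example that is not part of the original post and not FortiOS's own detection logic. It assumes the standard PE layout (MZ header, `e_lfanew` at offset 0x3C, `PE\0\0` signature) and the OLE2 compound-file magic used by .msi packages; function names and sample files are constructed for illustration.

```python
import fnmatch
import struct

# OLE2 compound file magic; .msi packages use this container.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

def type_by_name(filename):
    """Filename-pattern check, like the "*.exe" rule in the post."""
    name = filename.lower()
    for pattern, label in (("*.exe", "exe"), ("*.msi", "msi")):
        if fnmatch.fnmatch(name, pattern):
            return label
    return "unknown"

def type_by_content(data):
    """Classify by leading bytes; the filename is ignored."""
    if data[:8] == OLE2_MAGIC:
        # Legacy Office files share this container; a real filter
        # would also inspect the root storage CLSID.
        return "ole2 (msi candidate)"
    if len(data) >= 0x40 and data[:2] == b"MZ":
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "exe"
        return "mz (dos stub only)"
    return "unknown"

def build_sample_pe():
    """Constructed minimal header: MZ, e_lfanew=0x80, PE signature."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)

def verdicts():
    """Run both checks over constructed samples (name, content)."""
    pe = build_sample_pe()
    msi = OLE2_MAGIC + bytes(504)
    samples = [("setup.exe", pe), ("setup.txt", pe),
               ("pkg.msi", msi), ("notes.txt", b"hello")]
    return [(n, type_by_name(n), type_by_content(d)) for n, d in samples]

if __name__ == "__main__":
    for row in verdicts():
        print("%-10s name=%-8s content=%s" % row)
```

The second sample is the case the filename rule misses: the content check still reports `exe` when the name no longer matches `*.exe`.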