TheESETer 0 Posted May 26, 2021 Share Posted May 26, 2021 Hi, I'm attempting to block the download of executables via ESET. One can find directions here: https://help.eset.com/ees/7/en-US/how_block_file_dwnl.html So, say you want to block .exe files, you setup the URL mask as "*/*.exe". You need that extra "*/" in order to workaround some special domain handling behavior. This blocks any URL that ends in ".exe". The problem I'm running in to is that the file blocking can be bypassed by simply appending a ? to the end of the link, essentially tacking on a dummy querystring. For example, "blah.com/file.exe" would be blocked. "blah.com/file.exe?test" would NOT. One fix is to block "*/*.exe*". That works; it will block both examples above. But... it would also block "blah.com/about.exe.html". Information on the URL mask wildcards can be found here: https://help.eset.com/ees/8/en-US/idh_dialog_epfw_url_address_list.html?idh_dialog_epfw_add_url_addr_mask.html What I need to be able to do is escape the ? symbol, that way I could have two block rules: "*/*.exe" and "*/*.exe?*". The second rule would block any .exe file that is followed by a ?, then any other text. "blah.com/file.exe?test" would be blocked, "blah.com/file.execute.htm" would NOT. Anyone know if this is possible? I already tried using a backslash to escape the ?, like so: "*/*.exe\?*". Didn't work. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,272 Posted May 26, 2021 Administrators Share Posted May 26, 2021 As far as I know only asterisks are supported in the url. However, you will never be able to block download completely because files can be downloaded also if a php or cgi file is opened in a browser (e.g. httts://download.domain.com/download.php?file=123232). Link to comment Share on other sites More sharing options...
TheESETer 0 Posted May 26, 2021 Author Share Posted May 26, 2021 It does support the ? symbol in the URL mask; it represents any one single character. I'm just looking for a way to represent the actual question mark symbol in a URL. It definitely won't be a surefire solution, no matter what. The "download.php?file=123232" example, though, requires the server to be delivering downloads links in that way. The ".exe?test" method, meanwhile, can be applied to any download as an override. So, being able to effectively block the user of querystrings would be great. Link to comment Share on other sites More sharing options...
Recommended Posts