Jump to content

Using ? in URL Masks (not the single-character wildcard)


Recommended Posts

Hi,

I'm attempting to block the download of executables via ESET. One can find directions here: https://help.eset.com/ees/7/en-US/how_block_file_dwnl.html

So, say you want to block .exe files, you setup the URL mask as "*/*.exe". You need that extra "*/" in order to workaround some special domain handling behavior. This blocks any URL that ends in ".exe".

The problem I'm running in to is that the file blocking can be bypassed by simply appending a ? to the end of the link, essentially tacking on a dummy querystring. For example, "blah.com/file.exe" would be blocked. "blah.com/file.exe?test" would NOT.

One fix is to block "*/*.exe*". That works; it will block both examples above. But... it would also block "blah.com/about.exe.html".

Information on the URL mask wildcards can be found here: https://help.eset.com/ees/8/en-US/idh_dialog_epfw_url_address_list.html?idh_dialog_epfw_add_url_addr_mask.html

What I need to be able to do is escape the ? symbol, that way I could have two block rules: "*/*.exe" and "*/*.exe?*". The second rule would block any .exe file that is followed by a ?, then any other text. "blah.com/file.exe?test" would be blocked, "blah.com/file.execute.htm" would NOT.

Anyone know if this is possible? I already tried using a backslash to escape the ?, like so: "*/*.exe\?*". Didn't work.

Link to comment
Share on other sites

  • Administrators

As far as I know only asterisks are supported in the url. However, you will never be able to block download completely because files can be downloaded also if a php or cgi file is opened in a browser (e.g. httts://download.domain.com/download.php?file=123232).

Link to comment
Share on other sites

It does support the ? symbol in the URL mask; it represents any one single character. I'm just looking for a way to represent the actual question mark symbol in a URL.

It definitely won't be a surefire solution, no matter what. The "download.php?file=123232" example, though, requires the server to be delivering downloads links in that way. The ".exe?test" method, meanwhile, can be applied to any download as an override. So, being able to effectively block the user of querystrings would be great.

 

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...