Enforcement based on file analysis
If user traffic passes through Content Gateway or the hybrid service, requested files are analyzed to define their type when all of the following are true:
- A user requests a URL in a permitted category.
- File type blocking is enabled for the category in the active category filter.
- There is no file extension match in a blocked file type (see Enforcement based on file extension).
In this case, the file type returned for policy enforcement describes the purpose or behavior of similar files, independent of extension. So attempts to disguise an executable by giving it a “.txt” or other innocuous file extension are prevented by file type analysis.
File type definitions are maintained in the analytics databases, and may be changed as part of the Content Gateway database or hybrid service update process.
The file types identified by file analysis are:
File Type | Description |
---|---|
Compressed files | Files that have been packaged to take up less space, like ZIP, RAR, or JAR archives. |
Documents | Binary document formats, like DOCX or PDF. |
Executables | Programs that can be run on your machine, like EXE or BAT files. |
Images | Picture formats, like JPG, BMP, and GIF. |
Multimedia | Audiovisual formats, like MP3, WMV, and MOV. |
Rich Internet Applications | Web applications that run in a browser, like Flash. |
Text | Unformatted textual material, like HTML and TXT files. |
Threats | Malicious applications that could harm your machine or network, like spyware, worms, or viruses. |
When a user requests a website, on-premises or hybrid components first determine the site category, and then check for blocked file types (first by extension, then by analysis).
If compressed files are permitted, when a compressed file is selected for download, its contents are analyzed. Policy enforcement is then based on the file type assigned to the content of the compressed archive. For example, if compressed files are permitted, but executable files are blocked, when a user attempts to download a compressed file, the contained files are analyzed. If the compressed file contains an executable file, the download is blocked based on the executable file type. Or if the compressed file contains a file that is determined to be malicious, the download is blocked. Note, however, that if a custom file type is part of the compressed file, the download is not blocked, even if the custom file type should be blocked. Custom file types are restricted to extension-based enforcement.
Analysis of compressed files is not supported for files identified as self-extracting archives.
In addition, the .xz file format is not supported for compressed file analysis.
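The following Python sketch is an added example, not the product's implementation: it classifies a download by its leading bytes instead of its extension and applies the blocked-type check to each member of a ZIP archive, as described above. The signature table, the limits, the function names, and the choice to block archives that cannot be read are assumptions of the example.

```python
import io
import zipfile

# Constructed signature table: a few well-known magic numbers mapped to the
# file type names from the table above (the product's real definitions differ).
MAGIC = [
    (b"MZ", "Executables"),              # Windows PE
    (b"\x7fELF", "Executables"),         # Linux ELF
    (b"%PDF-", "Documents"),
    (b"\xff\xd8\xff", "Images"),         # JPEG
    (b"GIF8", "Images"),
    (b"PK\x03\x04", "Compressed files"), # ZIP and JAR
]
MAX_DEPTH = 3               # assumed nesting limit for this sketch
MAX_MEMBER = 10_000_000     # assumed per-member size cap, in bytes

def classify(data: bytes) -> str:
    """Return a file type from the leading bytes; the file name is ignored."""
    for magic, file_type in MAGIC:
        if data.startswith(magic):
            return file_type
    return "Text" if data.isascii() else "Unknown"

def decide(name, data, blocked, depth=0):
    """Return (allowed, reason), analyzing the members of ZIP archives."""
    file_type = classify(data)
    if file_type in blocked:
        return False, f"{name}: blocked as {file_type}"
    if file_type == "Compressed files":
        if depth >= MAX_DEPTH:
            return False, f"{name}: archive nesting too deep"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for info in archive.infolist():
                    if info.file_size > MAX_MEMBER:
                        return False, f"{info.filename}: member too large"
                    ok, reason = decide(info.filename, archive.read(info), blocked, depth + 1)
                    if not ok:
                        return False, reason
        except (zipfile.BadZipFile, RuntimeError):  # corrupt or encrypted
            return False, f"{name}: archive could not be analyzed"
    return True, f"{name}: permitted"

def make_zip(members):
    """Build a constructed in-memory ZIP from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for member_name, content in members.items():
            archive.writestr(member_name, content)
    return buf.getvalue()
```

Calling `decide("bundle.zip", make_zip({"notes.txt": b"MZ..."}), {"Executables"})` returns a block decision that names the disguised member, even though both the archive type and the `.txt` extension are permitted.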
When a user tries to access a blocked file type, the Reason field on the block page indicates that the file type was blocked (see Block Page Management).
The standard block page is not displayed if a blocked image comprises just a portion of a permitted page. Instead, the image region appears blank. This avoids the possibility of displaying a small portion of a block page in multiple locations on an otherwise permitted page.
To view existing file extensions in a file type, edit file types, or create custom file types for enforcement by extension, go to File Types. See Working with file type definitions for more information.
To enable file type blocking, see Enabling file type blocking in a category filter.