Blocking applications with custom signatures
Custom signatures can be used in application control profiles to block web traffic from specific applications, such as out of support operating systems.
In this example, a custom signature is created to detect PCs running Windows NT 6.1 operating systems, including Windows 7 and Windows Server 2008 R2. The signature is added to an application control profile and the action is set to block. The profile is then used in a firewall policy so that web traffic matching the signature is blocked. The logs generated by this example can be used to help identify other computers that need to be blocked.
To create the custom application signature:
- Go to Security Profiles > Application Signatures and click Create New > Custom Application Signature.
- Enter a name for the custom signature, such as block_nt_6.1.
- Enter the Signature. In this example:
  F-SBID( --attack_id 6483; --name "Windows.NT.6.1.Web.Surfing"; --default_action drop_session; --service HTTP; --protocol tcp; --app_cat 25; --flow from_client; --pattern !"FCT"; --pattern "Windows NT 6.1"; --no_case; --context header; --weight 40; )
  This signature scans HTTP and HTTPS traffic that matches the pattern Windows NT 6.1 in its header. For blocking older versions of Windows, such as Windows XP, you would use the pattern Windows NT 5.1. An attack ID is automatically generated when the signature is created.
- Click OK.
The signature is included in the Custom Application Signature section of the signature list.
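To see which requests the signature above would match, here is an added Python example (not FortiGate code) that parses the F-SBID option string and applies a simplified matching model to constructed HTTP requests. The model assumes that --no_case and --context modify the --pattern that precedes them, that every positive pattern must be present and every negated pattern (here !"FCT") absent, and that a pattern without --context is searched in the whole request.

```python
import re

# The custom signature from the steps above (copied verbatim from the page).
SIGNATURE = ('F-SBID( --attack_id 6483; --name "Windows.NT.6.1.Web.Surfing"; '
             '--default_action drop_session; --service HTTP; --protocol tcp; '
             '--app_cat 25; --flow from_client; --pattern !"FCT"; '
             '--pattern "Windows NT 6.1"; --no_case; --context header; --weight 40; )')

OPTION_RE = re.compile(r'--(\w+)(?:\s+(!?"[^"]*"|[^;]+))?;')
PATTERN_MODIFIERS = {'no_case', 'context'}  # assumed to modify the preceding --pattern

def parse_signature(sig):
    """Split an F-SBID(...) string into its options. Each --pattern becomes a dict;
    --no_case / --context are attached to the pattern that precedes them."""
    body = sig[sig.index('(') + 1:sig.rindex(')')]
    opts = {'patterns': []}
    for key, val in OPTION_RE.findall(body):
        val = val.strip()
        if key == 'pattern':
            opts['patterns'].append({'text': val.lstrip('!').strip('"'),
                                     'negated': val.startswith('!'),
                                     'no_case': False, 'context': None})
        elif key in PATTERN_MODIFIERS and opts['patterns']:
            opts['patterns'][-1][key] = val or True
        else:
            opts[key] = val.strip('"') if val else True
    return opts

def signature_matches(opts, http_request):
    """Simplified matching model (an assumption, not FortiGate's engine): search each
    pattern in its context (header block or whole request); a positive pattern must be
    present and a negated one absent for the signature to fire."""
    header = http_request.split('\r\n\r\n', 1)[0]
    for pat in opts['patterns']:
        needle = pat['text']
        hay = header if pat['context'] == 'header' else http_request
        if pat['no_case']:
            needle, hay = needle.lower(), hay.lower()
        if (needle in hay) == pat['negated']:  # missing positive or present negative
            return False
    return True

# Constructed sample requests, modelled on browser User-Agent strings.
WIN7_REQUEST = ('GET / HTTP/1.1\r\nHost: example.com\r\n'
                'User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) Firefox/68.0\r\n\r\n')
WIN10_REQUEST = WIN7_REQUEST.replace('Windows NT 6.1', 'Windows NT 10.0')
FCT_REQUEST = WIN7_REQUEST.replace('Firefox/68.0', 'FCT/1.0')  # contains the excluded string

if __name__ == '__main__':
    sig = parse_signature(SIGNATURE)
    for name, req in [('win7', WIN7_REQUEST), ('win10', WIN10_REQUEST), ('fct', FCT_REQUEST)]:
        print(name, sig['default_action'] if signature_matches(sig, req) else 'pass')
```

Running it shows the Windows NT 6.1 request hitting drop_session, while the Windows NT 10.0 request and the request containing FCT pass, which is the behaviour to confirm in the logs before widening the pattern to other versions.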
To use the signature in an application control profile:
- Go to Security Profiles > Application Control.
- Create a new profile, or edit an existing one.
- In the Application and Filter Overrides table, click Create New.
- Set Type to Application and Action to Block.
- Select the custom signature from the list, using the search feature if required, then click Add Selected.
- Click OK.
  The signature is added to the table.
- Click OK.
To add the application control profile to a firewall policy:
- Go to Policy & Objects > Firewall Policy.
- Edit the policy that currently allows a connection from the internal network to the internet.
- In the Security Profiles section, enable Application Control and select the profile.
  If deep inspection is not enabled, then only HTTP traffic will be scanned. To scan HTTPS traffic, set SSL Inspection to a profile that includes deep inspection. See SSL & SSH Inspection for more information.
- Click OK.
Results
When a PC running one of the affected operating systems tries to connect to the internet using a web browser, a replacement message is shown. For information on customizing replacement messages, see Replacement messages.
Go to Log & Report > Security Events and open the Application Control card to view the logged web traffic from the PC that was blocked by the application signature.