Enabling File Type Control is always a good idea if your employees like installing new programs from unknown sources. However, in this particular case I wanted to show my neighbor how Zscaler works and how I can prevent my son from downloading executable files. This should be straightforward right? At least, it should be.
I configured the policy quickly (block .exe and .msi) and wanted to show how brilliant it is and when you want to show something quickly of course you don’t have any good examples in your head: what could you possibly download? But not the ex-network engineer that I am. I have a perfect file that I used to download all the time: I can always download Putty right?
So I went to https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html and tried downloading the 64bit .exe file … and I was able to download it just fine. Oops. Not exactly how it should go right? There must be something wrong with my policy right? But it’s as simple as can be: block all .exe and .msi files for any user.
Now, I’m an engineer with many years of experience in the field so I don’t give up easily but I must say I was a bit puzzled. Let’s approach this one methodically, I thought:
– I checked documentation: no other requirements than SSL inspection
– SSL inspection is on, and in Web Insights I can see that for this file download the SSL inspection was a YES.
It was time for radical ideas. It must be a software bug right? Let’s upgrade ZCC from latest 4.8 to latest 4.9. In hindsight: not the best idea, I wasted quite a lot of time and finally downgraded again to 4.8. A blind alley.
Can you already guess what I did wrong here? No? Let’s continue, then.
As I’d run out of ideas at that point, it was time to talk to people who know more: the support team. At the same time I raised a support ticket. It’s kind of desperate to raise a support ticket at a company you work for but desperate times call for desperate measures.
After I’d wasted 3 hours on all that, I finally thought: ok let’s at least try downloading something else, like VLC. It was blocked. Winrar? blocked. Termius? blocked. Any other .exe? blocked.
Then i tried downloading a 32bit version of Putty. Blocked as well. It turned out that the first thing that came to my mind (64bit versions of Putty) were the only .exe and .msi files that won’t work with Zscaler File Type Control. Absolutely unreal.
This story will continue because I worked this one out later after a Red Bull. It seems to be a bug (“malformed” magic bytes are not recognized as such).
My name is Tomek De Wille. Welcome to my blog about Zscaler 