Allow Rule / Action does not whitelist an Archive File


  • Description
    An "Allow" rule of archive files (by file extension or true content type for example) does not white list an archive file and the rest of the policy's rules below it will be implemented on this archive file.

  • Symptoms

    The following example illustrates the symptoms:

    In a customized policy, define an allow rule for archive files (e.g. Zip files) by file extension or true content type for example.

    Locate this rule high up (i.e., with high priority) within the security policy.



    Try to browse to an archive file containing executable files inside it - the file will be blocked.


  • Cause

    If an item is a container that is not a cab or jar, the file extension rule will apply to the archive itself, but then the whole policy will be applied to each item inside the archive.




  • Solution

    There is a possible workaround for this issue:

    1. Create an Allow rule:
      A.   In the "Static Content List" field check on the "Malicious Objects List".
      B.   Check on the "Everything except for the items selected below":

    If you don't want to whitelist embedded archive files within this rule:

    1. Select True Content Type and check Embedded Archives.
    2. Next, check the “except for the items selected below.”

    NOTE: This workaround will no longer work from 8.4.3 with M08 hot-fix installed and above hot-fixes.

    For 8.4.3-M08 and above, please apply the following solution:

    1. Add / move up the "Allow Trusted Sites" rule to the top of your security policy.
      This rule should be defined as follows:
      User Response Action = Allow.
      URL Lists = Trusted Sites.
    2. Add your desired URL to the Lists -> URL Lists -> Trusted Sites.
    3. Apply & commit changes.
  • Software Version
    8.3.x
    8.4.x

  • This article applies to:
    NG 1000
    NG 5000
    NG 8000
    This article was previously published as:
    Finjan KB 1164

    Last Modified 3/23/2009.
    https://support.trustwave.com/kb/KnowledgebaseArticle13121.aspx