How can I download an executable file inside the company network when it's been locked down?

This might seem like a silly (or nefarious) question at first glance, but allow me to elaborate...

We have implemented all sorts of measures on the company network and proxy to prevent the download of certain file types onto company machines. Most files, even zip files with exe's inside, get blocked when clicking to download those files.

But some "enterprising" users still manage to get downloads to work. For example, I was standing behind someone (who didn't know me or which department I worked in), who in front of our eyes changed a URL that ended with ".exe" to ".exe?", and the browser went right ahead and downloaded the "unknown" file type. We've since then plugged this hole, but I'd like to know if anyone else knows of any nefarious means of downloading files bypassing network security and checking software.

Or perhaps if you know of some commercial software that you can swear is bulletproof, and we can trial it for a while.

Any help appreciated...


Solution 1:

Regardless of what technical solution you come up with, someone will find a way around it. If you're serious about this (and not just doing it to discourage casual downloads or fulfill some faceless policy mandate), then please, please,

Talk to your users!

Explain why you're blocking what you're blocking. Help them to understand the importance of it. And then listen to them when they tell you why they still need to download executable files, and help them find a way to do their jobs without making your job harder.


For years, one of our suppliers had a system similar to yours in place. Unfortunately, they were also responsible for providing us with regular updates to their pricing software, and during testing it was common for executables to frequently travel back and forth between our networks. Due to the filters, we all just got in the habit of renaming files (.exe -> .ear, etc.), compressing them, compressing then renaming them, even using personal machines to transfer them... not only subverting the restrictions and amplifying the potential danger to both companies, but also destroying much of our respect for those behind the restrictions.

Finally, someone got the message and set up a secured FTP server for us to use.


It's all too common to focus on the technical side of things, and forget about the resourceful humans who must deal with the consequences of them. Naturally, if you're already doing this, then more power to you!

Solution 2:

Simplest way if you have appropriate access in the outside world: encrypt the file, download it, decrypt it. You may need to change the file extension to something the scanner won't recognise, but basically the content will be "unscannable" assuming you use a reasonable encryption.

Heck, just a password protected zip file might work - if they're not explicitly blocked.

If you go for only allowing content that you understand and approve of, that may well be more effective - and also more painful for all concerned, due to false positives.

Solution 3:

Change the file extension to .pdf. From what I have seen, most checkers will assume that it is a PDF (since PDFs are binary files) and let it through.
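For the asker's side of this, the renaming, `.exe?` and password-protected zip tricks mentioned above all depend on the filter trusting the name or being unable to read the content. The following is an added example, not part of any answer here: a minimal content-based check in Python that ignores the URL and extension, recognises a Windows PE header by its bytes, and refuses anything it cannot inspect. The function names, verdict strings and sample inputs are constructed for illustration.

```python
import io
import struct
import zipfile

def is_pe(head: bytes) -> bool:
    """True if the bytes start with a DOS 'MZ' stub whose e_lfanew points at a PE signature."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def classify(data: bytes) -> str:
    """Verdict from content only; the URL, extension and query string are never consulted."""
    if is_pe(data[:4096]):
        return "block: PE executable"
    if data[:5] == b"%PDF-":
        return "allow: pdf"
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:  # bit 0 = member is encrypted
                        return "block: encrypted zip member, cannot inspect"
                    with zf.open(info) as member:  # read only the leading bytes
                        if is_pe(member.read(4096)):
                            return "block: PE executable inside zip"
        except (zipfile.BadZipFile, NotImplementedError):
            return "block: malformed zip"
        return "allow: zip"
    return "block: unrecognised content"  # allowlist: unknown or opaque bytes are refused

# --- constructed sample inputs (not real files) ---
FAKE_PE = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"

def make_zip(payload: bytes, encrypted: bool = False) -> bytes:
    """Build a one-member zip; optionally set the encryption flag in its directory entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[raw.rfind(b"PK\x01\x02") + 8] |= 0x1
    return bytes(raw)

if __name__ == "__main__":
    samples = {"PE served as report.pdf": FAKE_PE, "PE inside zip": make_zip(FAKE_PE),
               "encrypted zip": make_zip(b"x" * 16, True), "opaque bytes": bytes(range(256))}
    for label, blob in samples.items():
        print(f"{label}: {classify(blob)}")
```

The last rule is the allowlist approach from Solution 2: opaque or encrypted content is refused rather than scanned, which is where the false positives it warns about come from.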

Solution 4:

So it is pretty easy for a [smart] user to set up and use an external proxy. Install something like Proxifier and Http-Tunnel Client and you're good to go. The free proxy servers are slow, but an annual subscription is pretty cheap and gets good performance. This solution effectively creates a private, encrypted, unsecured tunnel through your HTTP channel and there's not a lot you can do about it.