Block Executable File Download in SWA
Available Languages
Introduction
This document describes the process of configuring Secure Web Appliance (SWA) to block downloading executable files.
Prerequisites
Requirements
Cisco recommends knowledge of these topics:
- Access ToGraphic User Interface (GUI)of SWA
- Administrative Access to the SWA.
Components Used
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Before you Begin
Cisco SWA can effectively block the download of executable files by inspecting the (Multipurpose Internet Mail Extensions) MIME type of web content. By identifying file types such as application/x-msdownload, application/x-msi and other related MIME types, SWA enforces policies that prevent executable from being delivered to users. In addition to MIME type detection, SWA can leverage file extension filtering, reputation-based analysis, and custom policy rules to further strengthen protection against unwanted or risky downloads. These capabilities help organizations maintain a secure browsing environment and reduce the risk of malware infections.
application/octet-stream is a generic MIME type used to indicate that a file contains binary data. It does not specify the nature of the file, so it can be used for any file that does not fit a more specific MIME type. This type is commonly assigned to executable files, installers, and other non-text files when the web server cannot determine a more precise type.
Configuration Steps
|
Step 1.Create a Custom URL Category for the website. |
Step 1.1.From the GUI Navigate toWeb Security Manager and chooseCustom and External URL Categories. Step 1.2.ClickAdd Category to create a new Custom URL Category. Step 1.3.EnterNamefor the new category. Step 1.4.Define the domain and/or subdomains of the website that you are trying to block upload traffic (In this example is cisco.local and all its subdomains). Step 1.5.Submitthe changes.
|
|
Step 2.Decrypt the traffic for the URL |
Step 2.1. From the GUI, Navigate toWeb Security Manager and chooseDecryption Policies Step 2.2.Click Add Policy. Step 2.3.EnterName for the new policy. Step 2.4.(Optional) Select theIdentification Profile that you need this policy applies to. Step 2.5.FromPolicy Member Definition section, Click URL Categorieslinks to add the Custom URL Category. Step 2.6.Select the URL Category that was created inStep 1. Step 2.7.ClickSubmit.  Image - Create a Decryption PolicyStep 2.8.InDecryption Policies page, click the link fromURL Filtering for the new policy.
Step 2.9.ChooseDecrypt as the action for Custom URL Category. Step 2.10.ClickSubmit.  Image - Set Decrypt as Action
|
|
Step 3.Block the Executable Files |
Step 3.1.From the GUI, Navigate toWeb Security Manager and chooseAccess Policies. Step 3.2.ClickAdd Policy. Step 3.3.EnterName for the new policy. Step 3.4.(Optional) Select theIdentification Profile that you need this policy applies to. Step 3.5.FromPolicy Member Definition section, Click URL Categories links to add the Custom URL Category. Step 3.6.Select the URL Category that was created inStep 1. Step 3.7.ClickSubmit.  Image - Access PolicyStep 3.8.InAccess Policies page, make sure theURL Filtering action is set to Monitor. Step 3.9. InAccess Policies page, click the link from Objects for the new policy.  Image - Select the ObjectsImage - Select the URL Filtering Step 3.10. From the drop down menu choose Define Custom Objects Blocking Settings.
Step 3.11.ClickExecutable Code to select the types of Objects you want to block. Step 3.12.Click Installers to select the types of Objects you want to block. Step 3.13. Additionally you can enter the MIME types of the files you want to block in the Custom MIME Types section.  Image - Configuring Objects to Block
Step 3.14.Submit. Step 3.15.Commit changes. |
Validation of File Extension Blocking
In this example, when a user tries to download an executable file, this warning page is displayed:
Image - Blocking Notification Page
From the access logs, you can see two log lines related to the traffic.
The first log line is related to the Decryption Policy (Name: DecryptingTraffic) that is decrypting the Traffic. The action is DECRYPT_CUSTOMCAT
The second Access Log line is related to the Access Policy (Name: Block_Exec) that we created in Step.3. The action is BLOCK_ADMIN_FILE_TYPE
| Policy | Access Log |
|
Decryption Policy |
1772186569.823 182 10.48.48.192 TCP_MISS_SSL/200 39 CONNECT tunnel://amojarra.cisco.local:443/ - DIRECT/amojarra.cisco.local - DECRYPT_CUSTOMCAT_7-DecryptingTraffic-DefaultGroup-NONE-NONE-NONE-LAB_Access-NONE <"C_Cate",-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"-",-,"-","-","-","-","-","-","-",1.71,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-,-> - - |
|
Access Policy |
1772186576.735 2242 10.48.48.192 TCP_DENIED_SSL/403 0 GET https://amojarra.cisco.local:443/1mb.exe - DIRECT/amojarra.cisco.local application/x-msdos-program BLOCK_ADMIN_FILE_TYPE_12-Block_Exec-DefaultGroup-NONE-NONE-NONE-LAB_Access-NONE <"C_Cate",ns,0,"-",0,0,0,-,"-",-,-,-,"-",-,-,"-","-",-,-,"nc",-,"-","-","-","Unknown","Unknown","-","-",0.00,0,-,"Unknown","-",-,"-",-,-,"-","-",-,-,"-",-,-> - - |
Related Information
- User Guide for AsyncOS 15.2 for Cisco Secure Web Appliance
- Cisco Secure Email and Web Virtual Appliance Installation Guide
- Configure Custom URL Categories in Secure Web Appliance - Cisco
-
Configure SCP Push Logs in Secure Web Appliance with Microsoft Server
-
Enable Specific YouTube Channel/Video and Block Rest of YouTube in SWA
Revision History
| Revision | Publish Date | Comments |
|---|---|---|
1.0 |
27-Feb-2026
|
Initial Release |
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)