Microsoft Internet Security and Acceleration Server 2000
The ExeBlock sample filter demonstrates the use of data filters and hooking into the Firewall service thread pool. The filter hooks the FTP control channel (TCP port 21). The control-channel data filter (CEBFTPDataFilter) records the PORT and PASV commands, which tell it the address and port of the data connection that will follow, and then calls the IFWXSession::SetDataFilterFactory method to register a factory for that connection.
When the secondary (data) connection is made or accepted, the Firewall service calls the registered COM class factory, which creates a scanner data filter (CEBScannerDataFilter) and attaches it to the new connection. That filter scans the incoming file.
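The bookkeeping the control-channel filter has to do before it can register a factory is recovering the data-connection endpoint from the FTP exchange. The following is an added stand-alone example in C++, not code from the ExeBlock sample and not using the IFWX interfaces: it parses the PORT command a client sends and the 227 reply a server returns to PASV, both in the RFC 959 "h1,h2,h3,h4,p1,p2" form. The sample lines are constructed for the example.

```cpp
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

// Endpoint of an FTP secondary (data) connection recovered from the control
// channel.  After PORT the server connects to the client's endpoint; after a
// 227 PASV reply the client connects to the server's endpoint.
struct DataEndpoint {
    std::string ip;       // dotted quad, e.g. "10.0.0.5"
    uint16_t port = 0;    // host byte order
    bool active = false;  // true for PORT (active mode), false for PASV
};

// Case-insensitive prefix test; FTP commands are case-insensitive.
static bool hasPrefixNoCase(const std::string& s, const char* prefix) {
    size_t n = std::strlen(prefix);
    if (s.size() < n) return false;
    for (size_t i = 0; i < n; ++i)
        if (std::toupper(static_cast<unsigned char>(s[i])) !=
            std::toupper(static_cast<unsigned char>(prefix[i])))
            return false;
    return true;
}

// Parse the "h1,h2,h3,h4,p1,p2" host-port form shared by PORT and the 227
// reply.  Every field must be a single octet; the port is p1*256 + p2.
static bool parseHostPort(const char* s, bool active, DataEndpoint& out) {
    unsigned v[6];
    if (std::sscanf(s, "%u,%u,%u,%u,%u,%u",
                    &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]) != 6)
        return false;
    for (unsigned x : v)
        if (x > 255) return false;       // reject malformed octets
    unsigned port = v[4] * 256 + v[5];
    if (port == 0) return false;         // port 0 is never a usable endpoint
    char ip[16];                         // "255.255.255.255" plus NUL
    std::snprintf(ip, sizeof ip, "%u.%u.%u.%u", v[0], v[1], v[2], v[3]);
    out.ip = ip;
    out.port = static_cast<uint16_t>(port);
    out.active = active;
    return true;
}

// Client -> server line such as "PORT 10,0,0,5,4,1\r\n".
bool parsePortCommand(const std::string& line, DataEndpoint& out) {
    if (!hasPrefixNoCase(line, "PORT ")) return false;
    return parseHostPort(line.c_str() + 5, true, out);
}

// Server -> client reply such as
// "227 Entering Passive Mode (192,168,1,20,195,80).\r\n".  Servers differ in
// the text around the numbers, so locate the first digit after the reply
// code instead of relying on the parentheses.
bool parsePasvReply(const std::string& line, DataEndpoint& out) {
    if (!hasPrefixNoCase(line, "227 ")) return false;  // 227 = PASV accepted
    size_t pos = line.find_first_of("0123456789", 4);
    if (pos == std::string::npos) return false;
    return parseHostPort(line.c_str() + pos, false, out);
}
```

A check worth adding in a real filter: compare the address in a PORT command with the client's own address and the address in a 227 reply with the server's control-channel address, and refuse the secondary connection on mismatch; otherwise either peer can direct the data connection at a third host.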
This sample blocks every executable file, identified as any file whose first two bytes are MZ or ZM, unless a protocol rule allows a specific user to receive executable files. For a SecureNAT client the user must be identified by Internet Protocol (IP) address; for a Firewall client, by user name. Because SecureNAT clients are not authenticated, an IP-based exception applies to whatever sends from that address, whereas a user-name exception applies only to the authenticated Firewall client user. The check looks at the leading signature only, so it recognizes MZ-headed (DOS and PE) executables and nothing else.
The protocol rule must be added to the Protocol Rules in the ISA console.
The scanner data filter writes the incoming data to a temporary file until the whole file has been downloaded, and then scans it. Only if the file passes is it forwarded to the internal client; until then the client receives no data.
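The scanner's decision, as an added stand-alone example in C++ rather than the sample's own code: the ExeAllowList and ClientIdentity types are hypothetical stand-ins for the ISA protocol rule and the session's client information, the executable test is the MZ/ZM signature check described above, and an in-memory buffer stands in for the temporary file. Sample file contents and identities are constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <set>
#include <string>
#include <vector>

// How the Firewall service identified the downloading client.  A SecureNAT
// client is unauthenticated and known only by source IP; a Firewall client
// is authenticated and known by user name.
struct ClientIdentity {
    bool firewallClient;     // true: Firewall client, false: SecureNAT client
    std::string userName;    // used when firewallClient
    std::string ipAddress;   // used when !firewallClient
};

// Hypothetical stand-in for the ISA protocol rule that permits executables:
// keyed by user name for Firewall clients and by IP address for SecureNAT
// clients, the two identifiers the rule can name.
struct ExeAllowList {
    std::set<std::string> users;
    std::set<std::string> ips;
    bool permits(const ClientIdentity& c) const {
        return c.firewallClient ? users.count(c.userName) != 0
                                : ips.count(c.ipAddress) != 0;
    }
};

// The sample's executable test: the file begins with the DOS/PE magic "MZ"
// or its byte-swapped form "ZM".  Fewer than two bytes cannot match.
bool looksLikeExecutable(const std::vector<uint8_t>& file) {
    if (file.size() < 2) return false;
    return (file[0] == 'M' && file[1] == 'Z') ||
           (file[0] == 'Z' && file[1] == 'M');
}

enum class Verdict { Deliver, Block };

// Decision taken once the whole file has been buffered.
Verdict scanBufferedFile(const std::vector<uint8_t>& file,
                         const ClientIdentity& client,
                         const ExeAllowList& allow) {
    if (!looksLikeExecutable(file)) return Verdict::Deliver;
    return allow.permits(client) ? Verdict::Deliver : Verdict::Block;
}

// Models the scanner data filter's buffering: each data-channel buffer the
// Firewall service hands over is appended (the vector stands in for the
// sample's temporary file) and nothing is forwarded to the client until end
// of data, when the verdict is produced.  Because the signature is checked
// on the assembled buffer, it is found even when the first two bytes arrive
// in separate buffers.
class ScannerBuffer {
public:
    void onData(const uint8_t* p, size_t n) { buf_.insert(buf_.end(), p, p + n); }
    Verdict onEndOfData(const ClientIdentity& c, const ExeAllowList& a) const {
        return scanBufferedFile(buf_, c, a);
    }
    size_t bufferedBytes() const { return buf_.size(); }
private:
    std::vector<uint8_t> buf_;
};
```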
Limitations:
The ExeBlock sample uses the following methods:
IFWXConnection::AttachDataFilter
IFWXExternalIOCompletion::CompleteAsyncIO
IFWXIOBuffer::GetBufferAndSize
IFWXIOCompletion::CompleteAsyncIO
IFWXOverlapped::SetNotificationInterface
IFWXSession::SetDataFilterFactory
IFWXSessionFilter::FirewallEventHandler
IFWXFilterAdmin::InstallFilter
IFWXFilterAdmin::RegisterProtocolForFilter
IFWXFilterAdmin::UninstallFilter
IFWXFirewall::CreateConstBuffer
IFWXFirewall::CreateOverlapped
IFWXFirewall::DuplicateFilterHookEvents
IFWXFirewall::HookToCompletionPort