How to block outgoing files on QQ and WeChat while allowing screenshots to be sent

We often need QQ and WeChat at work to communicate and send screenshots, but their convenient file-transfer function poses a challenge to enterprise information security. Many users have asked how to block outgoing files on QQ and WeChat while keeping the screenshot function, so our technicians ran targeted tests.

In this article, I will introduce how to use the WSG hardware gateway (WFilter NGF) to block QQ and WeChat outgoing files, while retaining the screenshot function.

Communication protocol analysis

First of all, screenshots and files sent by QQ and WeChat travel over the same data channel, so they cannot be distinguished by IP address, communication port, or protocol characteristics. Instead, we use a special feature of WSG behavior management: blocking suspected file uploads.

Characteristic analysis of sending pictures and sending files on QQ and WeChat

According to our test, we need to pay attention to the following points:
1. When QQ uploads a file, it uses fragmented transmission; each fragment is about 512K bytes.
2. A QQ screenshot image ranges in size from tens of K to 300K.
3. A WeChat screenshot image is between 100K and 300K in size.
4. A picture sent by QQ is about half the data size of one sent by WeChat.


Therefore, we recommend using intelligent filtering to prohibit suspected uploads that exceed 400KB. In our tests this achieved the desired effect. The threshold cannot be set higher than 500K; otherwise QQ's file fragments (about 512K each) fall under the limit and the file is transmitted piece by piece.
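
A small model of the size rule above, as an added example that is not from the original article or from WFilter. It assumes the gateway compares each upload (each QQ fragment separately) with the threshold and that K means 1024 bytes; the sample sizes are constructed.

```python
KB = 1024                      # assumption: the article's "K" is 1024 bytes
QQ_FRAGMENT = 512 * KB         # article: QQ sends files in ~512K fragments
SCREENSHOT_MAX = 300 * KB      # article: screenshots are at most ~300K

# Constructed sample traffic: (label, kind, total size in bytes)
SAMPLES = [
    ("qq screenshot", "screenshot", 60 * KB),
    ("wechat screenshot", "screenshot", 280 * KB),
    ("qq 5 MB file", "file", 5 * 1024 * KB),
]


def qq_fragments(file_size):
    """Upload sizes the gateway would see for one QQ file transfer."""
    full, rest = divmod(file_size, QQ_FRAGMENT)
    return [QQ_FRAGMENT] * full + ([rest] if rest else [])


def blocked(upload_size, threshold):
    """Rule under test: block a suspected upload larger than the threshold."""
    return upload_size > threshold


def evaluate(threshold):
    """Map each sample to 'sent' or 'stopped' at the given threshold."""
    result = {}
    for label, kind, size in SAMPLES:
        uploads = qq_fragments(size) if kind == "file" else [size]
        # One blocked fragment is enough to break the whole transfer.
        stopped = any(blocked(u, threshold) for u in uploads)
        result[label] = "stopped" if stopped else "sent"
    return result


def threshold_is_sound(threshold):
    """True when all screenshots pass and every full QQ fragment is blocked."""
    return SCREENSHOT_MAX <= threshold < QQ_FRAGMENT


if __name__ == "__main__":
    for t in (200, 400, 600):
        print(f"{t}K sound={threshold_is_sound(t * KB)} {evaluate(t * KB)}")
```

Run as a script, it prints the outcome for thresholds of 200K, 400K and 600K; only the middle value lets both screenshots through while stopping the file.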


Effect test

The specific test results are as follows:

[Two screenshots of the test results]





Origin blog.51cto.com/12800391/2488064