This might seem like a silly (or nefarious) question at first glance, but allow me to elaborate...
We have implemented all sorts of measures on the company network and proxy to prevent the download of certain file types onto company machines. Most files, even zip files with exes inside, get blocked when clicking to download those files.
But some "enterprising" users still manage to get downloads to work. For example, I was standing behind someone (who didn't know me or which department I worked in), who in front of our eyes changed a URL that ended with ".exe" to ".exe?", and the browser went right ahead and downloaded the "unknown" file type. We have since plugged this hole, but I'd like to know if anyone else knows of any nefarious means of downloading files bypassing network security and checking software.
Or perhaps if you know of some commercial software that you can swear is bulletproof, and we can trial it for a while.
Any help appreciated...
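The ".exe?" trick in the question works because the filter matches on how the raw URL string ends rather than on the file name in the URL path. Below is an added example, not code from the question or any answer, that puts that brittle rule next to one that parses and decodes the path first. The host name, the blocked-extension list and the sample URLs are constructed for illustration.

```python
"""Added example, not code from the question or any answer: a URL filter of
the kind the question describes, which only looks at how the URL string
ends, next to one that looks at the decoded path component. Host names,
the blocked-extension list and the sample URLs are constructed."""
import posixpath
import re
from urllib.parse import unquote, urlsplit

BLOCKED_EXTENSIONS = {".exe", ".msi", ".bat", ".cmd", ".scr", ".dll"}

# The brittle rule: "does the URL end in a blocked extension?"
NAIVE_RULE = re.compile(r"\.(exe|msi|bat|cmd|scr|dll)$", re.IGNORECASE)


def naive_block(url: str) -> bool:
    """True when the raw URL string ends with a blocked extension."""
    return NAIVE_RULE.search(url) is not None


def robust_block(url: str) -> bool:
    """True when the file name in the decoded URL *path* has a blocked
    extension. Query string and fragment are ignored, so 'setup.exe?',
    'setup.exe?dl=1' and 'setup.exe#x' all resolve to the same name;
    percent-encoding ('%2E' for '.') and letter case are normalised."""
    parts = urlsplit(url.strip())
    name = posixpath.basename(unquote(parts.path))
    _, ext = posixpath.splitext(name)
    return ext.lower() in BLOCKED_EXTENSIONS


# Constructed sample URLs; the second one is the exact trick from the question.
SAMPLE_URLS = [
    "http://files.example.test/setup.exe",
    "http://files.example.test/setup.exe?",
    "http://files.example.test/setup.exe?dl=1",
    "http://files.example.test/SETUP.EXE",
    "http://files.example.test/setup%2Eexe",
    "http://files.example.test/setup.exe#download",
    "http://files.example.test/readme.txt?name=setup.exe",
]


def compare(urls=SAMPLE_URLS):
    """Map each URL to (naive verdict, path-based verdict)."""
    return {u: (naive_block(u), robust_block(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, robust) in compare().items():
        print(f"{'naive=' + str(naive):<12} {'path=' + str(robust):<12} {url}")
```

The last sample URL shows the limit of any name-based rule: when the file name only appears in the query string (a download script taking the name as a parameter), the path-based rule lets it through and the string-suffix rule blocks a text file. At that point only the content of the response can decide, which is what the magic-byte check further down addresses.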
Regardless of what technical solution you come up with, someone will find a way around it. If you're serious about this (and not just doing it to discourage casual downloads or fulfill some faceless policy mandate), then please, please,
Talk to your users!
Explain why you're blocking what you're blocking. Help them to understand the importance of it. And then listen to them when they tell you why they still need to download executable files, and help them find a way to do their jobs without making your job harder.
For years, one of our suppliers had a system similar to yours in place. Unfortunately, they were also responsible for providing us with regular updates to their pricing software, and during testing it was common for executables to frequently travel back and forth between our networks. Due to the filters, we all just got in the habit of renaming files (.exe -> .ear, etc.), compressing them, compressing then renaming them, even using personal machines to transfer them... not only subverting the restrictions and amplifying the potential danger to both companies, but also destroying much of our respect for those behind the restrictions.
Finally, someone got the message and set up a secured FTP server for us to use.
It's all too common to focus on the technical side of things, and forget about the resourceful humans who must deal with the consequences of them. Naturally, if you're already doing this, then more power to you!
Simplest way if you have appropriate access in the outside world: encrypt the file, download it, decrypt it. You may need to change the file extension to something the scanner won't recognise, but basically the content will be "unscannable" assuming you use a reasonable encryption.
Heck, just a password protected zip file might work - if they're not explicitly blocked.
If you go for only allowing content that you understand and approve of, that may well be more effective - and also more painful for all concerned, due to false positives.
Change the file extension to .pdf. From what I have seen, most checkers will assume that it is a PDF (since PDFs are binary files) and let it through.
So it is pretty easy for a [smart] user to set up and use an external proxy. Install something like Proxifier and Http-Tunnel Client and you're good to go. The free proxy servers are slow, but an annual subscription is pretty cheap and gets good performance. This solution effectively creates a private, encrypted, unsecured tunnel through your HTTP channel and there's not a lot you can do about it.
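Both the password-protected zip trick in the answer before this one and the rename-to-.pdf trick in this answer defeat a filter that trusts the file name. The added example below, not code from any answer in the thread, classifies a download by its leading bytes instead, looks inside plain ZIP archives, and refuses archives whose entries carry the "encrypted" flag, since a scanner cannot inspect those. All sample payloads are constructed in memory; the magic numbers are the standard ones for PE, ELF, PDF and ZIP.

```python
"""Added example, not code from any answer in the thread: classify a download
by its leading bytes instead of its name (catches an .exe renamed to .pdf or
.ear), look inside plain ZIP archives, and refuse archives whose entries are
flagged as encrypted, since a scanner cannot inspect those. All sample
payloads are constructed in memory."""
import io
import struct
import zipfile

# Leading bytes that identify a format regardless of the file name.
MAGIC = (
    (b"MZ", "pe-executable"),       # DOS/Windows executables and DLLs
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
)
EXECUTABLE_KINDS = {"pe-executable", "elf-executable"}


def sniff(data: bytes) -> str:
    """Return the format implied by the first bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def classify_download(name: str, data: bytes) -> str:
    """Return 'allow' or a 'block: ...' reason for a file named `name`
    with content `data`. The name is only used to spot a claimed PDF."""
    kind = sniff(data)
    if kind in EXECUTABLE_KINDS:
        return "block: executable content"
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Bit 0 of the general-purpose flag marks an encrypted entry.
                if info.flag_bits & 0x1:
                    return "block: encrypted archive entry cannot be scanned"
                if sniff(zf.read(info)) in EXECUTABLE_KINDS:
                    return "block: executable inside archive"
        return "allow"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext == "pdf" and kind != "pdf":
        return "block: extension/content mismatch"
    return "allow"


def build_zip(entry_name: str, payload: bytes, encrypted: bool = False) -> bytes:
    """Build a one-entry ZIP in memory. zipfile cannot write password-
    protected archives, so for the encrypted case the 'encrypted' flag bit
    is set by hand in the local header (offset 6) and the central-directory
    entry (offset 8); the bytes stay in the clear, but the archive carries
    exactly the flag a scanner sees on a real password-protected ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(entry_name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            (flags,) = struct.unpack_from("<H", data, pos + flag_offset)
            struct.pack_into("<H", data, pos + flag_offset, flags | 0x1)
    return bytes(data)


# Constructed payloads.
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60   # starts like a PE file
FAKE_PDF = b"%PDF-1.4\n%constructed\n"

if __name__ == "__main__":
    for name, data in [
        ("report.pdf", FAKE_EXE),                                      # renamed .exe
        ("report.pdf", FAKE_PDF),
        ("tools.zip", build_zip("tool.ear", FAKE_EXE)),                # renamed inside a zip
        ("tools.zip", build_zip("tool.exe", FAKE_EXE, encrypted=True)),
        ("docs.zip", build_zip("readme.txt", b"plain text")),
    ]:
        print(f"{name:<12} {classify_download(name, data)}")
```

The encrypted archive is the one case this code cannot look into, so refusing it outright is the practical answer to the password-protected zip suggestion; the policy question of whether that is acceptable for your users is the one the first answer raises. A production scanner would additionally recurse into nested archives and enforce size limits on what it decompresses.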
You might be going at this the wrong way. Windows Active Directory will allow you to set a policy to block specific executable files or, more practically, only allow certain executable files to run. You have to spend a bit of time making sure that all your applications are in the exceptions list, but then you can simply stop every other executable being run.
I know a top of the line web filtering solution like Websense can do this. You can set a filter extension up and since it's capable of doing regex, you can stop those simple little tricks.
However, where there's a will, there's a way. So you'll need to have a strong Internet usage policy with teeth that the management chain actually backs and enforces and you'll need to mine the results of your web filtering to see if anyone is figuring out other ways of bypassing your chosen solution.
Another way is via passive FTP. Most networks allow all outbound connections to leave the firewall from inside and return. Regular FTP will use one connection port and then one data transport port which is easy to block on a firewall because the second data port is initiated on the outside. Passive FTP however, initiates the data transfer port from the inside pc, which is allowed under most default firewall configurations...at least in the Cisco world.
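The point of the answer above is who opens the data connection: in active mode the client sends PORT and the server connects back in, which a default-deny inbound rule stops; in passive mode the client sends PASV and connects out to the address the server advertises, which a default allow-outbound rule permits. The added example below, not code from the thread, walks both exchanges from the control-channel messages. Addresses, ports and replies are constructed, and the firewall policy is modelled by two booleans.

```python
"""Added example, not from the thread: why active FTP is stopped by a
default-deny inbound firewall while passive FTP is not, shown from the
control-channel exchange. Addresses, ports and replies are constructed."""
import re

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply, control_peer=None):
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, port).
    If control_peer is given, refuse an advertised host that differs from the
    server the control connection is talking to: a careful client does not
    let the server redirect the data connection to a third host."""
    if not reply.startswith("227"):
        raise ValueError("not a PASV reply: %r" % reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("no address in PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    host, port = "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2
    if control_peer is not None and host != control_peer:
        raise ValueError("PASV reply advertises %s, control peer is %s" % (host, control_peer))
    return host, port


def build_port_command(client_ip, port):
    """Active mode: the client tells the server where to connect *back* to."""
    if not 0 < port < 65536:
        raise ValueError("bad port %r" % port)
    return "PORT %s,%d,%d" % (client_ip.replace(".", ","), port // 256, port % 256)


def simulate_retr(mode, client_ip="10.0.0.5", server_ip="203.0.113.10",
                  inbound_allowed=False, outbound_allowed=True):
    """Return (transfer_succeeds, transcript) for one RETR. The client-side
    firewall is modelled by the two booleans; the defaults are the policy
    described in the answer: inbound denied, outbound allowed."""
    t = []
    if mode == "active":
        data_port = 50101
        t.append("C> " + build_port_command(client_ip, data_port))
        t.append("S> 200 PORT command successful")
        t.append("C> RETR setup.exe")
        # The server opens server_ip:20 -> client_ip:data_port: inbound at the client.
        t.append("   data: %s:20 -> %s:%d (inbound at client)" % (server_ip, client_ip, data_port))
        ok = inbound_allowed
    elif mode == "passive":
        t.append("C> PASV")
        reply = "227 Entering Passive Mode (%s,195,149)" % server_ip.replace(".", ",")
        t.append("S> " + reply)
        host, port = parse_pasv_reply(reply, control_peer=server_ip)
        t.append("C> RETR setup.exe")
        # The client opens an ephemeral port -> host:port: outbound from the client.
        t.append("   data: %s -> %s:%d (outbound from client)" % (client_ip, host, port))
        ok = outbound_allowed
    else:
        raise ValueError("mode must be 'active' or 'passive'")
    return ok, t


if __name__ == "__main__":
    for mode in ("active", "passive"):
        ok, transcript = simulate_retr(mode)
        print("%s mode -> %s" % (mode, "transfer succeeds" if ok else "blocked"))
        print("\n".join(transcript))
```

The consequence for the questioner: an inbound-only firewall rule does nothing against passive transfers, because every connection is initiated from the inside. Restricting outbound connections (or inspecting the FTP control channel so the firewall knows which data ports are legitimate) is what actually closes this path.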
You may be able to boot from a LiveCD and use wget to download files that are blocked by client-side Windows measures. If the files are still blocked by the network then you may be able to start a VPN tunnel to another machine and download them through that.