topic Re: best way to block new zip domain in Firewall and Security Management

best way to block new zip domain

emiliano_mastro — Fri, 02 Jun 2023 07:06:18 GMT

hi guys,
I have read about a new phishing technique called "file archiver in the browser" can be leveraged to "emulate" a file archiver software in a web browser when a victim visits a .ZIP domain, so I would like block any sites of the .zip domain on my R81.10 firewall.

What is the best way to do that without taking a lot of resources of the firewall?

I was thinking using "custom application site" without regex *.zip

On my firewall I have all capabilities enabled (url filtering, and application control, https inspection).

thanks a lot

Re: best way to block new zip domain

PSushko — Fri, 02 Jun 2023 13:23:19 GMT

Personally, I was hoping I could do it with a simple *.zip in a custom application, but that ended up matching regular zip file downloads, and even googling of the string ".zip". I then tried with a much more complex regex: /^(?:(?!-)[A-Za-z0-9-]{1,63}(?<!-)\.)+(zip|mov)$/ (without the /, simply used those to delimit the regex in this comment).

But policy fails to push with this regex. It might be too complex for CheckPoint. I have a ticket open, I'll keep you updated on the results.

Re: best way to block new zip domain

the_rock — Fri, 02 Jun 2023 13:54:03 GMT

Thats exactly how I blocked it in my R81.20 lab with https inspection enabled and once tested, it was indeed blocked fine. Not sure if there is more 'official" way of doing it though : - )

Andy

Re: best way to block new zip domain

PSushko — Fri, 02 Jun 2023 14:26:58 GMT

On R80.40 setting up a custom application/site with "*.zip" non-regex expression with HTTPS inspection enabled hits on every request that has .zip in it (i.e.: test.zip {good}, test.com/test.zip {bad}, test.com/test?q=test.zip {bad}).

Re: best way to block new zip domain

the_rock — Fri, 02 Jun 2023 18:47:33 GMT

I believe ya, as I only tested on R81.20, so its most likely different.

Andy

Re: best way to block new zip domain

Bob_Zimmerman — Fri, 02 Jun 2023 20:39:19 GMT

I recently explored the Custom Application/Site expression matching pretty extensively and arrived at this set of expressions. Later in the thread (currently the bottom-most post), I also described my findings after enabling HTTPS Inspection.

Re: best way to block new zip domain

emiliano_mastro — Mon, 05 Jun 2023 09:54:25 GMT

Hi,

I have just tried, on R81.10, an Application/Site rule *.zip (no regex), but unfortunately it doesn't work well because it blocks even zip files

Re: best way to block new zip domain

the_rock — Mon, 05 Jun 2023 11:03:14 GMT

I will try later today with R81.10, but logically, unless you have content awareness blade enabled to block.zip extension, app control/urlf should not block it.

Andy

Re: best way to block new zip domain

Bob_Zimmerman — Mon, 05 Jun 2023 13:39:06 GMT

Put a slash after it, as I described in the most recent post in the thread I linked.

*.zip/

Re: best way to block new zip domain

PSushko — Mon, 05 Jun 2023 14:57:16 GMT

This works for me!

Re: best way to block new zip domain

the_rock — Mon, 05 Jun 2023 15:10:05 GMT

I tested it exactly way you described and was fine, even in R81.10. But. as @Bob_Zimmerman advised, if it works with /, then use that.

Andy

Re: best way to block new zip domain

emiliano_mastro — Mon, 05 Jun 2023 15:33:22 GMT

Yessss, adding the slash (*.zip/) it works well !!!

thanks a lot

Re: best way to block new zip domain

Yuber_Sierra_av — Mon, 05 Jun 2023 15:35:10 GMT

I found the following regex in another topic, and worked for me:

Just replace TLD with a domain you want to match.

^[^:\/]+:\/?\/?[^\/]+\.TLD\/

Regex for TLD Blocks - Check Point CheckMates

Re: best way to block new zip domain

Bob_Zimmerman — Mon, 05 Jun 2023 16:08:29 GMT

That's a lot messier than it needs to be. Almost none of the backslashes are needed. It also matches exactly one subdomain. www.somesite.tld would not be matched. Here's a better version, which is basically what I wrote in the linked post:

^[^:]+?://([^/]+?\.)+TLD/

It matches the scheme non-greedily, which will be faster in almost all cases. It removes the optionality for the slashes in the :// separator between the scheme and the domain, since they are always present in the input space. Finally, it requires one subdomain but matches any number.