topic Re: Zero Phishing Exceptions in Endpoint

Zero Phishing Exceptions

Stuart_Green — Tue, 02 Apr 2019 15:24:13 GMT

Hi,

Is it possible to configure exceptions for Zero Phishing?

This scenario exists where a customer doesn't want the Zero Phishing browser plugin to prompt for internal websites - i.e. ones behind their firewall on internal servers.

Yes, I get that this introduces the scenario where they could be redirected to an external site masquerading as an internal site but asking the question anyway...

TIA

Re: Zero Phishing Exceptions

PhoneBoy — Tue, 02 Apr 2019 22:24:22 GMT

Do you have the relevant domain configured here?

Re: Zero Phishing Exceptions

Stuart_Green — Tue, 02 Apr 2019 22:46:53 GMT

Hmmm, no, that didn’t suggest an exclusion.

So if a domain/IP address is entered in that box, the zero phishing browser plugin won’t scan it?

If so, rather than “Protected” should it not say “Excluded”?

Re: Zero Phishing Exceptions

PhoneBoy — Tue, 02 Apr 2019 23:46:18 GMT

I'm not 100% sure it's an exclusion, but it makes sense you'd want to configure this option anyway.
Specifically, it's to make sure users are NOT using their corporate credentials on an external site.
When credentials are entered on an internal site, the domains of which are configured here, a hash of the password is stored.
If that password is used on an external site, then the user is alerted.

Re: Zero Phishing Exceptions

David_Levine — Fri, 24 May 2019 16:58:36 GMT

Per the documentation for the Zero Phishing functionality:

Protected Domains - Add domains for which Password Reuse Protection is enforced.
SandBlast Agent keeps a cryptographic secure hash of the passwords used in these domains
and compares them to passwords entered outside of the protected domains

So, this dialog box is definitely about corporate password reuse, and is not about exclusions.

The SBA TE blade does have an exclusion configuration option... by default it is set to "Inspect all domains and files", but there is a dialog box to add exclusions there. I am not sure if these exclusions would be used by the browser extension / Zero Phishing feature though...

I did just have a Business Dev Director approach me and say that this was a problem for him as he was demoing websites for prospective customers and the "Scanning..." thing that Zero Phishing does on web forms "...did not look good...". <sigh>

Hopefully the exclusion setting will apply to the Zero Phishing feature, or I may need to add policy to disable this for a group of users / computers.

Re: Zero Phishing Exceptions

Christopher_To — Fri, 24 Jan 2020 16:01:01 GMT

Has this been confirmed? Does adding the domain in this exclusions list apply to the Zero Phishing/Password Reuse feature?

Re: Zero Phishing Exceptions

Talya_Ariel — Sun, 26 Jan 2020 11:09:30 GMT

Hi,

The answer is yes.

How to exclude a domain from "Zero Phishing", "Password Reuse" or "File Download Protection" (TE/TEX) functionality:

Suppose you want to exclude "gmail.com" and all its sub domains:
in the smart endpoint server, go to the policy tab, and edit the “Inspect all domains and files” option:

Add “.gmail.com” as excluded domain.

Install policy, make sure your VM agent got the updated policy.
From task manager – close all chrome\IE processes
Start again chrome\IE browser

Verify that the correct “protected domain” was configured:
Note that the domain has to be the same one that the login form is submitted to. Some customers might have the login form in an iframe from a different domain than the one in the address bar.
When defining a domain for exclusion\protection, you should only consider the domain portion of the URL (shown in bold): https://www.checkpoint.com:8080/path/to/page
A domain will be classified as excluded\protected, if any entry in the exclusion list is a suffix of it.
For example, if the exclusion list contains the entry .checkpoint.com, then www.checkpoint.com will be excluded.
The exclusion list may also contain a regular expressions.
Such regular expression must span the whole string.
For example: .*\.checkpoint\.co\..*
will match: www.checkpoint.co.uk

www.checkpoint.co.il

mail.checkpoint.co.uk

           mail.checkpoint.co.il etc.
           The most common use is to exclude a domain and its sub domains,
            example : in order to excluded checkpoint.com and all its sub domains,
             the user should insert: .checkpoint.com

Make sure you login to the protected domain after the policy on the client was updated with the protected domains list
make sure the excluded domain is updated in the excluded_domains entry in the registry.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\<Extension ID>\policy\
e.g.
Make sure you have waited for 10 minutes after the policy was sent to the host, to verify the extension loaded the configuration properly.

Please note, 'Protected domains' defines the domains that will be protected by password reuse.

For more information please see our troubleshooting wiki page- https://wiki.checkpoint.com/confluence/pages/viewpage.action?spaceKey=PRODUCTINFO&title=SBA4B+Troubleshooting#SBA4BLabs-1272000687

Thanks,

Talya Ariel
Software Engineer

Re: Zero Phishing Exceptions

brian_hunter — Wed, 29 Jan 2020 03:28:21 GMT

Hey Team,

Not to bump an old thread but can I confirm the exception will work properly for an IP as well?

I see an IP range option in the "protected domains" area, but not the "inspect all sites" exception area. Will a regex matching the range I want to exclude work here?

Re: Zero Phishing Exceptions

Talya_Ariel — Thu, 30 Jan 2020 06:10:18 GMT

Hi,

Please see the answers to your questions in our SBA4B troubleshooting wiki page:

https://wiki.checkpoint.com/confluence/pages/viewpage.action?title=SBA4B+Troubleshooting&spaceKey=PRODUCTINFO#SBA4BLabs--1339142783

under the tab 'FAQ- Zero Phishing and General', question #4.

Thanks,

Talya Ariel

Software Engineer

Re: Zero Phishing Exceptions

PhoneBoy — Thu, 30 Jan 2020 15:36:02 GMT

As the public does not have access to our internal wiki, I'll copy/paste the instructions here.

4A. Q: How to exclude a domain from "Zero Phishing", "Password Reuse" or "File Download Protection" (TE/TEX) functionality?
(for excluding IPs, please also refer to question 4B)

A: Suppose you want to exclude "gmail.com" and all its sub domains:
in the smart endpoint server, go to the policy tab, and edit the “Inspect all domains and files” option:

Add “.gmail.com” as excluded domain.

Install policy, make sure your VM agent got the updated policy.
From task manager – close all chrome\IE processes
Start again chrome\IE browser

Verify that the correct “protected domain” was configured:
Note that the domain has to be the same one that the login form is submitted to. Some customers might have the login form in an iframe from a different domain than the one in the address bar.
When defining a domain for exclusion\protection, you should only consider the domain portion of the URL (shown in bold): https://www.checkpoint.com:8080/path/to/page
A domain will be classified as excluded\protected, if any entry in the exclusion list is a suffix of it.
For example, if the exclusion list contains the entry .checkpoint.com, then www.checkpoint.com will be excluded.
The exclusion list may also contain a regular expressions.
Such regular expression must span the whole string.
For example: .*\.checkpoint\.co\..*
will match: www.checkpoint.co.uk

www.checkpoint.co.il

mail.checkpoint.co.uk

Make sure you login to the protected domain after the policy on the client was updated with the protected domains list
make sure the excluded domain is updated in the excluded_domains entry in the registry.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\<Extension ID>\policy\
e.g.
Make sure you have waited for 10 minutes after the policy was sent to the host, to verify the extension loaded the configuration properly.

4B. Q: How to exclude an IP from "Zero Phishing", "Password Reuse" or "File Download Protection" (TE/TEX) functionality?

A: Exclusion rules for IPs are written in CIDR notation. You can follow the following examples:

rule	what will be excluded?
192.168.10.12/32	exclude the IP 192.168.10.12
192.168.10.12/24	exclude the class C network 192.168.10.*
192.168.10.12/16	exclude the class B network 192.168.*
192.168.10.12/8	exclude the class A network 192.*

topic Re: Zero Phishing Exceptions in Endpoint

Zero Phishing Exceptions

Re: Zero Phishing Exceptions

Re: Zero Phishing Exceptions

Re: Zero Phishing Exceptions

Re: Zero Phishing Exceptions

Re: Zero Phishing Exceptions

Re: Zero Phishing Exceptions

How to exclude a domain from "Zero Phishing", "Password Reuse" or "File Download Protection" (TE/TEX) functionality:

Re: Zero Phishing Exceptions

Re: Zero Phishing Exceptions

Re: Zero Phishing Exceptions

4A. Q: How to exclude a domain from "Zero Phishing", "Password Reuse" or "File Download Protection" (TE/TEX) functionality?(for excluding IPs, please also refer to question 4B)

4B. Q: How to exclude an IP from "Zero Phishing", "Password Reuse" or "File Download Protection" (TE/TEX) functionality?

4A. Q: How to exclude a domain from "Zero Phishing", "Password Reuse" or "File Download Protection" (TE/TEX) functionality?
(for excluding IPs, please also refer to question 4B)