John_Fenoughty
Collaborator

URL Reputation false positive - how to 'whitelist'


Hi,

We have an issue with the URL reputation engine creating a false positive and I cannot find a way to whitelist this to stop it happening. This is going to keep happening because it is the URL in the company's bank's email disclaimer (Barclays).

URL Reputation is classifying the URL as malicious, I think because it has a full stop and then speech marks after it (and no space before the '.'). It looks like this: http://publicresearch.barclays.com."

I have run the actual URL through VirusTotal and it is coming up as clean - it would be helpful if Check Point had something I could run it through to check against ThreatCloud - I think I read that something is being considered in that area.

Anyway, the real issue here is that I need to find a way to stop the URL Reputation check from marking these emails as malicious.

Any ideas?

Thanks,

John

0 Kudos
1 Solution

Accepted Solutions
Igor_Freidin
Employee

It's now possible to add a domain's URL detected by Check Point URL reputation to 'Allow-list Domains'. This will prevent the engine from sending everything from that domain for Check Point reputation cloud analysis. Open the event itself, click 'Allow-list Domains', tick the checkbox near the domain name, and click 'Update Domains' to apply.

To remove the domain from the Allowed domain list, un-tick the checkbox under the same event.


7 Replies
Abigael_Saal_Le
Employee

Hello John,

There is currently no way to whitelist a URL locally, in your CloudGuard SaaS portal. While we are planning on adding this feature, I do not have an ETA for release at this time.  However, I checked this URL against our URL reputation service and it does not seem to be black listed. There might be a bug causing this issue.

Could you please open a ticket to support to report the problem? You can find information here about how to open Service Requests in case you are not familiar with the process. It would be good to include some examples of events showing that this URL has been categorized as malicious. 

Feel free to contact me directly at abigaels@checkpoint.com in case the case is not moving forward.

 

Thanks,

Abigael Levy

 

John_Fenoughty
Collaborator
Thanks for the reply.

I have logged the call and sent all of the required screenshots and a zip of an example email. It's in progress now.
0 Kudos
John_Fenoughty
Collaborator

This was resolved by TAC; R&D got involved and adjusted the engine.

The offending email had an HTML link in their signature/disclaimer which ended ." - the '.' actually just being a full stop at the end of the sentence. This was being seen as potentially harmful code.

These emails no longer get classified as suspicious.
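
Added illustration (not part of any post in this thread and not Check Point's code): a sketch of how a mail-scanning pipeline can trim sentence punctuation from an extracted URL before a reputation or allow-list lookup, so that a link followed by ." resolves to the same host as the clean URL. The function names, trimming rules and sample text are assumptions; the example.com line goes beyond the case in the thread to cover unbalanced closing brackets.

```python
import re
from urllib.parse import urlsplit

# Greedy candidate: everything up to whitespace or an HTML tag delimiter.
CANDIDATE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)
TRAILING = ".,;:!?\"'"                      # sentence punctuation and quote marks
CLOSERS = {")": "(", "]": "[", "}": "{"}

def trim_candidate(url: str) -> str:
    """Drop trailing characters that belong to the sentence, not the URL."""
    while url:
        last = url[-1]
        if last in TRAILING:
            url = url[:-1]
        elif last in CLOSERS and url.count(last) > url.count(CLOSERS[last]):
            url = url[:-1]                  # unbalanced closer, e.g. "(see http://x/)"
        else:
            break
    return url

def lookup_key(url: str) -> str:
    """Canonical host used for a reputation or allow-list lookup."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:                      # malformed bracketed host
        return ""
    return host.rstrip(".").lower()         # "example.com." and "example.com" are one host

def extract_urls(text: str) -> list[tuple[str, str]]:
    """Return (trimmed URL, lookup host) for each URL found in text."""
    found = []
    for match in CANDIDATE.finditer(text):
        url = trim_candidate(match.group(0))
        host = lookup_key(url)
        if host:
            found.append((url, host))
    return found

# Constructed sample modelled on the disclaimer described in this thread.
SAMPLE = ('<p>Research: <a href="http://publicresearch.barclays.com">'
          'http://publicresearch.barclays.com."</a></p>'
          ' (terms: https://example.com/terms_(uk).)')

if __name__ == "__main__":
    for url, host in extract_urls(SAMPLE):
        print(f"{url:40} -> {host}")
```
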


John_Fenoughty
Collaborator

@Igor_Freidin ,

That's really good to hear, thank you. I am such a big fan of this product and how well it does its job - it's great to know these little extras (or some not so little) are all being worked on to make this product the very best of breed!

Do you happen to know what will happen if we whitelist a domain in this way but then an email comes 'forged' from this domain with say a bad SPF record? Would this whitelist method override that or do we check that the domain is genuine *before* parsing the whitelist?

Igor_Freidin
Employee

Adding a domain to the Allowed domain list in the way described will result in not sending email from that domain to the Check Point URL reputation engine. The second Anti-Phishing engine will still perform the SPF check.

0 Kudos
C-3PO
Participant

👍

0 Kudos