Stuart_Green
Collaborator

Zero Phishing Exceptions

Hi,

Is it possible to configure exceptions for Zero Phishing?

This scenario exists where a customer doesn't want the Zero Phishing browser plugin to prompt for internal websites - i.e. ones behind their firewall on internal servers.

Yes, I get that this introduces the scenario where they could be redirected to an external site masquerading as an internal site but asking the question anyway...

TIA

9 Replies
PhoneBoy
Admin

Do you have the relevant domain configured here?

[Screenshot: Screen Shot 2019-04-02 at 3.23.24 PM.png]

Stuart_Green
Collaborator

Hmmm, no, that didn’t suggest an exclusion.

So if a domain/IP address is entered in that box, the zero phishing browser plugin won’t scan it?

If so, rather than “Protected” should it not say “Excluded”?

PhoneBoy
Admin

I'm not 100% sure it's an exclusion, but it makes sense you'd want to configure this option anyway.
Specifically, it's to make sure users are NOT using their corporate credentials on an external site.
When credentials are entered on an internal site, the domains of which are configured here, a hash of the password is stored.
If that password is used on an external site, then the user is alerted.
David_Levine
Contributor

Per the documentation for the Zero Phishing functionality:

Protected Domains - Add domains for which Password Reuse Protection is enforced.
SandBlast Agent keeps a cryptographic secure hash of the passwords used in these domains
and compares them to passwords entered outside of the protected domains

So, this dialog box is definitely about corporate password reuse, and is not about exclusions.

The SBA TE blade does have an exclusion configuration option... by default it is set to "Inspect all domains and files", but there is a dialog box to add exclusions there. I am not sure if these exclusions would be used by the browser extension / Zero Phishing feature though... 

I did just have a Business Dev Director approach me and say that this was a problem for him as he was demoing websites for prospective customers and the "Scanning..." thing that Zero Phishing does on web forms "...did not look good...". <sigh>

Hopefully the exclusion setting will apply to the Zero Phishing feature, or I may need to add policy to disable this for a group of users / computers.

[Screenshot: Untitled.png]

[Screenshot: Capture3.PNG]

Christopher_To
Collaborator

Has this been confirmed? Does adding the domain in this exclusions list apply to the Zero Phishing/Password Reuse feature?

Talya_Ariel
Employee

Hi,

The answer is yes.

How to exclude a domain from "Zero Phishing", "Password Reuse" or "File Download Protection" (TE/TEX) functionality:

Suppose you want to exclude "gmail.com" and all its sub domains:
In the SmartEndpoint server, go to the policy tab, and edit the "Inspect all domains and files" option:

[Screenshot: 1.png]

[Screenshot: 2.png]

Add ".gmail.com" as an excluded domain.

1. Install policy, and make sure your VM agent got the updated policy.
2. From Task Manager, close all Chrome/IE processes.
3. Start the Chrome/IE browser again.

• Verify that the correct "protected domain" was configured:
• Note that the domain has to be the same one that the login form is submitted to. Some customers might have the login form in an iframe from a different domain than the one in the address bar.
• When defining a domain for exclusion/protection, you should only consider the domain portion of the URL (shown in bold): https://www.checkpoint.com:8080/path/to/page
  A domain will be classified as excluded/protected if any entry in the exclusion list is a suffix of it.
  For example, if the exclusion list contains the entry .checkpoint.com, then www.checkpoint.com will be excluded.
  The exclusion list may also contain regular expressions. Such a regular expression must span the whole string.
  For example: .*\.checkpoint\.co\..*
  will match: www.checkpoint.co.uk, www.checkpoint.co.il, mail.checkpoint.co.uk, mail.checkpoint.co.il, etc.
  The most common use is to exclude a domain and its sub domains. For example, in order to exclude checkpoint.com and all its sub domains, the user should insert: .checkpoint.com
• Make sure you log in to the protected domain after the policy on the client was updated with the protected domains list.
  Make sure the excluded domain is updated in the excluded_domains entry in the registry:
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\<Extension ID>\policy\
• Make sure you have waited 10 minutes after the policy was sent to the host, to verify the extension loaded the configuration properly.

Please note, 'Protected domains' defines the domains that will be protected by password reuse.

For more information please see our troubleshooting wiki page: https://wiki.checkpoint.com/confluence/pages/viewpage.action?spaceKey=PRODUCTINFO&title=SBA4B+Troubl...

Thanks,

Talya Ariel
Software Engineer

brian_hunter
Explorer

Hey Team, 

Not to bump an old thread but can I confirm the exception will work properly for an IP as well? 

I see an IP range option in the "protected domains" area, but not the "inspect all sites" exception area. Will a regex matching the range I want to exclude work here?

Talya_Ariel
Employee

Hi,

Please see the answers to your questions in our SBA4B troubleshooting wiki page:

https://wiki.checkpoint.com/confluence/pages/viewpage.action?title=SBA4B+Troubleshooting&spaceKey=PR...

under the tab 'FAQ- Zero Phishing and General', question #4.

Thanks,

Talya Ariel

Software Engineer

PhoneBoy
Admin

As the public does not have access to our internal wiki, I'll copy/paste the instructions here.

4A. Q: How to exclude a domain from "Zero Phishing", "Password Reuse" or "File Download Protection" (TE/TEX) functionality?
(for excluding IPs, please also refer to question 4B)

A: Suppose you want to exclude "gmail.com" and all its sub domains:
In the SmartEndpoint server, go to the policy tab, and edit the "Inspect all domains and files" option:

[Screenshot: image2017-10-25 17_27_26.png]

Add ".gmail.com" as an excluded domain.

1. Install policy, and make sure your VM agent got the updated policy.
2. From Task Manager, close all Chrome/IE processes.
3. Start the Chrome/IE browser again.

• Verify that the correct "protected domain" was configured:
• Note that the domain has to be the same one that the login form is submitted to. Some customers might have the login form in an iframe from a different domain than the one in the address bar.
• When defining a domain for exclusion/protection, you should only consider the domain portion of the URL (shown in bold): https://www.checkpoint.com:8080/path/to/page
  A domain will be classified as excluded/protected if any entry in the exclusion list is a suffix of it.
  For example, if the exclusion list contains the entry .checkpoint.com, then www.checkpoint.com will be excluded.
  The exclusion list may also contain regular expressions. Such a regular expression must span the whole string.
  For example: .*\.checkpoint\.co\..*
  will match: www.checkpoint.co.uk, www.checkpoint.co.il, mail.checkpoint.co.uk, mail.checkpoint.co.il, etc.
  The most common use is to exclude a domain and its sub domains. For example, in order to exclude checkpoint.com and all its sub domains, the user should insert: .checkpoint.com
• Make sure you log in to the protected domain after the policy on the client was updated with the protected domains list.
  Make sure the excluded domain is updated in the excluded_domains entry in the registry:
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\<Extension ID>\policy\
• Make sure you have waited 10 minutes after the policy was sent to the host, to verify the extension loaded the configuration properly.

4B. Q: How to exclude an IP from "Zero Phishing", "Password Reuse" or "File Download Protection" (TE/TEX) functionality?

A: Exclusion rules for IPs are written in CIDR notation. You can follow the following examples:

rule                what will be excluded?
192.168.10.12/32    exclude the IP 192.168.10.12
192.168.10.12/24    exclude the class C network 192.168.10.*
192.168.10.12/16    exclude the class B network 192.168.*
192.168.10.12/8     exclude the class A network 192.*
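The matching rules from 4A and 4B, modelled in Python as an added example for checking an exclusion list before installing policy (this is not Check Point's code, only a reading of the rules as stated in the thread): the host is taken from the URL the login form submits to, plain entries are suffixes, regex entries must match the whole host, and CIDR entries apply only to literal IP hosts. The heuristic for telling a regex entry from a plain one and the sample exclusion list are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed exclusion list covering the three entry kinds the thread describes:
# a leading-dot suffix, a whole-string regex, and a CIDR rule.
EXCLUSIONS = [".gmail.com", r".*\.checkpoint\.co\..*", "192.168.10.12/24"]

# Assumption (not stated in the thread): an entry is treated as a regular
# expression only if it contains characters that cannot occur in a hostname.
_REGEX_META = set(r"*\()[]^$|+?{}")


def host_of(url: str) -> str:
    """Return only the host portion of a URL; scheme, port and path are ignored.
    Pass the URL the login form submits to, not the address-bar URL (the
    iframe caveat in the thread)."""
    return (urlsplit(url).hostname or "").lower()


def matches_entry(host: str, entry: str) -> bool:
    """Apply one exclusion-list entry to a host, following the thread's rules."""
    # CIDR rule (4B): only a literal IP host can match. strict=False accepts
    # host bits being set, as in the thread's 192.168.10.12/24 example.
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        net = None
    if net is not None:
        try:
            return ipaddress.ip_address(host) in net
        except ValueError:
            return False  # a hostname never matches a CIDR rule
    # Regex rule (4A): must span the whole string, so fullmatch, not search.
    if _REGEX_META & set(entry):
        try:
            return re.fullmatch(entry, host, re.IGNORECASE) is not None
        except re.error:
            return False  # malformed pattern excludes nothing
    # Plain rule (4A): excluded if the entry is a suffix of the host. The
    # leading dot in ".gmail.com" keeps e.g. "notgmail.com" from matching.
    return host.endswith(entry.lower())


def is_excluded(submit_url: str, exclusions=EXCLUSIONS) -> bool:
    """True if any exclusion entry applies to the host the form submits to."""
    return any(matches_entry(host_of(submit_url), e) for e in exclusions)
```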
