This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Stuart_Green
Collaborator
‎2019-04-02 08:24 AM

Zero Phishing Exceptions

Hi,

Is it possible to configure exceptions for Zero Phishing?

This scenario exists where a customer doesn't want the Zero Phishing browser plugin to prompt for internal websites - i.e. ones behind their firewall on internal servers.

Yes, I get that this introduces the scenario where they could be redirected to an external site masquerading as an internal site but asking the question anyway...

 

TIA

9 Replies
PhoneBoy
Admin
Admin
‎2019-04-02 03:24 PM

Do you have the relevant domain configured here?

Screen Shot 2019-04-02 at 3.23.24 PM.png

Stuart_Green
Collaborator
‎2019-04-02 03:46 PM
In response to PhoneBoy

Hmmm, no, that didn’t suggest an exclusion.

So if a domain/IP address is entered in that box, the zero phishing browser plugin won’t scan it?

If so, rather than “Protected” should it not say “Excluded”?

PhoneBoy
Admin
Admin
‎2019-04-02 04:46 PM
In response to Stuart_Green

I'm not 100% sure it's an exclusion, but it makes sense you'd want to configure this option anyway.
Specifically, it's to make sure users are NOT using their corporate credentials on an external site.
When credentials are entered on an internal site, the domains of which are configured here, a hash of the password is stored.
If that password is used on an external site, then the user is alerted.
0 Kudos
David_Levine
Contributor
‎2019-05-24 09:58 AM
In response to PhoneBoy

Per the documentation for the Zero Phishing functionality:

Protected Domains - Add domains for which Password Reuse Protection is enforced.
SandBlast Agent keeps a cryptographic secure hash of the passwords used in these domains
and compares them to passwords entered outside of the protected domains

So, this dialog box is definitely about corporate password reuse, and is not about exclusions.

The SBA TE blade does have an exclusion configuration option... by default it is set to "Inspect all domains and files", but there is a dialog box to add exclusions there. I am not sure if these exclusions would be used by the browser extension / Zero Phishing feature though... 

I did just have a Business Dev Director approach me and say that this was a problem for him as he was demoing websites for prospective customers and the "Scanning..." thing that Zero Phishing does on web forms "...did not look good...". <sigh>

Hopefully the exclusion setting will apply to the Zero Phishing feature, or I may need to add policy to disable this for a group of users / computers.

Untitled.png

 

 

 

Capture3.PNG

Christopher_To
Collaborator
‎2020-01-24 08:01 AM
In response to David_Levine

Has this been confirmed?  Does adding the domain in this exclusions list apply to the Zero Phishing/Password Reuse feature?

 

Talya_Ariel
Employee
Employee
‎2020-01-26 03:09 AM
In response to Christopher_To

Hi,

The answer is yes.

How to exclude a domain from "Zero Phishing", "Password Reuse" or "File Download Protection" (TE/TEX) functionality:

Suppose you want to exclude "gmail.com" and all its sub domains:
in the smart endpoint server, go to the policy tab, and edit the “Inspect all domains and files” option:

1.png

2.png

    Add “.gmail.com” as excluded domain.

  1. Install policy, make sure your VM agent got the updated policy.
  2. From task manager – close all chrome\IE processes
  3. Start again chrome\IE browser
  • Verify that the correct “protected domain” was configured:
  • Note that the domain has to be the same one that the login form is submitted to. Some customers might have the login form in an iframe from a different domain than the one in the address bar.
  • When defining a domain for exclusion\protection, you should only consider the domain portion of the URL (shown in bold): https://www.checkpoint.com:8080/path/to/page
    A domain will be classified as excluded\protected, if any entry in the exclusion list is a suffix of it.
    For example, if the exclusion list contains the entry .checkpoint.com, then www.checkpoint.com will be excluded.
    The exclusion list may also contain a regular expressions.
    Such regular expression must span the whole string.
    For example: .*\.checkpoint\.co\..*
    will match: www.checkpoint.co.uk

           www.checkpoint.co.il

           mail.checkpoint.co.uk

           mail.checkpoint.co.il etc.
           The most common use is to exclude a domain and its sub domains,
            example : in order to excluded checkpoint.com and all its sub domains,
             the user should insert: .checkpoint.com

  • Make sure you login to the protected domain after the policy on the client was  updated with the protected domains list
    make sure the excluded domain is updated in the excluded_domains entry in the registry.
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\<Extension ID>\policy\
    e.g.
     
  • Make sure you have waited for 10 minutes after the policy was sent to the host, to verify the extension loaded the configuration properly.

Please note, 'Protected domains' defines the domains that will be protected by password reuse.

For more information please see our troubleshooting wiki page- https://wiki.checkpoint.com/confluence/pages/viewpage.action?spaceKey=PRODUCTINFO&title=SBA4B+Troubl...

Thanks,

Talya Ariel
Software Engineer

brian_hunter
Explorer
‎2020-01-28 07:28 PM
In response to Talya_Ariel

Hey Team, 

 

Not to bump an old thread but can I confirm the exception will work properly for an IP as well? 

I see an IP range option in the "protected domains" area, but not the "inspect all sites" exception area. Will a regex matching the range I want to exclude work here?

0 Kudos
Talya_Ariel
Employee
Employee
‎2020-01-29 10:10 PM
In response to brian_hunter

Hi,

 

Please see the answers to your questions in our SBA4B troubleshooting wiki page:

https://wiki.checkpoint.com/confluence/pages/viewpage.action?title=SBA4B+Troubleshooting&spaceKey=PR...

under the tab 'FAQ- Zero Phishing and General', question #4.

Thanks,

Talya Ariel

Software Engineer

 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-01-30 07:36 AM
In response to Talya_Ariel

As the public does not have access to our internal wiki, I'll copy/paste the instructions here.

4A. Q: How to exclude a domain from "Zero Phishing", "Password Reuse" or "File Download Protection" (TE/TEX) functionality?
(for excluding IPs, please also refer to question 4B)

A: Suppose you want to exclude "gmail.com" and all its sub domains:
in the smart endpoint server, go to the policy tab, and edit the “Inspect all domains and files” option:

image2017-10-25 17_27_26.png

   Add “.gmail.com” as excluded domain.

  1. Install policy, make sure your VM agent got the updated policy.
  2. From task manager – close all chrome\IE processes
  3. Start again chrome\IE browser
  • Verify that the correct “protected domain” was configured:
  • Note that the domain has to be the same one that the login form is submitted to. Some customers might have the login form in an iframe from a different domain than the one in the address bar.
  • When defining a domain for exclusion\protection, you should only consider the domain portion of the URL (shown in bold): https://www.checkpoint.com:8080/path/to/page
    A domain will be classified as excluded\protected, if any entry in the exclusion list is a suffix of it.
    For example, if the exclusion list contains the entry .checkpoint.com, then www.checkpoint.com will be excluded.
    The exclusion list may also contain a regular expressions.
    Such regular expression must span the whole string.
    For example: .*\.checkpoint\.co\..*
    will match: www.checkpoint.co.uk

           www.checkpoint.co.il

           mail.checkpoint.co.uk

           mail.checkpoint.co.il etc.
           The most common use is to exclude a domain and its sub domains,
            example : in order to excluded checkpoint.com and all its sub domains,
             the user should insert: .checkpoint.com

  • Make sure you login to the protected domain after the policy on the client was  updated with the protected domains list
    make sure the excluded domain is updated in the excluded_domains entry in the registry.
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\<Extension ID>\policy\
    e.g.

     

  • Make sure you have waited for 10 minutes after the policy was sent to the host, to verify the extension loaded the configuration properly.

4B. Q: How to exclude an IP from "Zero Phishing", "Password Reuse" or "File Download Protection" (TE/TEX) functionality?

A: Exclusion rules for IPs are written in CIDR notation. You can follow the following examples:

rule
what will be excluded?
192.168.10.12/32 exclude the IP 192.168.10.12
192.168.10.12/24 exclude the class C network 192.168.10.*
192.168.10.12/16 exclude the class B network 192.168.*
192.168.10.12/8 exclude the class A network 192.*

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events