Application blocked but where is the application?
So there is this news web site in Portland, OR called www.wweek.com (Willamette Week) and, as you can see here, Application Control sees this site as an application that has been categorized as High Risk. Of course we block this application category, but is it really an application?
Application: wweek.com
Category: High Risk
Well, let me take a look at my list of 7885 applications in the R80.10 manager - NO, it is not there. OK, so that is one discrepancy. Next I ask, 'how did they get categorized as High Risk?' I go to my trusty Check Point categorization/URL filtering web site and I find they are in News/Media. Now I go to my blocked categories group and look there, but I do not find this category in the custom group that I have blocked. Still digging, I go to SmartLog and apply the filter app_category:"News / Media", run the query and voilà! I find a collection of blocked 'News/Media' traffic on both port 80 and 443, including BBC - really! - but no wweek.com in the last month (really, again). OK, now I'm really digging deep and looking into 'Additional Categories', and I find Phishing, News / Media, High Risk, URL Filtering. OK, now I am checking a half dozen blacklist sources to try to discover how/why this site is classified as High Risk. I cannot figure this out, HELP!
For http://wweek.com
Categories: News / Media
News / Media: This category includes URLs that provide online news media, such as international or regional news broadcasting and publication. Examples: http://www.cnn.com, http://www.nytimes.com, http://www.washingtonpost.com
Accepted Solutions
URL categorisation is different from application control; they are two different things. At some point the specific website might have been reported as having malware content, or just as having advertisements with links that create high risk. This is very common, and just by the number of URLs that exist, false positives will exist.
You may change the category yourself on the management, or send a request to support.
Thanks,
Charris
Yes, for this kind of question you can check URL Categorization first, here:
URL Categorization | Check Point Software Technologies
If it is a false positive, you can request a category change from there.
After you submit, you will receive this kind of mail; normally within no more than two days the APCL/URLF update will apply.
I understand that application control and URL filtering are different - both come into play here, as identified by the 2 blades... Let me elaborate: when a user goes here with their browser, the Application Control blade sees this as an 'application' and logs it as 'High Risk', AND URL Filtering sees it as something else, 'Phishing'.
Question #1: Why is it logged as an application when the application is not in the installed list of 7885 applications?
Question #2: The web site is correctly classified as News/Media (I do not wish to change that, because it is correct). What I want to know is: why is the site blocked?
Question #3: I do not know how the site was categorized as High Risk. How did this happen?
Question #4: If a site has mixed content (443 and 80), does this imply 'High Risk'?
Do I need to push back on the user request to allow it, or is there a valid reason to block it? If so, I need to tell my users why, and be accurate.
Let me start by saying that false positives do exist. On the other hand, a URL from one category can change in a few clicks... That is why Check Point is adding URL reputation, IP reputation, DNS reputation and others to the threat intelligence. Additionally, sites that are normally allowed to all users, i.e. News/Media, are often infected with crypto miners. This is the new trend, simply because the bad guys know that those sites are visited by a large number of people.
A URL is based on URL categorisation, and at the same time a URL is simply an application. A web application.
For your questions:
1) As mentioned above, any URL is an application as well. When it gets more popularity and is analysed further, it will get a name, more detailed descriptions and fine-tuned policies.
2) If you check the logs, it is not blocked by URL Filtering but by the category High Risk. If you block High Risk categories, this is the reason, regardless of whether you allow that URL category.
3) There are a number of reasons why a news/media site can be categorised as High Risk. The first is a false positive; the second is that through Threat Intelligence it was found to contain something malicious; the third is that links inside that URL connect to malicious activities.
4) No, mixed http/https does not imply High Risk.
End users do not understand (and do not care about) the technical complexities of why a URL is blocked. They just want to view the site, and most often it is a site that they visit from their home.
It is up to your organisation's policy to evaluate and exclude the different URLs, so a definite answer does not exist.
Thanks,
Charris Lappas
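The mechanism behind point 2 above (a site carries several categories at once, and a block on any one of them wins even though its primary category is allowed) is the kind of thing that is easier to see over the logs than to reason about by hand. The following is an added worked example, not Check Point code and not posted by anyone in the thread: it reads a few constructed SmartLog-style export lines, merges each record's primary category with its 'Additional Categories', and reports which members of the administrator's blocked group explain each block. The field names (`app_category` is the filter name used in the original post; `additional_categories` is an assumed name), the separator, the contents of the blocked group and every log line are assumptions made for illustration.

```python
"""Explain Application Control / URL Filtering blocks from category data.

Added illustration only; the log format, field names and blocked-group
contents below are assumptions, not Check Point's actual export format.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed contents of the custom "blocked categories" group. The thread only
# confirms that High Risk is blocked and News / Media is not.
BLOCKED_GROUP = frozenset({"High Risk", "Phishing", "Malware"})

# Constructed SmartLog-style export (semicolon separated; NOT real log data).
# The wweek.com line mirrors the categories quoted in the original post.
SAMPLE_LOG = """\
time;action;service;application;app_category;additional_categories
2018-01-10 09:12:01;Block;https;wweek.com;High Risk;Phishing,News / Media,High Risk,URL Filtering
2018-01-10 09:14:22;Block;http;bbc.co.uk;News / Media;News / Media,High Risk
2018-01-10 09:15:03;Accept;https;nytimes.com;News / Media;News / Media
2018-01-10 09:17:45;Block;https;cnn.com;News / Media;News / Media,URL Filtering
"""

UNEXPLAINED = "UNEXPLAINED: no blocked category on this record"


@dataclass(frozen=True)
class LogRecord:
    time: str
    action: str
    service: str
    application: str
    categories: frozenset[str]  # primary category merged with the additional ones


def parse_log(text: str) -> list[LogRecord]:
    """Parse the constructed export into records, merging all categories into one set."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split(";")
    records: list[LogRecord] = []
    for line in lines[1:]:
        fields = dict(zip(header, line.split(";")))
        cats = {fields["app_category"].strip()}
        cats.update(c.strip() for c in fields["additional_categories"].split(",") if c.strip())
        records.append(LogRecord(fields["time"], fields["action"], fields["service"],
                                 fields["application"], frozenset(cats)))
    return records


def blocking_categories(record: LogRecord, blocked: frozenset[str] = BLOCKED_GROUP) -> list[str]:
    """Categories on this record that are members of the blocked group (sorted)."""
    return sorted(record.categories & blocked)


def explain_blocks(text: str, blocked: frozenset[str] = BLOCKED_GROUP) -> dict[str, list[str]]:
    """Map each blocked site to the blocked-group categories that explain the block.

    A block whose record carries none of the blocked categories is flagged as
    UNEXPLAINED: the category policy alone cannot account for it, so some other
    rule must have matched and the admin should look at the matched rule instead.
    """
    explanation: dict[str, list[str]] = {}
    for rec in parse_log(text):
        if rec.action != "Block":
            continue  # only blocks need explaining here
        hits = blocking_categories(rec, blocked)
        explanation[rec.application] = hits if hits else [UNEXPLAINED]
    return explanation


if __name__ == "__main__":
    for site, why in explain_blocks(SAMPLE_LOG).items():
        print(f"{site:12s} blocked because of: {', '.join(why)}")
```

In the constructed data, wweek.com is blocked by two members of the group (High Risk and Phishing) even though its primary category, as the post notes, is News / Media; the cnn.com line shows why the UNEXPLAINED flag is worth having, since a block with no blocked category on the record points at a different rule rather than at categorisation.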
