Hi guys,
I have read about a new phishing technique called "file archiver in the browser" that can be leveraged to "emulate" file archiver software in a web browser when a victim visits a .ZIP domain, so I would like to block any sites of the .zip domain on my R81.10 firewall.
What is the best way to do that without taking a lot of resources of the firewall?
I was thinking of using a "custom application site" without regex: *.zip
On my firewall I have all capabilities enabled (URL filtering, application control, and HTTPS inspection).
Thanks a lot
Personally, I was hoping I could do it with a simple *.zip in a custom application, but that ended up matching regular zip file downloads, and even googling of the string ".zip". I then tried with a much more complex regex: /^(?:(?!-)[A-Za-z0-9-]{1,63}(?<!-)\.)+(zip|mov)$/ (without the /, simply used those to delimit the regex in this comment).
But policy fails to push with this regex. It might be too complex for CheckPoint. I have a ticket open, I'll keep you updated on the results.
That's exactly how I blocked it in my R81.20 lab with HTTPS inspection enabled, and once tested, it was indeed blocked fine. Not sure if there is a more "official" way of doing it though :-)
Andy
On R80.40 setting up a custom application/site with "*.zip" non-regex expression with HTTPS inspection enabled hits on every request that has .zip in it (i.e.: test.zip {good}, test.com/test.zip {bad}, test.com/test?q=test.zip {bad}).
I believe ya, as I only tested on R81.20, so it's most likely different.
Andy
Hi,
I have just tried, on R81.10, an Application/Site rule *.zip (no regex), but unfortunately it doesn't work well because it blocks even zip files.
I will try later today with R81.10, but logically, unless you have the content awareness blade enabled to block the .zip extension, app control/URLF should not block it.
Andy
Put a slash after it, as I described in the most recent post in the thread I linked.
*.zip/
This works for me!
Yessss, adding the slash (*.zip/) it works well!!!
Thanks a lot
I tested it exactly the way you described and it was fine, even in R81.10. But, as @Bob_Zimmerman advised, if it works with /, then use that.
Andy
I recently explored the Custom Application/Site expression matching pretty extensively and arrived at this set of expressions. Later in the thread (currently the bottom-most post), I also described my findings after enabling HTTPS Inspection.
I found the following regex in another topic, and it worked for me:
Just replace TLD with a domain you want to match.
^[^:\/]+:\/?\/?[^\/]+\.TLD\/
That's a lot messier than it needs to be. Almost none of the backslashes are needed. It also matches exactly one subdomain. www.somesite.tld would not be matched. Here's a better version, which is basically what I wrote in the linked post:
^[^:]+?://([^/]+?\.)+TLD/
It matches the scheme non-greedily, which will be faster in almost all cases. It removes the optionality for the slashes in the :// separator between the scheme and the domain, since they are always present in the input space. Finally, it requires one subdomain but matches any number.
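Added example, not part of any post in the thread: a Python check of the `^[^:]+?://([^/]+?\.)+TLD/` expression from the last post against constructed URLs, including the false-positive cases reported above for a plain `*.zip`. It assumes the gateway matches the expression against the full URL including the scheme and that its regex engine treats these constructs the way Python's `re` does; the names `tld_pattern`, `classify` and `SAMPLES` are made up for this example.

```python
import re

# Expression quoted in the thread; "TLD" is the placeholder to substitute.
TEMPLATE = r"^[^:]+?://([^/]+?\.)+TLD/"


def tld_pattern(tld):
    """Build the thread's expression for one TLD (escaped so it stays literal)."""
    return re.compile(TEMPLATE.replace("TLD", re.escape(tld)))


# Constructed sample URLs (not taken from any log).
SAMPLES = [
    "https://test.zip/",                       # host in the .zip TLD
    "https://www.test.zip/archive",            # extra subdomain label
    "https://test.com/test.zip",               # ordinary .zip download
    "https://test.com/test?q=test.zip",        # ".zip" in a query string
    "https://test.com/go?u=https://evil.zip/", # .zip URL embedded in a query
    "https://test.zip:8443/",                  # explicit port after the host
    "https://test.zip",                        # no trailing slash
    "https://TEST.ZIP/",                       # upper-case host
]


def classify(urls, tld="zip"):
    """Return {url: True/False} for whether the expression matches each URL."""
    pattern = tld_pattern(tld)
    return {url: bool(pattern.search(url)) for url in urls}


if __name__ == "__main__":
    for url, hit in classify(SAMPLES).items():
        print(f"{'MATCH ' if hit else 'no    '} {url}")
```

The last three samples do not match under Python's `re`: whether the gateway lower-cases the host, strips the port, or appends the trailing slash before matching is not stated in the thread, so those cases are worth testing on a lab gateway before relying on the rule.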