Microsoft Attack Simulation URLs - Anti-Virus Blade Exceptions - DNS query Prevents
We're implementing Microsoft Attack Simulation training in my organization.
The Anti-Virus blade on my gateway (R81.10) is preventing DNS queries to the Microsoft training URLs, so we need to create exceptions for them.
Microsoft has their list of Attack Simulation URLs used for phishing training published here:
Get started using Attack simulation training | Microsoft Learn
Reviewing similar threads, I see others have created a Site/Application with the list of URLs, and then created an Exception to their Threat Prevention policy with the Site/Application set as the Protection/Site/File/Blade. I did the same with no success:
Name: MSFT Attack Simulation Allow
Protected Scope: LAN
Protection/Site/File/Blade: MSFT_Attack_Simulation (Site/Application I created with list of URLs)
Action: Detect
Track: Log
Install On: gateway01
This did not work. DNS queries to these sites are still blocked. I noticed that under the Site/Application it does not list DNS under Services. It only lists http(s) and http(s)_proxy. I thought perhaps this may be why the exclusion is not working, since it's the DNS query being prevented (port 53) rather than the https connection (port 80/443).
Any guidance or advice from anyone who has accomplished this would be greatly appreciated. I can't imagine I'm the only person to have ever needed something like this for phishing training.
I attached relevant screenshots to provide context for the information above. I'm happy to provide any additional information that may be helpful.
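To tell a DNS-layer prevent (port 53) apart from an HTTPS-layer one (port 443) for each simulation domain, here is an added diagnostic script; it is not part of the original post or of Check Point's tooling. The two domain names are the ones mentioned in the thread, and the resolver and connector are injectable so the classification can be exercised offline.

```python
import socket
import ssl
from typing import Callable, Dict, List

# Constructed sample: the two simulation domains named in the thread; the
# full Microsoft list lives on the Microsoft Learn page linked above.
SAMPLE_DOMAINS = ["attemplate.com", "bankmenia.com"]

# Outcomes in the order the gateway sees the traffic: the DNS query (port 53)
# is inspected before any HTTPS connection (port 443) is attempted.
DNS_BLOCKED = "dns-blocked"      # resolution fails: the DNS-layer prevent still applies
HTTPS_BLOCKED = "https-blocked"  # name resolves, but the TLS session fails (reset, refused, cert error)
REACHABLE = "reachable"          # both layers pass: the exception covers this domain

def default_resolve(domain: str) -> str:
    """Resolve through the system resolver; raises socket.gaierror when blocked or absent."""
    return socket.gethostbyname(domain)

def default_connect(address: str, server_name: str, timeout: float = 5.0) -> None:
    """Open a TLS session to address:443; raises OSError if the connection is blocked."""
    ctx = ssl.create_default_context()
    with socket.create_connection((address, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name):
            pass

def classify(domain: str,
             resolve: Callable[[str], str] = default_resolve,
             connect: Callable[[str, str], None] = default_connect) -> str:
    """Tell a DNS-layer block apart from an HTTPS-layer block for one domain."""
    try:
        address = resolve(domain)
    except OSError:  # socket.gaierror is a subclass of OSError
        return DNS_BLOCKED
    try:
        connect(address, domain)
    except OSError:  # ssl.SSLError and connection errors are OSError subclasses
        return HTTPS_BLOCKED
    return REACHABLE

def check_domains(domains: List[str], **probes) -> Dict[str, str]:
    """Run the check for every domain; pass resolve=/connect= to substitute probes."""
    return {domain: classify(domain, **probes) for domain in domains}

if __name__ == "__main__":
    for domain, result in check_domains(SAMPLE_DOMAINS).items():
        print(f"{domain}: {result}")
```

Run it from a host inside the protected scope before and after installing the exception: domains still reported as dns-blocked are the ones the Site/Application-based exception is not covering.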
Did you create the exception directly from the log (the link called Add Exception...)? If not, can you try that to see if it helps?
This works for the specific protection name e.g. Phishing.TC.c7e9QTmL (see my log screenshot for reference), but it only applies to the one URL. For example, it works for attemplate.com, but not for bankmenia.com, as the protection name for bankmenia.com is different from attemplate.com.
Microsoft has 130 URLs they use for phishing simulation, so it wouldn't be practical to create an exception for the detection for every URL as they come up.
Do you happen to know if the protections are specific to this one detection?
e.g. Phishing.TC.c7e9QTmL = attemplate.com (log is attached)
To expand on that - if we created an exception from a log for Phishing.TC.c7e9QTmL and applied it to our network range - is the exclusion for Phishing.TC.c7e9QTmL going to be specific for attemplate.com?
It seems like each site that gets flagged by the Anti-Virus blade has its own unique protection name. I was having a hard time finding confirmation on this.
I suspect each of the domains will have its own TC protection.
I would think the exception policy you've created would also apply to DNS queries.
Might need a TAC case to investigate further: https://help.checkpoint.com
