This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
bcsw222
Participant
‎2024-02-08 06:24 AM

Microsoft Attack Simulation URLs - Anti-Virus Blade Exceptions - DNS query Prevents

We're implementing Microsoft Attack Simulation training in my organization. 

The Anti-Virus blade on my gateway (R81.10) is preventing DNS queries to the Microsoft training URLs, so we need to create exceptions for them.

Microsoft has their list of Attack Simulation URLs used for phishing training published here:

Get started using Attack simulation training | Microsoft Learn

 

Reviewing similar threads, I see others have created a Site/Application with the list of URLs, and then created an Exception to their Threat Prevention policy with the Site/Application set as the Protection/Site/File/Blade. I did the same with no success:

Name: MSFT Attack Simulation Allow

Protected Scope: LAN

Protection/Site/File/Blade: MSFT_Attack_Simulation (Site/Application I created with list of URLs)

Action: Detect

Track: Log

Install On: gateway01

 

This did not work. DNS queries to these sites are still blocked. I noticed that under the Site/Application it does not list DNS under Services. It only lists http(s) and http(s)_proxy. I thought perhaps this may be why the exclusions is not working, since it's the DNS query being prevented (port 53) rather than the https connection (port 80/443).

 

Any guidance or advice from anyone who has accomplished this would be greatly appreciated. I can't imagine I'm the only person to have ever needed something like this for phishing training. 

 

I attached relevant screenshots to provide context for the information above. I'm happy to provide any additional information that may be helpful.

Preview file
13 KB
Preview file
62 KB
Preview file
113 KB
0 Kudos
4 Replies
Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-02-08 06:31 AM

Did you create the exception directly from the log (link called Add Exception... ) ? If not can you try to see if it helps?

 

0 Kudos
bcsw222
Participant
‎2024-02-08 06:35 AM
In response to Tal_Paz-Fridman

This works for the specific protection name e.g. Phishing.TC.c7e9QTmL (see my log screenshot for reference), but it only applies to the one URL. For example, it works for attemplate.com, but not for bankmenia.com, as the protection name for bankmenia.com is different from attemplate.com.

Microsoft has 130 URLs they use for phishing simulation, so it wouldn't be practical to create an exception for the detection for every URL as they come up.

0 Kudos
bcsw222
Participant
‎2024-02-16 05:31 AM
In response to Tal_Paz-Fridman

Do you happen to know if the protections are specific to this one detection?

e.g. Phishing.TC.c7e9QTmL = attemplate.com (log is attached)

To expand on that - if we created an exception from a log for Phishing.TC.c7e9QTmL and applied it to our network range - is the exclusion for Phishing.TC.c7e9QTmL going to be specific for attemplate.com? 

 

It seems like each site that gets flagged by the Anti-Virus blade has its own unique protection name. I was having a hard time finding confirmation on this.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-02-16 07:37 AM
In response to bcsw222

I suspect each of the domains will have it's own TC protection.
I would think the exception policy you've created would also apply to DNS queries.
Might need a TAC case to investigate further: https://help.checkpoint.com 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events