Hi,
We have an issue with the URL reputation engine creating a false positive and I cannot find a way to whitelist this to stop it happening. This is going to keep happening because it is the URL in the company's bank's email disclaimer (Barclays).
URL Reputation is classifying the URL as malicious, I think because it has a full stop and then speech marks after it (and no space before the '.'). It looks like this: http://publicresearch.barclays.com."
I have run the actual URL through VirusTotal and it is coming up as clean - it would be helpful if Check Point had something I could run it through to check against ThreatCloud - I think I read that something is being considered in that area.
Anyway, the real issue here is that I need to find a way to stop the URL Reputation check from marking these emails as malicious.
Any ideas?
Thanks,
John
Hello John,
There is currently no way to whitelist a URL locally, in your CloudGuard SaaS portal. While we are planning on adding this feature, I do not have an ETA for release at this time. However, I checked this URL against our URL reputation service and it does not seem to be blacklisted. There might be a bug causing this issue.
Could you please open a ticket with support to report the problem? You can find information here about how to open Service Requests in case you are not familiar with the process. It would be good to include some examples of events showing that this URL has been categorized as malicious.
Feel free to contact me directly at abigaels@checkpoint.com in case the case is not moving forward.
Thanks,
Abigael Levy
This was resolved by TAC; R&D got involved and adjusted the engine.
The offending email had an HTML link in its signature/disclaimer which ended ." - the '.' actually just being a full stop at the end of the sentence. This was being seen as potentially harmful code.
These emails no longer get classified as suspicious.
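The failure described in this thread, as an added example that is not part of any post and is not Check Point's code: a plain-text URL extractor that trims trailing sentence punctuation and unbalanced closing brackets before the host goes to a reputation lookup. The function names, the regex and the sample text are assumptions made for illustration; how the Check Point engine parses links is not stated in the thread.

```python
import re
from urllib.parse import urlsplit

# Characters that usually belong to the surrounding sentence, not to the URL.
TRAILING = '.,;:!?"\'>'
CLOSERS = {")": "(", "]": "[", "}": "{"}
# Greedy candidate match: everything up to whitespace or an angle bracket.
URL_RE = re.compile(r'https?://[^\s<>]+', re.IGNORECASE)

def trim_url(candidate):
    """Strip sentence punctuation and unbalanced closing brackets from the end."""
    url = candidate
    while url:
        last = url[-1]
        if last in TRAILING:
            url = url[:-1]
        elif last in CLOSERS and url.count(last) > url.count(CLOSERS[last]):
            url = url[:-1]  # closer with no opener inside the URL: part of the prose
        else:
            break
    return url

def extract_urls(text):
    """Return (url, hostname) pairs ready for a reputation lookup."""
    results = []
    for match in URL_RE.finditer(text):
        url = trim_url(match.group(0))
        # hostname is lower-cased by urlsplit; drop a trailing root dot as well
        host = (urlsplit(url).hostname or "").rstrip(".")
        if host:
            results.append((url, host))
    return results

# Constructed sample modelled on the disclaimer described in the thread.
SAMPLE = ('For research see "http://publicresearch.barclays.com." '
          '(or https://example.com/wiki/Foo_(bar)).')

if __name__ == "__main__":
    for url, host in extract_urls(SAMPLE):
        print(url, host)
```

Without the trimming step, the first candidate keeps the `."` suffix and the hostname handed to the lookup is no longer the real domain.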
It's now possible to add a domain's URL detected by Check Point URL reputation to 'Allow-list Domains'. This will prevent the engine from sending everything from that domain for Check Point reputation cloud analysis. Open the event itself, click 'Allow-list Domains', tick the checkbox near the domain name, and click 'Update Domains' to apply.
To remove the domain from the Allowed domain list, un-tick the checkbox under the same event.
That's really good to hear, thank you. I am such a big fan of this product and how well it does its job - it's great to know these little extras (or some not so little) are all being worked on to make this product the very best of breed!
Do you happen to know what will happen if we whitelist a domain in this way but then an email comes 'forged' from this domain with, say, a bad SPF record? Would this whitelist method override that or do we check that the domain is genuine *before* parsing the whitelist?
Adding a domain to the Allowed domain list in the way described will result in email from that domain not being sent to the Check Point URL reputation engine; the second Anti-Phishing engine will still perform the SPF check.
👍