bcsw222
Explorer

Microsoft Attack Simulation URLs - Anti-Virus Blade Exceptions - DNS query Prevents

We're implementing Microsoft Attack Simulation training in my organization. 

The Anti-Virus blade on my gateway (R81.10) is preventing DNS queries to the Microsoft training URLs, so we need to create exceptions for them.

Microsoft has their list of Attack Simulation URLs used for phishing training published here:

Get started using Attack simulation training | Microsoft Learn


Reviewing similar threads, I see others have created a Site/Application with the list of URLs, and then created an Exception to their Threat Prevention policy with the Site/Application set as the Protection/Site/File/Blade. I did the same with no success:

Name: MSFT Attack Simulation Allow

Protected Scope: LAN

Protection/Site/File/Blade: MSFT_Attack_Simulation (Site/Application I created with list of URLs)

Action: Detect

Track: Log

Install On: gateway01


This did not work. DNS queries to these sites are still blocked. I noticed that under the Site/Application it does not list DNS under Services. It only lists http(s) and http(s)_proxy. I thought perhaps this may be why the exclusion is not working, since it's the DNS query being prevented (port 53) rather than the https connection (port 80/443).


Any guidance or advice from anyone who has accomplished this would be greatly appreciated. I can't imagine I'm the only person to have ever needed something like this for phishing training. 


I attached relevant screenshots to provide context for the information above. I'm happy to provide any additional information that may be helpful.

0 Kudos
4 Replies
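For a list the size of Microsoft's (130 entries that change over time), keeping the Site/Application object in sync by hand is the impractical part. The script below is an added example, not code from the thread or from Check Point: it builds the same two objects the post describes (a custom Site/Application holding the simulation domains, and a Threat Prevention exception pointing at it with Action Detect, Track Log, installed on the gateway) as Management API request bodies, and can send them through the standard `/web_api/` JSON endpoints. The management host, credentials, threat layer name, rule name and the `Custom_Application_Site` category are assumed placeholder values; the two sample domains are the ones named in the thread. It automates the configuration, it does not by itself answer whether that exception matches DNS traffic.

```python
"""Create a Site/Application from a domain list and a Threat Prevention
exception that references it, via the Check Point Management API.
Added example; endpoint names, object names and category are assumptions."""
import json
import ssl
import urllib.request

# Constructed sample input: the two domains named in the thread (one
# duplicated on purpose to show de-duplication). In practice this list is
# copied from Microsoft's published Attack Simulation URL page.
SIMULATION_DOMAINS = ["bankmenia.com", "attemplate.com", "attemplate.com"]


def build_application_site(name, domains):
    """Body for add-application-site: one custom Site/Application object whose
    URL list holds every simulation domain (plain URLs, not regular expressions)."""
    return {
        "name": name,
        "url-list": sorted(set(domains)),               # de-duplicated, stable order
        "urls-defined-as-regular-expression": False,
        "primary-category": "Custom_Application_Site",  # assumed category name
        "comments": "Microsoft Attack Simulation training domains",
    }


def build_threat_exception(name, layer, rule_name, site_name, scope, gateway):
    """Body for add-threat-exception with the fields the post set in SmartConsole
    (Protected Scope, Protection/Site, Action, Track, Install On). `layer` and
    `rule_name` identify the Threat Prevention rule the exception hangs off;
    the values passed from main() are placeholders."""
    return {
        "name": name,
        "layer": layer,
        "rule-name": rule_name,
        "protected-scope": [scope],
        "protection-or-site": [site_name],
        "action": "Detect",
        "track": "Log",
        "install-on": [gateway],
    }


def diff_url_list(current, published):
    """Compare the URL list already on the object with the newly published list.
    Returns (domains to add, domains that are no longer published)."""
    cur, pub = set(current), set(published)
    return sorted(pub - cur), sorted(cur - pub)


class MgmtClient:
    """Minimal Management API client: JSON over HTTPS, session id in X-chkp-sid."""

    def __init__(self, host, verify_tls=True):
        self.base = f"https://{host}/web_api/"
        self.sid = None
        self.ctx = ssl.create_default_context()
        if not verify_tls:  # only for a lab manager with a self-signed certificate
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def call(self, command, body):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        req = urllib.request.Request(self.base + command, data=json.dumps(body).encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.loads(resp.read())

    def login(self, user, password):
        self.sid = self.call("login", {"user": user, "password": password})["sid"]


def main():
    site = build_application_site("MSFT_Attack_Simulation", SIMULATION_DOMAINS)
    exc = build_threat_exception("MSFT Attack Simulation Allow", "Standard Threat Prevention",
                                 "Simulation traffic", site["name"], "LAN", "gateway01")
    # Dry run: print the request bodies for review before anything is sent.
    print(json.dumps(site, indent=2))
    print(json.dumps(exc, indent=2))
    # To apply (placeholder host and credentials):
    #   client = MgmtClient("mgmt.example.internal"); client.login("api-user", "secret")
    #   client.call("add-application-site", site)
    #   client.call("add-threat-exception", exc)
    #   client.call("publish", {}); client.call("logout", {})


if __name__ == "__main__":
    main()
```

The rule named in `rule_name` must already exist in the threat layer before the exception can be attached to it, and an object with the same name will be rejected on a second run; for updates, run `diff_url_list` against the existing object's `url-list` and send the changes with `set-application-site` instead of re-creating it. Keep the action at Detect, as in the post, so the simulation traffic is still logged even when it is no longer prevented.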
Tal_Paz-Fridman
Employee

Did you create the exception directly from the log (link called Add Exception... ) ? If not can you try to see if it helps?


0 Kudos
bcsw222
Explorer

This works for the specific protection name e.g. Phishing.TC.c7e9QTmL (see my log screenshot for reference), but it only applies to the one URL. For example, it works for attemplate.com, but not for bankmenia.com, as the protection name for bankmenia.com is different from attemplate.com.

Microsoft has 130 URLs they use for phishing simulation, so it wouldn't be practical to create an exception for the detection for every URL as they come up.

0 Kudos
bcsw222
Explorer

Do you happen to know if the protections are specific to this one detection?

e.g. Phishing.TC.c7e9QTmL = attemplate.com (log is attached)

To expand on that - if we created an exception from a log for Phishing.TC.c7e9QTmL and applied it to our network range - is the exclusion for Phishing.TC.c7e9QTmL going to be specific for attemplate.com? 


It seems like each site that gets flagged by the Anti-Virus blade has its own unique protection name. I was having a hard time finding confirmation on this.

0 Kudos
PhoneBoy
Admin

I suspect each of the domains will have its own TC protection.
I would think the exception policy you've created would also apply to DNS queries.
Might need a TAC case to investigate further: https://help.checkpoint.com 

0 Kudos
