HTTPS exception list updates

Hello,
Whenever a firmware is updated and Watchguard has decided to change something in the exception list, does it reflect in my custom HTTPS-Client.Standard proxy configuration or do I need to re-create my Proxy Action to incorporate the latest changes?

WG has a content inspection exception list PDF on the web, but it does not have a date nor firmware version. Adobe Reader states that it was created 12/2017 - when v12.1 was introduced. The latest 12.4.1 u1 firmware update states that the exception list has been updated regarding DNSWatch - but there was no mention of what addresses or regexp settings were added. Has this been the only exception list update since 12.1? (I'm not going to go through all the release notes)

Thanks.

Best Answer

Answers

  • Thank you for the clarification!

  • The exception for "*.cloudfront.net" allows downloads of executable files that normally would be blocked by one's HTTPS/DPI proxy. To me, that could be a MASSIVE risk if just anyone can use a cloudfront.net site to host files. What is there to stop malware writers from storing their ransomware files on cloudfront.net servers? Same thing for globally allowing all dropbox.com, etc., fie storage sites.

    Gregg

    Gregg Hill

    Firebox T15/T35-W
    Fireware 12.5 Update 1 build 599856
    WSM 12.5 build 596863
    ISP = Spectrum Cable 100 x 10 service
    Management computers: Win 8.1 Pro 64-bit, Win 10 Pro 64-bit, Server 2012 R2

  • You're right Gregg, there are plenty of hazards out there.

    Many businesses need to use Dropbox, Teams, Skype, Sharepoint, Adobe Cloud etc - services allowing file sharing or downloads, and I'm not in a position to just deny access to them.

    The end points should have their own AV (+TDR) and other solutions such as Software Restriction Policies and whatever security best practices are there. WG DPI is just another AV scan and can't guarantee 100% detection anyway.

  • Ville_H,

    Your "WG DPI is just another AV scan and can't guarantee 100% detection anyway" comment is incorrect. HTTPS with DPI can BLOCK executable file downloads, without any need to add a GAV scan to them, for sites that are not allowed. This one feature alone can stop drive-by downloads and stop users from downloading pretty little screen savers that are malware-packed. There have been times when completely legitimate remote access files (LogMeIn, etc.) have been downloaded by end users who got calls from fake "Microsoft support" people, then allowed those scammers onto their computers. A GAV scan or endpoint AV scan would not block those files, but an HTTPS/DPI scan WILL stop them if set to to do so, regardless of the file's content.

    Gregg

    Gregg Hill

    Firebox T15/T35-W
    Fireware 12.5 Update 1 build 599856
    WSM 12.5 build 596863
    ISP = Spectrum Cable 100 x 10 service
    Management computers: Win 8.1 Pro 64-bit, Win 10 Pro 64-bit, Server 2012 R2

  • Because of the concerns related to WG adding any web site, including with wild cards, to their global Inspect exclusion list, I have opened an enhancement post, for discussion on this topic:

    HTTPS Content Inspection Exception List Management
    https://community.watchguard.com/watchguard-community/discussion/270/https-content-inspection-exception-list-management

Sign In to comment.