Anti-Phishing Exceptions

The Anti-Phishing engine supports defining Allow-Lists and Block-Lists.

The Anti-Phishing engine stops scanning emails that match an Allow-List or Block-List rule. The Anti-Phishing verdict will automatically be clean (for Allow-List) or Phishing / Suspected Phishing / Spam (for Block-List).

Note - Emails in the Anti-Phishing Allow-List and Block-List are evaluated by other security engines, such as Anti-Malware and DLP.

Viewing Anti-Phishing Exceptions

To view the configured Allow-List or Block-List rules:

  1. Go to Security Settings > Exceptions > Anti-Phishing.

  2. In the drop-down from the top of the page, select the require exception type (Allow-List or  Block-List).

    The page shows a table with all the exceptions and the defined criteria.

    In the Anti-Phishing Allow-List table, the Affected emails column shows the number of emails flagged as phishing or spam by the Anti-Phishing engine but marked as clean because of the allow-list rule.

    Note - The numbers for each allow-list rule in the Affected emails column do not update in real time. It might take up to an hour for them to update.

Adding Anti-Phishing Exceptions (Allow-List or Block-List Rule)

You can add Allow-List or Block-List rule from any of these:

  • From the Mail Explorer (see Creating Allow-List and Block-List Rule)

Interaction between Check Point Allow-List and Microsoft 365 Allow-List

Administrators can configure whether allow-lists defined in Check Point will affect email enforcement by Microsoft, and vice versa.

To customize this interaction:

  1. Click Security Settings > Security Engines.

  2. Click Configure for Anti-Phishing.

  3. Scroll-down to Allow-List Settings and select the required settings.

    For more information, see Overriding Microsoft / Google sending emails to Junk folder and Applying Microsoft Allow-List also to Check Point.

  4. Click Save.

Overriding Microsoft / Google sending emails to Junk folder

When an email is allow-listed by Check Point, administrators can ensure that it is not delivered to the Junk folder by Microsoft / Google. To do that:

  1. Click Security Settings > Security Engines.

  2. Click Configure for Anti-Phishing.

  3. Scroll-down to Allow-List Settings and select the Allow-List emails that are allow-listed by Check Point also in Microsoft/Google checkbox.

  4. Click Save.

Note - This setting applies only when the email is processed by a Threat Detection policy in Prevent (Inline) protection mode.

Applying Microsoft Allow-List also to Check Point

Administrators can choose to treat every email that is allow-listed by Microsoft (SCL=-1) as allow-listed by Check Point as well. To do that:

  1. Click Security Settings > Security Engines.

  2. Click Configure for Anti-Phishing.

  3. Scroll-down to Allow-List Settings and select the Allow-List emails that are allow-listed in Microsoft (SCL = -1) also in Check Point checkbox.

  4. Click Save.

Importing Allow-List or Block-List from External Sources

For various use-cases, predominantly migrating from a legacy solution to Harmony Email & Collaboration, you might need to import a large number of items to the Allow-List or Block-List.

To import Allow-List or Block-List, contact Check Point Support.

Deleting Anti-Phishing Exceptions

To delete the Anti-Phishing Allow-List or Block-List:

  1. Go to Security Settings > Exceptions > Anti-Phishing.

  2. In the drop-down from the top of the page, select the require exception type (Allow-List or  Block-List).

  3. Select the exception(s) you want to delete.

  4. Click Actions from the top-right corner of the page and select Delete.

  5. In the confirmation pop-up that appears, click OK.