Anti-Phishing Exceptions

The Anti-Phishing engine supports defining Allow-Lists and Block-Lists.

The Anti-Phishing engine stops scanning emails that match an Allow-List or Block-List rule. The Anti-Phishing verdict will automatically be clean (for Allow-List) or Phishing / Suspected Phishing / Spam (for Block-List).

Note - Emails in the Anti-Phishing Allow-List and Block-List are evaluated by other security engines, such as Anti-Malware and DLP.

Viewing Anti-Phishing Exceptions

To view the configured Allow-List or Block-List rules:

  1. Go to Security Settings > Exceptions > Anti-Phishing.

  2. In the drop-down from the top of the page, select the require exception type (Allow-List or  Block-List).

    The page shows a table with all the exceptions and the defined criteria.

    In the Anti-Phishing Allow-List table, the Affected emails column shows the number of emails flagged as phishing or spam by the Anti-Phishing engine but marked as clean because of the allow-list rule.

    Note - The numbers for each allow-list rule in the Affected emails column do not update in real time. It might take up to an hour for them to update.

Adding Anti-Phishing Exceptions (Allow-List or Block-List Rule)

You can add Allow-List or Block-List rule from any of these:

    1. Go to Security Settings > Exceptions > Anti-Phishing.

    2. In the drop-down from the top of the page, select the require exception type (Allow-List or  Block-List).

    3. Under Filters, define the criteria for filtering the emails, and click Search.

    4. After refining the email criteria, click Create Allow-List Rule to create a allow-list rule or Create Block-List Rule to create a block-list rule.

    5. If required, enter a description for the rule in the Comment field and click OK.

  • From the Mail Explorer (see Creating Allow-List and Block-List Rule)

    1. Open the required email profile.

    2. Under Security Stack, select Similar Emails / Create Rules.

    3. Under Filters, define the criteria for filtering the emails, and click Search.

    4. After refining the email criteria, click Create Allow-List Rule to create a allow-list rule or Create Block-List Rule to create a block-list rule.

    5. If required, enter a description for the rule in the Comment field and click OK.

While refining the criteria for creating Allow-List or Block-List, you can use these filters.

Filter Name

Description

Date Received

Events in the last year, month, week, day, or hour.

Also, using Range, you can choose to select the emails on a specific date and time.

Quarantine State

Select the events based on these quarantine states.

  • Quarantined

  • Non Quarantined

  • Display All

Recipients

Emails that contain a specific recipient or a recipient that match a specific term.

Subject

Emails that match a specific subject.

Sender Name

Emails from a specific sender.

Sender Domain

Emails from a specific domain.

Sender Email

Emails from a specific email address.

Client Sender IP

Emails from a specific client and IP address.

Server IP

Emails from a specific server IP address.

Links in body

Emails that has links to external resources in the body of the email.

Attachments MD5

Emails that has attachments with specific MD5.

Headers

Emails that contain specified headers.

Note - You can use the Headers field to create an Allow-List or Block-List, but you can not filter the emails based on headers.

Interaction between Check Point Allow-List and Microsoft 365 Allow-List

Administrators can configure whether allow-lists defined in Check Point will affect email enforcement by Microsoft, and vice versa.

To customize this interaction:

  1. Click Security Settings > Security Engines.

  2. Click Configure for Anti-Phishing.

  3. Scroll-down to Allow-List Settings and select the required settings.

    For more information, see Overriding Microsoft / Google sending emails to Junk folder and Applying Microsoft Allow-List also to Check Point.

  4. Click Save.

Overriding Microsoft / Google sending emails to Junk folder

When an email is allow-listed by Check Point, administrators can ensure that it is not delivered to the Junk folder by Microsoft / Google. To do that:

  1. Click Security Settings > Security Engines.

  2. Click Configure for Anti-Phishing.

  3. Scroll-down to Allow-List Settings and select the Allow-List emails that are allow-listed by Check Point also in Microsoft/Google checkbox.

  4. Click Save.

Note - This setting applies only when the email is processed by a Threat Detection policy in Prevent (Inline) protection mode.

Applying Microsoft Allow-List also to Check Point

Administrators can choose to treat every email that is allow-listed by Microsoft (SCL=-1) as allow-listed by Check Point as well. To do that:

  1. Click Security Settings > Security Engines.

  2. Click Configure for Anti-Phishing.

  3. Scroll-down to Allow-List Settings and select the Allow-List emails that are allow-listed in Microsoft (SCL = -1) also in Check Point checkbox.

  4. Click Save.

Importing Allow-List or Block-List from External Sources

For various use-cases, predominantly migrating from a legacy solution to Harmony Email & Collaboration, you might need to import a large number of items to the Allow-List or Block-List.

To import Allow-List or Block-List, contact Check Point Support.

Deleting Anti-Phishing Exceptions

To delete the Anti-Phishing Allow-List or Block-List:

  1. Go to Security Settings > Exceptions > Anti-Phishing.

  2. In the drop-down from the top of the page, select the require exception type (Allow-List or  Block-List).

  3. Select the exception(s) you want to delete.

  4. Click Actions from the top-right corner of the page and select Delete.

  5. In the confirmation pop-up that appears, click OK.