Anti-Phishing Exceptions
The Anti-Phishing engine supports defining Allow-Lists and Block-Lists.
The Anti-Phishing engine stops scanning emails that match an Allow-List or Block-List rule. The Anti-Phishing verdict will automatically be clean (for Allow-List) or Phishing / Suspected Phishing / Spam (for Block-List).
Note - Emails in the Anti-Phishing Allow-List and Block-List are evaluated by other security engines, such as Anti-Malware and DLP.
Viewing Anti-Phishing Exceptions
To view the configured Allow-List or Block-List rules:
- Go to Security Settings > Exceptions > Anti-Phishing.
- In the drop-down from the top of the page, select the required exception type (Allow-List or Block-List).
The page shows a table with all the exceptions and the defined criteria.
In the Anti-Phishing Allow-List table, the Affected emails column shows the number of emails flagged as phishing or spam by the Anti-Phishing engine but marked as clean because of the allow-list rule.
Note - The numbers for each allow-list rule in the Affected emails column do not update in real time. It might take up to an hour for them to update.
Adding Anti-Phishing Exceptions (Allow-List or Block-List Rule)
You can add an Allow-List or Block-List rule from any of these:
- From the Anti-Phishing Exceptions
  - Go to Security Settings > Exceptions > Anti-Phishing.
  - In the drop-down from the top of the page, select the required exception type (Allow-List or Block-List).
  - Under Filters, define the criteria for filtering the emails, and click Search.
  - After refining the email criteria, click Create Allow-List Rule to create an allow-list rule or Create Block-List Rule to create a block-list rule.
  - If required, enter a description for the rule in the Comment field and click OK.
- From the Mail Explorer (see Creating Allow-List and Block-List Rule)
- From the email profile page
  - Open the required email profile.
  - Under Security Stack, select Similar Emails / Create Rules.
  - Under Filters, define the criteria for filtering the emails, and click Search.
  - After refining the email criteria, click Create Allow-List Rule to create an allow-list rule or Create Block-List Rule to create a block-list rule.
  - If required, enter a description for the rule in the Comment field and click OK.
While refining the criteria for creating an Allow-List or Block-List rule, you can use these filters:

| Filter Name | Description |
|---|---|
| Date Received | Events in the last year, month, week, day, or hour. Also, using Range, you can choose to select the emails on a specific date and time. |
| Quarantine State | Select the events based on these quarantine states. |
| Recipients | Emails that contain a specific recipient or a recipient that matches a specific term. |
| Subject | Emails that match a specific subject. |
| Sender Name | Emails from a specific sender. |
| Sender Domain | Emails from a specific domain. |
| Sender Email | Emails from a specific email address. |
| Client Sender IP | Emails from a specific client and IP address. |
| Server IP | Emails from a specific server IP address. |
| Links in body | Emails that have links to external resources in the body of the email. |
| Attachments MD5 | Emails that have attachments with a specific MD5. |
| Headers | Emails that contain specified headers. |

Interaction between Check Point Allow-List and Microsoft 365 Allow-List
Administrators can configure whether allow-lists defined in Check Point will affect email enforcement by Microsoft, and vice versa.
To customize this interaction:
- Click Security Settings > Security Engines.
- Click Configure for Anti-Phishing.
- Scroll down to Allow-List Settings and select the required settings.
  For more information, see Overriding Microsoft / Google sending emails to Junk folder and Applying Microsoft Allow-List also to Check Point.
- Click Save.
Overriding Microsoft / Google sending emails to Junk folder
When an email is allow-listed by Check Point, administrators can ensure that it is not delivered to the Junk folder by Microsoft / Google. To do that:
- Click Security Settings > Security Engines.
- Click Configure for Anti-Phishing.
- Scroll down to Allow-List Settings and select the Allow-List emails that are allow-listed by Check Point also in Microsoft/Google checkbox.
- Click Save.

Note - This setting applies only when the email is processed by a Threat Detection policy in Prevent (Inline) protection mode.
Applying Microsoft Allow-List also to Check Point
Administrators can choose to treat every email that is allow-listed by Microsoft (SCL=-1) as allow-listed by Check Point as well. To do that:
- Click Security Settings > Security Engines.
- Click Configure for Anti-Phishing.
- Scroll down to Allow-List Settings and select the Allow-List emails that are allow-listed in Microsoft (SCL = -1) also in Check Point checkbox.
- Click Save.
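Before enabling this setting, it helps to know which messages Microsoft is already stamping with SCL=-1 and why. The following is an added example, not Check Point or Microsoft code: it reads Microsoft's X-Forefront-Antispam-Report header (SCL and SFV fields) and the Authentication-Results header from exported messages, and flags allow-listed mail whose SPF, DKIM or DMARC result is not "pass". The sample messages are constructed and the function names are hypothetical.

```python
import email
import re
from email import policy

# SFV codes Microsoft documents for mail that skipped spam filtering.
SFV_REASONS = {
    "SKN": "safe-listed before filtering, e.g. by a mail flow rule",
    "SKA": "allowed sender or domain in an anti-spam policy",
    "SFE": "sender on the recipient's Safe Senders list",
    "SKI": "intra-organization message",
}

def parse_report(value):
    """Parse the 'KEY:value;KEY:value;' pairs of X-Forefront-Antispam-Report."""
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition(":")
        if sep:
            fields[key.upper()] = val.strip()
    return fields

def audit_message(raw):
    """Return a finding for a message stamped SCL=-1, otherwise None."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = parse_report(str(msg.get("X-Forefront-Antispam-Report", "")))
    if report.get("SCL") != "-1":
        return None
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    results = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth.lower())
    not_passing = sorted({m for m, r in results if r != "pass"})
    return {
        "from": str(msg.get("From", "")),
        "reason": SFV_REASONS.get(report.get("SFV", ""), "unknown"),
        "not_passing": not_passing,
        "review": bool(not_passing),  # allow-listed although authentication did not pass
    }

# Constructed sample messages (not real traffic).
SAMPLES = [
    "From: Billing <billing@vendor.example>\n"
    "Authentication-Results: spf=fail smtp.mailfrom=vendor.example; dkim=none; dmarc=fail\n"
    "X-Forefront-Antispam-Report: CIP:203.0.113.7;SCL:-1;SFV:SKA;\n\nbody\n",
    "From: HR <hr@corp.example>\n"
    "Authentication-Results: spf=pass smtp.mailfrom=corp.example; dkim=pass; dmarc=pass\n"
    "X-Forefront-Antispam-Report: SCL:-1;SFV:SKI;\n\nbody\n",
    "From: Promo <promo@bulk.example>\n"
    "X-Forefront-Antispam-Report: SCL:5;SFV:SPM;\n\nbody\n",
]
```

Messages returned with `review` set to True are the ones a Microsoft allow-list entry would also carry past the Anti-Phishing engine once the checkbox is selected, so those entries are worth tightening first.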
Importing Allow-List or Block-List from External Sources
For various use-cases, predominantly migrating from a legacy solution to Harmony Email & Collaboration, you might need to import a large number of items to the Allow-List or Block-List.
To import Allow-List or Block-List, contact Check Point Support.
Deleting Anti-Phishing Exceptions
To delete the Anti-Phishing Allow-List or Block-List:
- Go to Security Settings > Exceptions > Anti-Phishing.
- In the drop-down from the top of the page, select the required exception type (Allow-List or Block-List).
- Select the exception(s) you want to delete.
- Click Actions from the top-right corner of the page and select Delete.
- In the confirmation pop-up that appears, click OK.