1048 Views 7 Replies Latest reply: Jun 20, 2013 11:51 AM by Brad McGarr
frankm Apprentice 62 posts since
Jan 10, 2013

Jun 8, 2013 3:01 PM

Allow Lists - Org vs. ClickProtect

Just need to verify that when ClickProtect policies are enabled, they override the organizational allow lists? We have a few clients that were a bit annoyed that when they had entries in their org allowed list, that the ClickProtect policies took precedence. I would tend to agree, unless I missed it, I could not find anything in the admin guide on this priority sequence.

  • Brad McGarr McAfee Employee 154 posts since
    Dec 4, 2012
    1. Jun 17, 2013 10:44 AM (in response to frankm)
    Re: Allow Lists - Org vs. ClickProtect

    Frank,

    ClickProtect has its own allow list entry for exempting items from being affected by ClickProtect. The sender allow list is designed to only affect Spam and Content filtering, in order to prevent the allow list entry from being exploited to deliver attachments that violate corporate policies, or URLs that can link to virus payloads or phishing sites.


    Brad McGarr
    McAfee SaaS Email & Web Protection
    Technical Support Technician I (Legacy & Partner Support)
    Microsoft Certified Professional
    Microsoft Technology Associate - Windows OS | CompTIA A+ Certified Technician | CIW Web Foundations Associate
    Visit my blog: Brad's Corner - Insights from SaaS Email & Web Security Support https://community.mcafee.com/blogs/brad-denver

  • Brad McGarr McAfee Employee 154 posts since
    Dec 4, 2012
    3. Jun 19, 2013 10:51 AM (in response to frankm)
    Re: Allow Lists - Org vs. ClickProtect

    The help documentation for the Sender Allow list states that it exempts senders from content and spam filtering, and the help file for the click protect allow list tab specifies that the allow list is for URLs that should always be allowed. The ClickProtect sender allow does not take precedence over the sender allow list, because the sender allow list only exempts messages from content and spam policies. Any other of the policy tabs, virus, attachment, click protect, email authentication, are not affected by the sender allow list.


    Brad McGarr
  • Brad McGarr McAfee Employee 154 posts since
    Dec 4, 2012
    5. Jun 20, 2013 10:36 AM (in response to frankm)
    Re: Allow Lists - Org vs. ClickProtect

    Frank,

    The ClickProtect allow list looks only at URLs, not the sender. Each URL would have to be allow listed.

    The reason for this is that "trusted" senders also send out malicious mail, or are spoofed. Because SPF records are not always accurate (and can be spoofed as well), and DKIM is not widely adopted, the vast majority of Allow List entries are domain only, and are very often the cause of spoofed spam and malicious mail being delivered. Just this week we have seen messages spoofing Wellsfargo.com, and several customers allow listed that domain and had ClickProtect turned off, and had no SPF Record Validation, SPF Enforcement, or DKIM Enforcement in place. The result? End users received phishing mail. Our job is to limit the potential security risks. A phishing email delivered or an executable that isn't a virus itself but connects to a remote server and downloads a virus payload are security risks that hurt businesses, hurt our reputation (because the question becomes why didn't we stop it... even though the allow list is the reason), create more spam problems which hurts our customer's reputation online, compromise information of our client's customers, etc.


    We understand that some customers would want a "deliver no matter what, except attached virus" list. It's tempting to do so. Until that trusted sender is compromised and blasts out thousands of phishing emails or virus payload links, or is the subject of a spoof attack that exploits allow list entries and is now spending man hours removing viruses from their LAN, repairing their IP reputation with hundreds of black list providers, contacting customers about stolen data, and generally having business come to a halt. A situation that happens all too often.

    The SaaS Product is designed to be able to protect against those kinds of threats. If a trusted sender is sending low-risk links, and ClickProtect is set to just pass those clicks on, then the negative impact will be minimal. If a trusted sender is sending attachments that violate an organization's policy, discussions can be made as to why those attachments are being sent and if perhaps another method is available (e.g. SFTP, Online File Transfer, etc.). With thoughtful configuration and routine review of policies, an organization can achieve their goals without relying on unsecure methods such as absolute allow lists.


    Brad McGarr
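Added example, not part of the thread and not McAfee's code: a Python sketch of the precedence described in the replies above, where a sender allow entry skips only spam and content filtering, ClickProtect exemptions are per URL, and domain-only sender entries are flagged when neither SPF nor DKIM enforcement is on. All function names, filter labels and sample data are constructed, and matching URLs by host name is an assumption of this sketch.

```python
import re
from urllib.parse import urlsplit

# Filter names follow the policy tabs named in the thread (constructed labels).
ALL_FILTERS = ["spam", "content", "virus", "attachment", "clickprotect", "email_auth"]
SENDER_ALLOW_EXEMPTS = {"spam", "content"}   # all a sender allow entry skips
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def sender_allowed(sender, sender_allow):
    """True if the full address or its domain is on the sender allow list."""
    sender = sender.lower()
    return sender in sender_allow or sender.rpartition("@")[2] in sender_allow

def filters_applied(sender, sender_allow):
    """Filters that still run on a message from this sender."""
    if sender_allowed(sender, sender_allow):
        return [f for f in ALL_FILTERS if f not in SENDER_ALLOW_EXEMPTS]
    return list(ALL_FILTERS)

def urls_still_protected(body, url_allow):
    """URLs ClickProtect still handles: exempted per URL, never per sender.
    Matching on host name is this sketch's simplification."""
    return [u for u in URL_RE.findall(body)
            if (urlsplit(u).hostname or "").lower() not in url_allow]

def spoofable_entries(sender_allow, spf_enforced, dkim_enforced):
    """Domain-only sender entries with no sender authentication behind them."""
    if spf_enforced or dkim_enforced:
        return []
    return sorted(e for e in sender_allow if "@" not in e)

# Constructed sample data (reserved .example names).
SENDER_ALLOW = {"partner.example", "ceo@client.example"}
URL_ALLOW = {"portal.partner.example"}
BODY = ("Invoice: https://portal.partner.example/inv/42 "
        "mirror: http://files.other.example/inv42")

if __name__ == "__main__":
    print(filters_applied("billing@partner.example", SENDER_ALLOW))
    print(urls_still_protected(BODY, URL_ALLOW))
    print(spoofable_entries(SENDER_ALLOW, spf_enforced=False, dkim_enforced=False))
```
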
  • Brad McGarr McAfee Employee 154 posts since
    Dec 4, 2012
    7. Jun 20, 2013 11:51 AM (in response to frankm)
    Re: Allow Lists - Org vs. ClickProtect

    Exactly, Frank! These guys are getting trickier and trickier, and as people become more tuned to what is 'obvious' spam, they're finding new ways to deliver their scams, their attacks, and all of the other garbage. It's a never ending race we're all in, and quite often it requires painting the big picture to admins and users that 10 minutes of annoyance today is better than 80 hours of panic and hard work later. Because a successful attack is not about "IF", but "WHEN". At some point a phishing email will be successful and gain credentials to a company's proprietary documents via a well-meaning user. At some point a virus payload will be installed by accident. Mitigating disaster to the best of our abilities takes resolve, constant observance, practice, compliance, but above all, resisting the temptation to take the easy road now.

    It's something I've learned from years in Disaster Relief with the Red Cross, training in my local Community Emergency Response Team, and time spent as a support volunteer for a fire department. Just as an example, the folks who get to come back to their homes after a wildfire are those who planned ahead, took the steps needed to minimize and mitigate loss, planned for the inevitable evacuation, protected their assets, and swallowed the occasional bitter pill (such as cutting down a tree too close to the house, removing the aesthetic value in favor of defensible space). The same is true with computer security. The occasional annoyance versus deep business impact recovering from a security compromise. The tree in the yard, or the house after a wildfire.


    Brad McGarr
