This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Time to Click Blocks Almost all URLs

Is anyone else having issues with Time to Click blocking most all URL links as "Blocked Request:  Page contains malicious content".  When in fact there is no malicious contact.

This is affecting our business.  It is also in-realistic for the IT department to white list every legitimate email URL.

What weird is we have Sophos XG and the default workplace policy doesn't block the URL.

 

How do the rest of you deal with this issue?



This thread was automatically locked due to age.
Parents
  • We are having the same problem. The only solution appears to be a massive Whitelist, but the same problem exists here on that one, too; it is not realistic to try to whitelist that much of the unknown.

    Unless Sophos could provide us something from their arsenal? A good general list would probably be a great start- I would imagine Sophos has lists in the thousands of many categories.

    A feature request might be to allow more granular configuration of the Click Protection feature like - block only known bad links, all others are not modified.

  • I have had a support ticket open for over 4 days now on this issue and no reply.

    I had a user yesterday tell me that "Time to Click" blocked the Microsoft URL links in an email that was received from Microsoft.

     

  • I submitted a support ticket and received a response in the matter- basically what I am getting is with Click Protection All URLs are replaced, minus your whitelists and exceptions, or the feature is disabled.

    In case you missed some of the settings I pointed them out below (no, I don't work for Sophos). They might work enough for you but they were not enough for my situation (there's just too much internet out there to filter):

    -On the Click Protection rule(s) make sure to check the box "Do Not Re-Write Whitelisted URLs" under "Rule Config". (This probably burned your Microsoft link, even though it is a safe site it still gets a redirected URL until you whitelist and check this box or exclude the sender)
    -Also on the click protection rule(s), make sure the settings for different risk levels have different actions associated- like Block, Allow, Allow and Warn. You may just have everything blocked, but need to set this to "Allow" or "Allow and Warn" for Medium, Low, and Unverified- even 'safe' links that are not whitelisted are replaced by the appliance. Keep in mind, any URL replaced by the appliance is only accessible internally; this burned me already too. There is a workaround, I am told, but it did not sound appealing to me either.
    -I was able to add URLs to the whitelisted URLs under Configuration> Allow/Block Lists> Whitelist URLs. Any URLs that referenced these domains were not replaced, regardless the senders.
    -Additionally, senders and/or their domains were able to be whitelisted per the Click Protection rule (Select Users> Exclude Sender). I was able to add the exception for *@domain.com (for my domain) and allow links internally.

    This was the best I could do, but I was not able to produce a realistic white list. There is too much internet and too many email domains to try to define. I can't (and won't) follow my users around all day one at a time and whitelist their contacts, their contacts contacts, their contacts' websites, and their contacts' contacts' websites.(And their fathers' fathers' father's father....)

    The feature is just not Granular enough for us yet. I enabled this configuration in response to an influx of bad URLs being sent to my users (and a few viruses as a result) and ultimately spent a Saturday testing and removing this configuration. It would be really great if I could apply the same blacklist Sophos uses to identify dangerous/bad links, but not replace the rest of the URLs. Yes, that does leave an opening and run some risk, but not nearly as much risk as completely unprotected.

  • Just a side note: This might be something the "Sandstorm" feature is able to help with- basically a sandbox for your email appliance to detonate links and attachments. Sorry I can't speak on that module, the info I can find so far is extremely vague.

    Not a good time for me to test things right now, but maybe an upcoming project.

  • Time to Click re-write is hit and miss.  Some URLs never get re-written and the are toxic.  Sometime even the Sophos URL do and some don't.  The notification email for this thread got re-written.

    I really don't want to start poking a stick at SEA when there is so much works and don't works for Time to Click.

  • FYI I have a case open with Sophos Support since the 22nd of August and on the 6th of September i have a known issue SEA-805 for the time-of-click completely not working on my SEA (500 internal server error on every url)

    Since then (more than 4 months now) I've been requesting updates and the only answer I get is "wait for release 4.2.1.0 which does not have yet a delivery date."

    Surprisingly the support indicate a real professional workaround which is "disable time-of-click and monitor the SEA rss blog feed for new releases in the future"

Reply
  • FYI I have a case open with Sophos Support since the 22nd of August and on the 6th of September i have a known issue SEA-805 for the time-of-click completely not working on my SEA (500 internal server error on every url)

    Since then (more than 4 months now) I've been requesting updates and the only answer I get is "wait for release 4.2.1.0 which does not have yet a delivery date."

    Surprisingly the support indicate a real professional workaround which is "disable time-of-click and monitor the SEA rss blog feed for new releases in the future"

Children
  • Massimo,

    I have seen many users complaining about Time Of Click and even on my SEA installation, T-o-C is not working as expected. The ETA for 4.2.1 is not established yet.

    Time of Click protecion is a feature that we need and must work out of a box as other vendors do.

    Let's hope the new release will come soon and it works!

    Thanks

  • Hello Everybody,

     

    I'm testing the T-o-C and it isn't working. Always get a "502 bad gateway --- nginx". Is there an update on this request?

     

    Thanks everybody for your help.

     

    Regards,

     

    Jose