Sophos Central Firewall Manager (CFM) maintenance scheduled for Wednesday, July 8th starting at 06:30 GMT. Expected time to complete is 5 hours. Partners will be unable to access CFM during this period.

Why "*.discordapp.com" is on the Managed TLS Exclusion List on v18?

Hi,

 

Nowadays there's lot's of malware going through discord, I would like to know why "discordapp[.]com" is on the Managed TLS Exclusion List.

Currently the DPI Engine of v18 is capable of fully decrypting the connection, of course with the XG CA installed on the machine, so It doesn't make sense having it on the exclusion list. Can we at least be able to edit that list?

 

Here's an example of a malware being sent over discord:

Be careful opening this link, It has been identified as "Troj/Bbindi-W".

https :// cdn [.] discordapp [.] com/attachments/ 14836703273025566/ 714838662537281616/ nexo.exe

 

Since the domain has on the exclusion list, the malware passed through XG without any issue, there has already a SSL/TLS Decrypt Rule in place over the machine that accessed this domain.

 

Thanks!

  • In reply to Keyur:

    Hi ,

     

    The issue here isn't the SSL/TLS Inspection itself, I would just like to know why discord is on the list made by the own Sophos development team.

    As stated on the docs you sent, "Managed TLS exclusion list: The list contains websites known to be incompatible with SSL/TLS inspection and is updated through firmware updates."

    The problem here, there is no way to edit that list. Currently the own discord application for Windows/Linux/Mac supports being mitm and decrypted by XG, of course only if you have the CA installed on the desired machine.

     

    Removing the "Managed TLS Exclusion List" from the first and default rule inside the SSL/TLS Inspection tab solves the discord issue, but at the same time all the other's domain's that were on the list won't be applied anymore on the action "Don't Decrypt". Example:

    I've already have setup the decryption rules on the machines that already have the XG CA imported on it.

    And while opening the discord application, I can see all connections being decrypted inside the XG log viewer.

     

    Thanks!

  • In reply to Prism:

    It's probably on the list as when Sophos have been testing they found issues with the description of discord - so to avoid any issues with customers they have had to exclude it from the TLS/SSL side of things.

     

    Problem with discord is that there is no particular IP / Server ranges to exclude apart from the TLD - so it is what it is.

     

    The App may work on Windows - of Android and iPhones....it does not with MITM style attacks.

  • In reply to BLS:

    Thanks for the answer.

    Interesting enough, It's been working flawless on Windows/Linux in here.

     

    About the Android/IOS, it's another issue unrelated to the currently one I've asked on this thread. Pretty much all applications on both of them dislikes being MITM. Which is expected.

     

    Thanks!

  • In reply to Prism:

    That's because most of the time windows apps pay attention to the additional user installed CAs - which is what's required to do the TLS decryption as you know.

     

    iOS devices work differently, and the apps tend to only pay attention to the system installed FAs - which can be very annoying in MITM situations such as proxy scanners.

     

    Some apps don't even pay attention to the proxy settings - but interestingly some that don't look at the CA when accessing sites decrypted by the XG, will do so when they access the system using a proxy server...

  • Hi together,

    I ended up in removing the managed list from the exclusions and build my own specific ones, one for Apple or MS as they contain many domains and the standard local exclusion list for some specific domains/apps etc. which can easily be done in the log viewer.

    These are the reasons for my decision:

    - The managed list contains many world-wide domains and services I will never ever use. The list will grow continuously and probably adds an overhead in terms of performance.

    - There are already some examples in the list that don't make sense, e.g. apple.com is excluded which will contain all subdomains anyway. But some *.apple.com subdomains were added to the list as well... (?)

    - As your example with discord shows: The list is sometimes not really necessary. E.g. I haven't noticed any problems using adobe, citrix, vmware or aws, yet - although the list would exclude them.

    - I'm simply interested in this stuff from a security and web architecture perspective and as long as this is manageable with little time I happy with it.

    Best Regards

    Dom

  • In reply to Dom Nik:

    Apple introduce and remove so many sub-domains under the .apple.com FQDN that it's impossible not to exclude the whole thing - as they have new services, new update servers go love, some get removed, it's hard to keep track.

  • In reply to Dom Nik:

    The overall reason for having a "Managed Exclusion List" that is not editable by users is that Sophos can add and remove items from that list without overwriting anything that an admin has done.  If we make the list editable and an admin changes it, then we update the list it would overwrite those changes.

    But you don't need to use it.  Just disable the rule and do it yourself.  You can also copy the list of entries to a text file, eliminate the ones you don't want, create a new URL group and a new rule for your own self-managed list.

    Also remember that in addition to TLS exclusions there are Web Exceptions which can turn off HTTPS scanning.

     

    Dom Nik

    These are the reasons for my decision:

    - The managed list contains many world-wide domains and services I will never ever use. The list will grow continuously and probably adds an overhead in terms of performance.

     

    I understand the concern - if you don't use xyz service then you don't care if it doesn't work due to decryption and maybe would rather it didn't.  It potentially adds future IT work if you decide to use it later.

    As for performance, I've personally done tested TLS exclusions lists of 10,000 URLs and the impact on performance is negligible.

    - As your example with discord shows: The list is sometimes not really necessary. E.g. I haven't noticed any problems using adobe, citrix, vmware or aws, yet - although the list would exclude them.

    I believe the list was created weighing the number of failures (clients that don't support) as well as the risk (likelihood of malware) and performance (the more that isn't decrypted the faster things are).  There is a risk matrix so some things might be added due to low risk rather than problems.  For example, we have always had an exception to https scanning and av scanning for microsoft.com because the risk is low.  If, for exa

    - I'm simply interested in this stuff from a security and web architecture perspective and as long as this is manageable with little time I happy with it.

    There are some "set and forget" and some "ooohhh! more buttons and knobs to play with" admins.  I am also someone interested in this stuff, so I'm lucky I get to work in it.