This is more of an FYI than a question, but I would like to request that FQDN be added to "REMOTE ADDRESS" in Windows isolation, and that the documentation be updated for Windows isolation exceptions.
Windows Isolation Exceptions. Requirements. Direction and Port. Sophos words: You must set at least one of the direction, port or address options.
TeamViewer IPs. Link - Not complete/update: www.teamviewer.com/.../
TV recommendations - Whitelist FQDN *.teamviewer.com
Since Sophos isolation it's not possible to use FQDN, you can only use IPv4, IPv6 or CIDR in the remote address section.
Link to subdomains search report *.router.teamviewer.com - This is a way to add it. https://subdomains.whoisxmlapi.com/lookup-report/mwkWKqZPkK
Noted: Since TCP uses HighPort (random) from the link below, that you can leave one port BLANK, or an address. This is not listed in the Isolation Documentation btw.
Deal with IPS alerts - Sophos Central Admin
Most TCP connections have a random port number as their origin port. We recommend that you use a local port and add specific protocols (such as RDP (3389) or HTTP (80) traffic) to your allow list.
For example, to allow RDP connections from the administrator’s computer of 10.10.10.15 to other computers, use the following settings:
* one local or remote REQUIRED
Conclusion - Since TeamViewer IPs are not up to date, and Sophos doesn't allow FQDN, the only rule you can add for TeamViewer is the following (unless you allow LAN connection locally, then you would need a remote address, e.g. 10.10.0.0/16).
References: EDR: Instructions Device Isolation on Sophos Central. – Techbast
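An added example, not part of the original post and not Sophos or TeamViewer code: one way to turn a list of hostnames into values the remote address field accepts (IPv4, IPv6 or CIDR), merging adjacent addresses into CIDR blocks. The hostnames and addresses in the sample data are constructed, and the function names are hypothetical.

```python
import ipaddress
import socket

def resolve(hostname):
    """Return the set of IP strings a hostname resolves to at this moment."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def is_valid_remote_address(value):
    """True only for IPv4, IPv6 or CIDR notation; FQDNs and wildcards fail."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def remote_address_entries(hostnames, resolver=resolve):
    """Resolve hostnames and collapse the results into the fewest IP/CIDR entries.

    Returns (entries, failed): entries are strings for the remote address
    field, failed lists hostnames that did not resolve and need a manual look.
    """
    nets = {4: [], 6: []}
    failed = []
    for name in hostnames:
        try:
            addresses = resolver(name)
        except OSError:  # socket.gaierror is a subclass of OSError
            failed.append(name)
            continue
        for text in addresses:
            ip = ipaddress.ip_address(text)
            nets[ip.version].append(ipaddress.ip_network(ip))
    merged = list(ipaddress.collapse_addresses(nets[4]))
    merged += list(ipaddress.collapse_addresses(nets[6]))
    entries = [str(n.network_address) if n.num_addresses == 1 else str(n)
               for n in merged]
    return entries, failed

# Constructed sample data (documentation address ranges), used offline
# in place of live DNS answers.
SAMPLE_DNS = {
    "router1.example.test": {"198.51.100.4", "2001:db8::1"},
    "router2.example.test": {"198.51.100.5"},
    "router3.example.test": {"203.0.113.10", "198.51.100.4"},
}

def constructed_resolver(hostname):
    """Stand-in resolver over SAMPLE_DNS; unknown names fail like real DNS."""
    if hostname not in SAMPLE_DNS:
        raise socket.gaierror("constructed: name not found")
    return SAMPLE_DNS[hostname]
```

DNS answers change over time, so a list built this way has to be regenerated and compared against the entries already in the exception rule.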