
Why is "*.discordapp.com" on the Managed TLS Exclusion List in v18?

Hi,


Nowadays there's lots of malware going through Discord, so I would like to know why "discordapp[.]com" is on the Managed TLS Exclusion List.

Currently the DPI engine of v18 is capable of fully decrypting the connection (with the XG CA installed on the machine, of course), so it doesn't make sense to have it on the exclusion list. Can we at least be allowed to edit that list?


Here's an example of malware being sent over Discord:

Be careful opening this link; it has been identified as "Troj/Bbindi-W".

https :// cdn [.] discordapp [.] com/attachments/ 14836703273025566/ 714838662537281616/ nexo.exe


Since the domain is on the exclusion list, the malware passed through XG without any issue, even though there was already an SSL/TLS decryption rule in place for the machine that accessed this domain.


Thanks!
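The policy interaction described in this post, written out as an added example (not part of the original post and not Sophos/XG code): a decrypt rule only gives the firewall a look at the URL path if the destination host is not matched first by the exclusion list. The "*.domain" matching semantics, the evaluation order and the executable-path pattern are assumptions made for illustration, not the documented SFOS behaviour.

```python
"""Model of how a TLS-decryption exclusion list interacts with a decrypt rule.

Added example, not part of the original post and not Sophos/XG code: the
"*.domain" matching semantics and the evaluation order are assumptions made
for illustration, not the documented SFOS behaviour.
"""
import re
from urllib.parse import urlparse

# Constructed exclusion list modelled on the managed entry discussed above.
MANAGED_EXCLUSIONS = ["*.discordapp.com"]

# URL reported in the post, with the defanging brackets removed (string only;
# nothing here connects to it).
REPORTED_URL = ("https://cdn.discordapp.com/attachments/"
                "14836703273025566/714838662537281616/nexo.exe")


# Assumed wildcard semantics: "*.discordapp.com" covers the apex domain and
# every label depth beneath it, but not look-alikes such as "evil-discordapp.com".
def host_matches(pattern: str, host: str) -> bool:
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def excluded_by(host: str, exclusions=MANAGED_EXCLUSIONS):
    """Return the first exclusion entry matching host, or None."""
    return next((e for e in exclusions if host_matches(e, host)), None)


def visible_fields(url: str, exclusions=MANAGED_EXCLUSIONS, decrypt_rule=True) -> dict:
    """What the firewall can inspect for this request.

    Without decryption the firewall only sees the server name (TLS SNI /
    certificate); the HTTP path, headers and body stay opaque, so a path- or
    content-based rule has nothing to match.
    """
    p = urlparse(url)
    host = p.hostname or ""
    hit = excluded_by(host, exclusions)
    inspectable = decrypt_rule and hit is None
    return {
        "host": host,
        "excluded_by": hit,
        "inspectable": inspectable,
        "path": p.path if inspectable else None,
    }


# Constructed path rule for executables in Discord's CDN attachment layout.
EXECUTABLE_ATTACHMENT = re.compile(
    r"^/attachments/\d+/\d+/[^/]+\.(?:exe|dll|scr|msi)$", re.IGNORECASE)


def path_rule_can_fire(url: str, exclusions=MANAGED_EXCLUSIONS) -> bool:
    """True only when the path is visible AND matches the executable pattern."""
    v = visible_fields(url, exclusions)
    return v["inspectable"] and EXECUTABLE_ATTACHMENT.match(v["path"]) is not None


if __name__ == "__main__":
    print(visible_fields(REPORTED_URL))                     # path None: host excluded
    print(path_rule_can_fire(REPORTED_URL))                 # False
    print(path_rule_can_fire(REPORTED_URL, exclusions=[]))  # True without the exclusion
```

The point the model makes concrete: with the managed entry in place the only thing left to act on for this download is the hostname, which is the same hostname every legitimate Discord attachment uses, so the exclusion removes exactly the field (the path and the file itself) that a content or file-type rule needs.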



  • It's probably on the list because when Sophos were testing they found issues with the decryption of Discord, so to avoid any issues with customers they have had to exclude it from the TLS/SSL side of things.


    The problem with Discord is that there are no particular IP/server ranges to exclude apart from the TLD, so it is what it is.


    The app may work on Windows; on Android and iPhones it does not with MITM-style attacks.

    Tim Grantham

    Enterprise Architect & Business owner

  • Thanks for the answer.

    Interestingly enough, it's been working flawlessly on Windows/Linux here.


    As for Android/iOS, that's another issue, unrelated to the one I asked about in this thread. Pretty much all applications on both of them dislike being MITMed, which is expected.


    Thanks!



    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • That's because most of the time Windows apps pay attention to additional user-installed CAs, which is what's required to do the TLS decryption, as you know.


    iOS devices work differently, and the apps tend to only pay attention to the system-installed CAs, which can be very annoying in MITM situations such as proxy scanners.


    Some apps don't even pay attention to the proxy settings, but interestingly some that don't look at the CA when accessing sites decrypted by the XG will do so when they access the system using a proxy server...

    Tim Grantham

    Enterprise Architect & Business owner