Why "*.discordapp.com" is on the Managed TLS Exclusion List on v18?

Question

Hi, 
 
 Nowadays there's lot's of malware going through discord, I would like to know why "discordapp[.]com" is on the Managed TLS Exclusion List. 
 
 Currently the DPI Engine of v18 is capable of fully decrypting the connection, of course with the XG CA installed on the machine, so It doesn't make sense having it on the exclusion list. Can we at least be able to edit that list? 
 
 Here's an example of a malware being sent over discord: 
 Be careful opening this link, It has been identified as "Troj/Bbindi-W". 
 https :// cdn [.] discordapp [.] com/attachments/ 14836703273025566/ 714838662537281616/ nexo.exe 
 
 Since the domain has on the exclusion list, the malware passed through XG without any issue, there has already a SSL/TLS Decrypt Rule in place over the machine that accessed this domain. 
 
 Thanks!

Michael Dunn · Accepted Answer

The overall reason for having a "Managed Exclusion List" that is not editable by users is that Sophos can add and remove items from that list without overwriting anything that an admin has done. If we make the list editable and an admin changes it, then we update the list it would overwrite those changes. 
 But you don't need to use it. Just disable the rule and do it yourself. You can also copy the list of entries to a text file, eliminate the ones you don't want, create a new URL group and a new rule for your own self-managed list. 
 Also remember that in addition to TLS exclusions there are Web Exceptions which can turn off HTTPS scanning. 
 
 Dom Nik said: 
 These are the reasons for my decision: 
 - The managed list contains many world-wide domains and services I will never ever use. The list will grow continuously and probably adds an overhead in terms of performance.

I understand the concern - if you don't use xyz service then you don't care if it doesn't work due to decryption and maybe would rather it didn't. It potentially adds future IT work if you decide to use it later. 
 As for performance, I've personally done tested TLS exclusions lists of 10,000 URLs and the impact on performance is negligible. 
 
 - As your example with discord shows: The list is sometimes not really necessary. E.g. I haven't noticed any problems using adobe, citrix, vmware or aws, yet - although the list would exclude them. 
 
 I believe the list was created weighing the number of failures (clients that don't support) as well as the risk (likelihood of malware) and performance (the more that isn't decrypted the faster things are). There is a risk matrix so some things might be added due to low risk rather than problems. For example, we have always had an exception to https scanning and av scanning for microsoft.com because the risk is low. If, for exa 
 
 - I'm simply interested in this stuff from a security and web architecture perspective and as long as this is manageable with little time I happy with it. 
 
 There are some "set and forget" and some "ooohhh! more buttons and knobs to play with" admins. I am also someone interested in this stuff, so I'm lucky I get to work in it.

BLS · Answer

It's probably on the list as when Sophos have been testing they found issues with the description of discord - so to avoid any issues with customers they have had to exclude it from the TLS/SSL side of things. 
 
 Problem with discord is that there is no particular IP / Server ranges to exclude apart from the TLD - so it is what it is. 
 
 The App may work on Windows - of Android and iPhones....it does not with MITM style attacks.