Why "*.discordapp.com" is on the Managed TLS Exclusion List on v18?

Hi together,

I ended up in removing the managed list from the exclusions and build my own specific ones, one for Apple or MS as they contain many domains and the standard local exclusion list for some specific domains/apps etc. which can easily be done in the log viewer.

These are the reasons for my decision:

- The managed list contains many world-wide domains and services I will never ever use. The list will grow continuously and probably adds an overhead in terms of performance.

- There are already some examples in the list that don't make sense, e.g. apple.com is excluded which will contain all subdomains anyway. But some *.apple.com subdomains were added to the list as well... (?)

- As your example with discord shows: The list is sometimes not really necessary. E.g. I haven't noticed any problems using adobe, citrix, vmware or aws, yet - although the list would exclude them.

- I'm simply interested in this stuff from a security and web architecture perspective and as long as this is manageable with little time I happy with it.

Best Regards

Dom

The overall reason for having a "Managed Exclusion List" that is not editable by users is that Sophos can add and remove items from that list without overwriting anything that an admin has done.  If we make the list editable and an admin changes it, then we update the list it would overwrite those changes.

But you don't need to use it.  Just disable the rule and do it yourself.  You can also copy the list of entries to a text file, eliminate the ones you don't want, create a new URL group and a new rule for your own self-managed list.

Also remember that in addition to TLS exclusions there are Web Exceptions which can turn off HTTPS scanning.

Dom Nik said:

These are the reasons for my decision:

- The managed list contains many world-wide domains and services I will never ever use. The list will grow continuously and probably adds an overhead in terms of performance.

I understand the concern - if you don't use xyz service then you don't care if it doesn't work due to decryption and maybe would rather it didn't.  It potentially adds future IT work if you decide to use it later.

As for performance, I've personally done tested TLS exclusions lists of 10,000 URLs and the impact on performance is negligible.

- As your example with discord shows: The list is sometimes not really necessary. E.g. I haven't noticed any problems using adobe, citrix, vmware or aws, yet - although the list would exclude them.

I believe the list was created weighing the number of failures (clients that don't support) as well as the risk (likelihood of malware) and performance (the more that isn't decrypted the faster things are).  There is a risk matrix so some things might be added due to low risk rather than problems.  For example, we have always had an exception to https scanning and av scanning for microsoft.com because the risk is low.  If, for exa

- I'm simply interested in this stuff from a security and web architecture perspective and as long as this is manageable with little time I happy with it.

There are some "set and forget" and some "ooohhh! more buttons and knobs to play with" admins.  I am also someone interested in this stuff, so I'm lucky I get to work in it.

The overall reason for having a "Managed Exclusion List" that is not editable by users is that Sophos can add and remove items from that list without overwriting anything that an admin has done.  If we make the list editable and an admin changes it, then we update the list it would overwrite those changes.

But you don't need to use it.  Just disable the rule and do it yourself.  You can also copy the list of entries to a text file, eliminate the ones you don't want, create a new URL group and a new rule for your own self-managed list.

Also remember that in addition to TLS exclusions there are Web Exceptions which can turn off HTTPS scanning.

Dom Nik said:

These are the reasons for my decision:

- The managed list contains many world-wide domains and services I will never ever use. The list will grow continuously and probably adds an overhead in terms of performance.

I understand the concern - if you don't use xyz service then you don't care if it doesn't work due to decryption and maybe would rather it didn't.  It potentially adds future IT work if you decide to use it later.

As for performance, I've personally done tested TLS exclusions lists of 10,000 URLs and the impact on performance is negligible.

- As your example with discord shows: The list is sometimes not really necessary. E.g. I haven't noticed any problems using adobe, citrix, vmware or aws, yet - although the list would exclude them.

I believe the list was created weighing the number of failures (clients that don't support) as well as the risk (likelihood of malware) and performance (the more that isn't decrypted the faster things are).  There is a risk matrix so some things might be added due to low risk rather than problems.  For example, we have always had an exception to https scanning and av scanning for microsoft.com because the risk is low.  If, for exa

- I'm simply interested in this stuff from a security and web architecture perspective and as long as this is manageable with little time I happy with it.

There are some "set and forget" and some "ooohhh! more buttons and knobs to play with" admins.  I am also someone interested in this stuff, so I'm lucky I get to work in it.