Block lists

Modified on Thu, 22 Aug at 5:22 PM

About block lists

Block lists help to reduce the number of false-negative scan verdicts. If an email scan or a URL scan is initially assigned a clean verdict, you can use a block list to define that the scan verdict should be changed to malicious or spam - if the email or URL meets specified requirements.

Note: If the same item is included in both an allow list and a block list, the allow list will take precedence.

Types of block lists

You can configure various block lists in Perception Point X-Ray:

Sender email address block list

When an email is scanned, and the scan verdict is clean, if the email is sent from an email address that is included in the "Sender email address block list", then the scan verdict will be set to malicious or spam.

Sender IP block list

When an email is scanned, and the scan verdict is clean, if the email is sent from an IP address that is on the "Sender IP block list", then the scan verdict will be set to malicious or spam.

URL block list

When a URL is scanned, and the scan verdict is clean, if the URL is included in the URL block list, then the scan verdict will be set to malicious or spam.

Hash block list

When a file should possibly be scanned, if the SHA-256 hash of the file is included in the "hash block list," then the file won't be scanned, and the scan verdict will be set to malicious.

When you define an entry in each of the block lists above, you define if the scan verdict should be changed to malicious or spam.

The Allow List/Block List page is available to admin users with the "Cyber Analyst" role [or higher].

Note: It is possible to perform a bulk import of block list entries. For details, see "Bulk import of block list entries" on page 89 below, or contact Perception Point Support [support@perception-point.io].

For details about allow lists, see "Allow lists" on page 69.

Global block lists

Perception Point X-Ray maintains global block lists - with entries that apply to all organizations. Entries in globally maintained block lists do not appear in the block lists of your organization - these global entries are visible internally to Perception Point only.

When you add an entry to a block list, you'll know that the entry was added successfully only if you see a "successfully added" message, similar to the following:

If you add an entry, and a "successfully added" user notification doesn't appear, this may indicate that the entry is included in the globally maintained block list. The entry that you tried to add therefore won't appear in the block list for your organization. For further details, contact Perception Point Support [support@perception-point.io].

Propagating block lists from a parent organization to child organizations

All block list entries that are configured in a parent organization are applied to the child organizations as well.

Note: Block list entries that are propagated from a parent organization are not visible in the child organizations.

If you want to add a block list entry to a specific child organization only, make sure to select that child organization when you configure the new block list entry.

Bulk import of block list entries

It is possible to perform a bulk import of block list entries. This import procedure can be performed by Perception Point Support only.

[See the "Suggested email template" on page 90 below]

When you request Perception Point Support to perform a bulk addition of block list entries, you'll need to:

  • Specify the name of the organization in Perception Point X-Ray to which the block-list entries will be added.

  • Specify to which block list to add the entries [such as Sender email address, Sender IP, or URL block list]. Send a separate file for each block list.

  • Supply a simple list or a CSV file that includes the required information.

Note:

For domains, don't include a wildcard character [*], a period [.], or an at sign [@] before the domain.

For example, *acme.com and *.acme.com and @acme.com are not valid formats.

Email addresses should be the email address only - without the sender name.

  • Specify the verdict that will be applied to scans that are blocked due to the block list, either Malicious or Spam.

  • Send the block lists to: Perception Point Support [support@perception-point.io]

In addition to importing block lists, Perception Point Support can also import allow lists. If Perception Point Support will be importing an allow list and a block list for your organization, include the allow lists and block lists in separate files. For details about importing bulk allow list entries, see "Bulk import of allow list entries" on page 71.

Suggested email template

Subject: Bulk import of blocklist entries

Hi Perception Point Support Team

Please add the attached blocklist entries, using the following settings:

Organization name:

Blocklist:

Verdict option: Malicious or Spam

Please let us know when this has been done.

Thank you

For further details about bulk importing of block list entries, contact Perception Point Support [support@perception-point.io].

Configuring the "sender email address block list"

Follow the procedure below to block-list sender email addresses and sender domains [such as acme.com]. When you block-list a domain, all email addresses inside the domain will be included in the block list.

To add an entry to the "sender email address block list":

  1. In Perception Point X-Ray, in the left navigation menu, select Detection Setup > Allow List / Block List.

  2. On the right of "Sender Email Address Block List", click Add Address.

Configure the required settings.

Organization

If this option appears, select the organization to which the block list applies.

Note:

If you add a block list entry to a parent organization, the entry will affect the parent organization and all child organizations. However, the block list entry won't be visible in the child organizations.

If you want to add a block list entry to a specific child organization only, select that child organization here.

Sender Email Address

Specify the email address of the sender. Emails that originate from this email address will be block-listed.

You can also specify a domain, such as acme.com. All email addresses inside the domain will be included in the block list.

For example, if you specify acme.com:

All sub-domains in the "acme.com" domain will be included in the list.

This includes sub-domains such as legal.acme.com and drivers.acme.com

Don't include a wildcard character [*], a period [.], or an at sign [@] before the domain.

For example, *acme.com and *.acme.com and @acme.com are not valid formats.

Domain names are not case-sensitive.

Note: In each block list entry, you can specify only a single address or domain.

Verdict

Select the verdict that will be applied to scans of emails that were sent from an email address that is included in the "Sender email address" [see above], either Malicious or Spam.

For details on what happens to emails that have been assigned a malicious or spam verdict, see "Verdicts" on page 715.

Comment

Add an optional comment.

Exclude email from the following

When an email is blocked due to this block list definition, then the email will be excluded from the following [as selected]:

Admin alerts: For details, see "Alerts" on page 112.

End user alerts: For details, see "Alerts" on page 112.

Digest reports: For details, see "Sending Digest reports" on page 725.

Click Add Sender Email Address.

Note: If you don't see a "successfully added" user notification, and if the entry that you tried to add doesn't appear in your block list, this may indicate that the entry is included in the globally maintained block list. For details, see "Global block lists" on page 89.

Configuring the "sender IP block list"

To add an entry to the sender IP block list:

  1. In Perception Point X-Ray, in the left navigation menu, select Detection Setup > Allow List / Block List.

  2. On the right of "Sender IP Block List", click Add IP.

Configure the required settings.

Organization

If this option appears, select the organization to which the block list applies.

Note:

If you add a block list entry to a parent organization, the entry will affect the parent organization and all child organizations. However, the block list entry won't be visible in the child organizations.

If you want to add a block list entry to a specific child organization only, select that child organization here.

Sender IP

Specify the IP address of the sender. Emails that originate from this IP address will be block-listed.

By default, block-listing a subnet is not supported. For possible implementation details, contact Perception Point Support [support@perception-point.io].

Verdict

Select the verdict that will be applied to scans of emails that were sent from the "Sender IP" [see above], either Malicious or Spam.

For details on what happens to emails that have been assigned a malicious or spam verdict, see "Verdicts" on page 715.

Comment

Add an optional comment.

Exclude IP from the following

When an email is blocked due to this block list definition, then the email will be excluded from the following [as selected]:

Admin alerts: For details, see "Alerts" on page 112.

End user alerts: For details, see "Alerts" on page 112.

Digest reports: For details, see "Sending Digest reports" on page 725.

Click Add Sender IP.

Note: If you don't see a "successfully added" user notification, and if the entry that you tried to add doesn't appear in your block list, this may indicate that the entry is included in the globally maintained block list. For details, see "Global block lists" on page 89.
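The entry-format rules stated above for bulk imports and for the Sender Email Address and Sender IP fields can be checked before a list is submitted. The following is an added example, not Perception Point code: the function names, the simplified address patterns and the sample entries are assumptions made for illustration.

```python
import ipaddress
import re

# Simple shapes for a pre-check (assumption: not the product's own parser).
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$")
LOCAL_RE = re.compile(r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+$")

def check_sender_entry(raw):
    """Return (normalized, None) if acceptable, else (None, reason)."""
    entry = raw.strip()
    if not entry:
        return None, "empty entry"
    if any(c in entry for c in ' <>",;'):
        return None, "address only: no sender name, one entry per line"
    if entry[0] in "*.@":
        return None, "no '*', '.' or '@' before the domain"
    local, at, domain = entry.rpartition("@")
    domain = domain.lower()  # domain names are not case-sensitive
    if not DOMAIN_RE.match(domain):
        return None, "not a valid domain"
    if at and not LOCAL_RE.match(local):
        return None, "not a valid email address"
    return (local + "@" + domain if at else domain), None

def check_ip_entry(raw):
    entry = raw.strip()
    if "/" in entry:  # block-listing a subnet is not supported by default
        return None, "subnet: list single IP addresses instead"
    try:
        return str(ipaddress.ip_address(entry)), None
    except ValueError:
        return None, "not a valid IP address"

def check_file(lines, checker):
    """Return (accepted, rejected); duplicates after normalization are dropped."""
    accepted, rejected = [], []
    for n, line in enumerate(lines, 1):
        value, reason = checker(line)
        if reason:
            rejected.append((n, line.strip(), reason))
        elif value not in accepted:
            accepted.append(value)
    return accepted, rejected

# Constructed sample input, one list per block list file.
SENDERS = ["ACME.com", "*.acme.com", "@acme.com",
           "Bob Smith <bob@example.org>", "bob@Example.org", "acme.com"]
IPS = ["192.0.2.10", "198.51.100.0/24", "192.0.2.999"]
if __name__ == "__main__":
    print(check_file(SENDERS, check_sender_entry), check_file(IPS, check_ip_entry))
```

The rejected list carries the line number and reason for each entry, so the source file can be corrected before it is sent.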

Configuring the "URL block list"

The URL block list includes a list of URLs that are block-listed. The block list will apply to URLs that are included in any of the channels that are specified in the block list.

To add an entry to the "URL block list":

  1. In Perception Point X-Ray, in the left navigation menu, select Detection Setup > Allow List / Block List.

  2. On the right of "URL Block List", click Add URL.

Configure the required settings.

Organization

If this option appears, select the organization to which the block list applies.

Note:

If you add a block list entry to a parent organization, the entry will affect the parent organization and all child organizations. However, the block list entry won't be visible in the child organizations.

If you want to add a block list entry to a specific child organization only, select that child organization here.

URL

Specify the URL of sites that will be block-listed. Use Method below to define how the URL string should be applied.

Method

Specify how the URL string defined above should be applied to determine which URLs to block-list:

Starts with: A URL will be block-listed if the URL starts with the URL string specified above.

In: A URL will be block-listed if the URL includes the complete URL string specified above.

Note: This option is available to Perception Point Support only. Contact Perception Point Support [support@perception-point.io] for details.

Domain ends with: A URL will be block-listed if the URL ends with the URL string specified above.

Wildcard: An asterisk [*] included in the URL string above acts as a wildcard - representing any set of characters. If Wildcard is not selected, then an asterisk in the URL string acts as a single asterisk character, and not as a wildcard.

If Wildcard is selected, but no asterisk [*] is specified in the URL string above, then each URL will be evaluated as if the "Exact" method has been selected.

Note: This option is available to Perception Point Support only. Contact Perception Point Support [support@perception-point.io] for details.

Exact: A URL will be block-listed if the URL is the exact URL string specified above.

Apply to all channels

Select "Apply to all channels" so that the block list will be applied to all channels.

- or -

Clear "Apply to all channels" and then select the channels that will be affected by the block list.

Verdict

Select the verdict that will be applied to scans of URLs that are included in "Method" [see above], either Malicious or Spam.

For details on what happens to emails that have been assigned a malicious or spam verdict, see "Verdicts" on page 715.

Comment

Add an optional comment.

Exclude url from the following

When an email is blocked due to this block list definition, then the email will be excluded from the following [as selected]:

Admin alerts: For details, see "Alerts" on page 112.

End user alerts: For details, see "Alerts" on page 112.

Digest reports: For details, see "Sending Digest reports" on page 725.

Click Add URL.

Note: If you don't see a "successfully added" user notification, and if the entry that you tried to add doesn't appear in your block list, this may indicate that the entry is included in the globally maintained block list. For details, see "Global block lists" on page 89.
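The Method options described above differ in how much a single entry catches. The following added example (not Perception Point code) models the five methods so that a candidate entry can be previewed against sample URLs. The function names and sample URLs are assumptions, as are two modelling choices: "Domain ends with" is compared with the URL's host name, and the other methods compare case-sensitively.

```python
import re
from urllib.parse import urlsplit

def url_matches(url, pattern, method):
    """Model of the Method options: True if `url` would match the entry."""
    if method == "Starts with":
        return url.startswith(pattern)
    if method == "In":
        return pattern in url
    if method == "Domain ends with":
        # Assumption: the string is compared with the URL's host name.
        host = (urlsplit(url).hostname or "").lower()
        return host.endswith(pattern.lower())
    if method == "Wildcard":
        # '*' matches any run of characters; everything else is literal.
        # With no '*' in the pattern this reduces to an exact comparison.
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        return re.fullmatch(regex, url, re.DOTALL) is not None
    if method == "Exact":
        return url == pattern  # here '*' is an ordinary character
    raise ValueError("unknown method: " + method)

def preview(pattern, method, urls):
    """Return the URLs from `urls` that the candidate entry would catch."""
    return [u for u in urls if url_matches(u, pattern, method)]

# Constructed sample URLs used to preview an entry's reach.
SAMPLE_URLS = [
    "https://acme.com/login",
    "https://acme.com.example.net/login",
    "https://files.acme.com/a.zip",
    "https://notacme.com/",
    "https://example.org/?next=https://acme.com/login",
]

if __name__ == "__main__":
    for pattern, method in [("https://acme.com", "Starts with"),
                            ("acme.com", "Domain ends with"),
                            ("https://acme.com/login", "In"),
                            ("https://*.acme.com/*", "Wildcard")]:
        print(method, repr(pattern), "->", preview(pattern, method, SAMPLE_URLS))
```

In this model, "Starts with" `https://acme.com` also catches `https://acme.com.example.net/login`, and "Domain ends with" `acme.com` also catches `notacme.com`, so preview an entry against known-good URLs before adding it.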

Configuring the "hash block list"

When a file should possibly be scanned, if the SHA-256 hash of the file is included in the "hash block list," then the file won't be scanned, and the scan verdict will be set to malicious.

To add an entry to the hash block list:

  1. In Perception Point X-Ray, in the left navigation menu, select Detection Setup > Allow List / Block List.

  2. Click Add Hash on the right of "Hash Block List".

Configure the required settings.

Organization

If this option appears, select the organization to which the block list applies.

Note:

If you add a block list entry to a parent organization, the entry will affect the parent organization and all child organizations. However, the block list entry won't be visible in the child organizations.

If you want to add a block list entry to a specific child organization only, select that child organization here.

SHA256

Specify the SHA-256 hash value. Any file with this hash value will not be scanned, and the scan verdict will be set to malicious.

Comment

Add an optional comment.

Click Add SHA256.

Note: If you don't see a "successfully added" user notification, and if the entry that you tried to add doesn't appear in your block list, this may indicate that the entry is included in the globally maintained block list. For details, see "Global block lists" on page 89.




Reference

https://docs.perception-point.io/WP/Content/PP/Blocklists.htm

Acronis: https://docs.perception-point.io/acronis/Content/PP/Blocklists.htm

