About allow lists
Allow lists help to reduce the number of false-positive [FP] scan verdicts. A false-positive verdict is when a malicious or spam verdict is assigned to a scan, but where the correct verdict is clean. Allow lists are typically implemented when some aspect of the email, file, or URL that is to be scanned, is trustworthy. For example, the email may be sent from an known and trusted email address, or from an IP address that can be trusted.
For most of the allow lists, you'll need to specify either that:
the spam scan engines will not be applied - and spam verdicts are therefore not possible,
or
that no scan is performed at all, and a clean verdict is applied.
Note: If the same item is included in both an allow list and a block list, the allow list will take precedence. |
Types of allow lists
You can configure various allow lists in Perception Point X-Ray:
Sender email address allow list: | When an email is received from an email address that is included in the "Sender email address allow list", then you can select to: not scan the email, and set the scan verdict to clean. or scan the email - without applying the spam scanning engines. A spam verdict is therefore not possible. |
Recipient email address allow list: | When an email is sent to an email address that is included in the "Recipient email address allow list", then you can select to: not scan the email, and set the scan verdict to clean. or scan the email - without applying the spam scanning engines. A spam verdict is therefore not possible. |
Sender IP allow list: | When an email is received from an IP address that is included in the "Sender IP allow list", then you can select to: not scan the email, and set the scan verdict to clean. or scan the email - without applying the spam scanning engines. A spam verdict is therefore not possible. |
URL allow list: | When a URL that is included in the "URL allow list" should possibly be scanned, then you can select to: not scan the URL, and set the scan verdict to clean. or scan the URL- without applying the spam scanning engines. A spam verdict is therefore not possible. |
Hash allow list: | When file should possibly be scanned, if the hash of the file is included the "hash allow list," then the file will not be scanned, and the scan verdict will be set to clean. |
The Allow List/Block List page is available to admin users with the "Cyber Analyst" role [or higher] only. |
Note It is possible to perform a bulk import of allow list entries. For details, contact Perception Point Support [support@perception-point.io]. |
For details about blocklists, see "Block lists" on page 86.
Propagating allow lists from a parent organization to child organizations
All allow list entries that are configured in a parent organization are applied to the child organizations as well.
Note: Allow list entries that are propagated from a parent organization are not visible in the child organizations. |
If you want to add an allow list entry to a specific child organization only, make sure to select that child organization when you configure the new allow list entry.
Global allow lists
Perception Point X-Ray maintains global allow lists - with entries that apply to all organizations. Entries in globally maintained allow lists do not appear in the allow lists of your organization. When you add an entry to an allow list, you'll know that the entry was added successfully only if you see a "successfully added" message, similar to the following:
If you add an entry, and a "successfully added" user notification doesn't appear, this may indicate that the entry is included in the globally maintained allow list. The entry that you tried to add therefore won't appear in the allow list for your organization.
Bulk import of allow list entries
It is possible to perform a bulk import of allow list entries. This import procedure can be performed by Perception Point Support only.
[See the "Suggested email template" on page 71 below]
When you request Perception Point Support [support@perception-point.io] to perform a bulk addition of allow list entries, you'll need to:
Specify the name of the organization in Perception Point X-Ray to which the allow-list entries will be added.
Specify to which allowlist to add the entries [such as Sender email address, Recipient email address, or Sender IP allow list]. Send a separate file for each allowlist.
Supply a simple list or a CSV file that includes the required information.
Note: For domains, don't include a wildcard character [*], a period [.], or an at sign [@] before the domain. For example, *acme.com and *.acme.com and @acme.com are not valid formats. Email addresses should be the email address only - without the sender name. |
Specify whether the "No review - always allow" or the "Review if Malicious (allow if spam)" option should be configured as the "verdict" in the allow list:
No review - always allow: No scan is performed at all, and a clean verdict is always applied.
or
Review if Malicious (allow if spam): The spam engines will not be applied during a scan - and spam verdicts are therefore not possible. The malicious engines are applied.
For "sender email address allow lists" - specify to disable SPF checks for the new entries. For details, see "Disable IP/SPF Check" on page 76 below.
Send the allow lists to: Perception Point Support [support@perception-point.io]
For security reasons, Perception Point Support may advise you to:
limit the number of entries that you request to be added to an allow list.
review the list because it contains problematic entries, such as domains that are often abused for credential phishing attacks and scams.
In addition to importing allow lists, Perception Point Support can also import block lists. If Perception Point Support will be importing an allow list and a block list for your organization, include the allow list and block list in separate files. For details about importing bulk block list entries, see "Bulk import of block list entries" on page 88.
Suggested email template
Subject: Bulk import of allow list entries |
Hi Perception Point Support Team Please add the attached allowlist entries, using the following settings: Organization name: Allow list: Verdict option: "No review - always allow" or "Review if Malicious (allow if spam)" SPF checks: Enable or Disable Please let us know when this has been done. Thank you |
For further details about bulk importing of allow list entries, contact Perception Point Support [support@perception-point.io].
Configuring the "sender email address allow list"
When an email is received from an email address that is included in the "Sender email address allow list", then you can select to:
not scan the email, and set the scan verdict to clean.
or
scan the email - without applying the spam scanning engines. A spam verdict is therefore not possible.
Follow the procedure below to allow-list sender email addresses and sender domains [such as acme.com].
Note: When an SPF check is performed, if the sender fails the SPF check, the email will not be allow-listed [even though it is on the allow list], and may be assigned a malicious or spam verdict. This is done to prevent possible spoofing attempts. For further details, see "Disable IP/SPF Check" on page 76 below. |
To add an entry to the "sender email address allow list":
In Perception Point X-Ray, in the left navigation menu, select Detection Setup > Allow List / Block List.
Click Add Address on the right of "Sender Email Address Allow List".
Configure the required settings.
Organization | Select the organization to which the allow list applies.
| ||
Sender Email Address | Specify the email address of the sender. Emails from this sender email address will be allow-listed. You can also specify a domain, such as acme.com. All email addresses inside the domain will be included in the allow list. For example, if you specify acme.com: All sub-domains in the "acme.com" domain will be included in the list. This includes sub-domains such as legal.acme.com and drivers.acme.com Don't include a wildcard character [*], a period [.], or an at sign [@] before the domain. For example, *acme.com and *.acme.com and @acme.com are not valid formats. Domain names are not case-sensitive.
| ||
Verdict | Specify which scans will be performed on emails and URLs that satisfy this allow-list entry: No review - always allow: The email or URL will not be scanned, and the scan verdict will be set to clean. No links in the email will be clicked. Review if Malicious (allow if spam): The email or URL will be scanned: The spam scanning engines won't be applied. A spam verdict is therefore not possible. The malicious scanning engines will be applied. If the initial verdict is malicious, the scan will maintain its malicious verdict.
Note about restricted files Scans of emails that include restricted files [that is, attachments that are in the list of restricted file types or URLs that include references to files that are in the list of restricted file types] will be handled as follows, depending on the option that you select: No review - always allow: The scan will be set to clean. Review if Malicious (allow if spam): The scan will be set to restricted, malicious, or clean - but never spam. For details about restricted file types, see Restricted file types. | ||
Comment | Add an optional comment. | ||
Disable IP/SPF Check | When this option is selected, no IP/SPF checks will be performed for this email address - for the verdicts that are specified above [No review - always allow or Review if Malicious (allow if spam)]. Select this option when the sender has not set up an SPF record or the SPF record is broken or incorrectly configured.
See also: About SPF checks
|
Click Add Sender Email Address.
Note: If you don't see a "successfully added" user notification, and if the entry that you tried to add doesn't appear in your allow list, this may indicate that the entry is included in the globally maintained allow list. For details, see "Global allow lists" on page 70. |
Configuring the "recipient email address allow list"
When an email is sent to an email address that is included in the "Recipient email address allow list", then you can select to:
not scan the email, and set the scan verdict to clean.
or
scan the email - without applying the spam scanning engines. A spam verdict is therefore not possible.
To add an entry to the "recipient email address allow list":
In Perception Point X-Ray, in the left navigation menu, select Detection Setup > Allow List / Block List.
Click Add Address on the right of "Recipient Email Address Allow List".
Configure the required settings.
Organization | Select the organization to which the allow list applies.
| |
Recipient Email Address | Specify the email address of the recipient. Emails to this recipient will be allow-listed. If you need to include a wildcard character [*] in the definition of an allow list, contact Perception Point support for assistance. | |
Verdict | Specify which scans will be performed on emails and URLs that satisfy this allow-list entry: No review - always allow: The email or URL will not be scanned, and the scan verdict will be set to clean. No links in the email will be clicked. Review if Malicious (allow if spam): The email or URL will be scanned: The spam scanning engines won't be applied. A spam verdict is therefore not possible. The malicious scanning engines will be applied. If the initial verdict is malicious, the scan will maintain its malicious verdict.
Note about restricted files Scans of emails that include restricted files [that is, attachments that are in the list of restricted file types or URLs that include references to files that are in the list of restricted file types] will be handled as follows, depending on the option that you select: No review - always allow: The scan will be set to clean. Review if Malicious (allow if spam): The scan will be set to restricted, malicious, or clean - but never spam. For details about restricted file types, see Restricted file types. | |
Comment | Add an optional comment. |
Click Add Recipient Email Address.
Note: If you don't see a "successfully added" user notification, and if the entry that you tried to add doesn't appear in your allow list, this may indicate that the entry is included in the globally maintained allow list. For details, see "Global allow lists" on page 70. |
Configuring the "sender IP allow list"
When an email is received from an IP address that is included in the "Sender IP allow list", then you can select to:
not scan the email, and set the scan verdict to clean.
or
scan the email - without applying the spam scanning engines. A spam verdict is therefore not possible.
To add an entry to the sender IP allow list:
In Perception Point X-Ray, in the left navigation menu, select Detection Setup > Allow List / Block List.
Click Add IP on the right of "Sender IP Allow List".
Configure the required settings.
Organization | Select the organization to which the allow list applies.
| |
Sender IP | Specify the IP address of the sender. Emails from this sender IP address will be allow-listed. If you need to include a wildcard character [*] in the definition of an allow list, contact Perception Point Support [support@perception-point.io] for assistance. By default, for security reasons, allow-listing a subnet [range] is not recommended. For possible implementation details, contact Perception Point Support [support@perception-point.io]. | |
Verdict | Specify which scans will be performed on emails and URLs that satisfy this allow-list entry: No review - always allow: The email or URL will not be scanned, and the scan verdict will be set to clean. No links in the email will be clicked. Review if Malicious (allow if spam): The email or URL will be scanned: The spam scanning engines won't be applied. A spam verdict is therefore not possible. The malicious scanning engines will be applied. If the initial verdict is malicious, the scan will maintain its malicious verdict.
Note about restricted files Scans of emails that include restricted files [that is, attachments that are in the list of restricted file types or URLs that include references to files that are in the list of restricted file types] will be handled as follows, depending on the option that you select: No review - always allow: The scan will be set to clean. Review if Malicious (allow if spam): The scan will be set to restricted, malicious, or clean - but never spam. For details about restricted file types, see Restricted file types. | |
Comment | Add an optional comment. |
Click Add Sender IP.
Note: If you don't see a "successfully added" user notification, and if the entry that you tried to add doesn't appear in your allow list, this may indicate that the entry is included in the globally maintained allow list. For details, see "Global allow lists" on page 70. |
Configuring the "URL allow list"
By default, when Perception Point X-Ray scans an email, Perception Point X-Ray "clicks" each URL that is included in the email - and then scans the URL to check if the URL is safe. Although this is the desired behavior from a security perspective, it can result in various undesired scenarios, such as:
clicking one-time links - that are thereafter not available to the email recipients
clicking unsubscribe links
To prevent the above scenarios, you can include a list of URLs in the "URL allow list". Then, when any of these URLs is included in an email, you can configure Perception Point X-Ray to:
not scan the URL, and set the scan verdict to clean. The associated link is therefore not "clicked".
or
scan the URL - without applying the spam scanning engines. A spam verdict is therefore not possible. The associated link will be "clicked".
Alternatively, you can prevent Perception Point X-Ray from "clicking" every URL that is included in scanned emails. For details, see Detection. However, this option prevents Perception Point X-Ray from "clicking" every URL that is included in ALL scanned emails - which may not be ideal from a security perspective.
Note: "URL follow allow lists" have been deprecated. Existing "URL follow allow lists" will remain functional - but they can't be viewed or edited. For assistance with existing URL follow allow lists, contact Perception Point Support [support@perception-point.io]. The deprecated "URL follow allow list" functionality is replaced by "URL allow lists." |
To add an entry to the "URL allow list":
In Perception Point X-Ray, in the left navigation menu, select Detection Setup > Allow List / Block List.
Click Add URL on the right of "URL Allow List".
Configure the required settings.
Organization | Select the organization to which the allow list applies.
| ||
URL | Specify the URL of sites that will be allow-listed. Use Method below to define how the URL string should be applied. | ||
Method | Specify how the URL string defined above should be applied to determine which URLs to allow-list: Starts with: A URL will be allow-listed if the URL starts with the URL string specified above. In: A URL will be allow-listed if the URL includes the complete URL string specified above.
Domain ends with: A URL will be allow-listed if the URL ends with the URL string specified above. Wildcard: An asterisk [*] included in the URL string above acts as a wildcard - representing any set of characters. If Wildcard is not selected, then an asterisk in the URL acts as an asterisk, and not as a wildcard. If Wildcard is selected, but no asterisk [*] is specified in the URL string above, then each URL will be evaluated as if the "Exact" method has been selected.
Exact: A URL will be allow-listed if the URL is the exact URL string specified above. | ||
Verdict | Specify which scans will be performed on emails and URLs that satisfy this allow-list entry: No review - always allow: The email or URL will not be scanned, and the scan verdict will be set to clean. No links in the email will be clicked. Review if Malicious (allow if spam): The email or URL will be scanned: The spam scanning engines won't be applied. A spam verdict is therefore not possible. The malicious scanning engines will be applied. If the initial verdict is malicious, the scan will maintain its malicious verdict.
Note about restricted files Scans of emails that include restricted files [that is, attachments that are in the list of restricted file types or URLs that include references to files that are in the list of restricted file types] will be handled as follows, depending on the option that you select: No review - always allow: The scan will be set to clean. Review if Malicious (allow if spam): The scan will be set to restricted, malicious, or clean - but never spam. For details about restricted file types, see Restricted file types. | ||
Apply to all channels | Select "Apply to all channels" so that the allow list will apply to scans that originate from any channel. - or - Clear "Apply to all channels" and then select the channels to which the allow list will apply. | ||
Comment | Add an optional comment. |
Click Add URL.
Note: If you don't see a "successfully added" user notification, and if the URL that you tried to add doesn't appear in your URL allow list, this may indicate that the URL is included in the globally maintained URL allow list. For details, see "Global allow lists" on page 70. |
Configuring the "hash allow list"
When a file should possibly be scanned, if the hash of the file is included in the "hash allow list," then the file won't be scanned, and the scan verdict will be set to clean.
To add an entry to the hash allow list:
In Perception Point X-Ray, in the left navigation menu, select Detection Setup > Allow List / Block List.
Click Add Hash on the right of "Hash Allow List".
Configure the required settings.
Organization | Select the organization to which the allow list applies.
| |
SHA256 | Specify the hash value. Any file with this hash value will not be scanned, and the scan verdict will be set to clean. | |
Comment | Add an optional comment. |
Click Add SHA256.
Note: If you don't see a "successfully added" user notification, and if the entry that you tried to add doesn't appear in your allow list, this may indicate that the entry is included in the globally maintained allow list. For details, see "Global allow lists" on page 70. |
Reference
https://docs.perception-point.io/WP/Content/PP/Blocklists.htm
Acronis: https://docs.perception-point.io/acronis/Content/PP/Blocklists.htm
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article