Web Gateway Test

  • 5 February 2024
  • 4 replies




We are running a web gateway test and, having looked at the results, a lot of the test results should have been blocked by Defender; however, they are being allowed. I have checked our EDR and Attack Surface policy and everything is switched on.


Does anyone have any ideas why the Web Gateway is showing so many high fails?


Best answer by cymulate_user_31 15 February 2024, 12:19




Hello @CDT 

In what kind of category do you see these false negative results?

Do you see “allowed” results when actually they are blocked in your WG?


Hi Shiraz,


I am seeing them in Files and Files Policy categories. 


@CDT and do you see “allowed” results when actually they are blocked in your WG?



File types are unlikely to be blocked by endpoint protection such as Defender. It would need to use host-based decryption of the data stream from the site where the file is being downloaded, so it can be inspected before it reaches the Cymulate machine. Ideally, you would force all such requests through a web proxy that uses deep packet inspection; the proxy would install its own certificate on the website so it can decrypt the traffic and look for file types or malicious code.

Hope that helps.