Question

Web Gateway Test

  • 5 February 2024
  • 4 replies
  • 45 views

Badge

Hello,

 

We are running a web gateway test, and having looked at the results, a lot of the test results, should have been blocked by Defender, however they are being allowed - I have checked our EDR and Attack Surface policy and everything is switched on. 

 

Does anyone have any ideas why the Web Gateway is showing so many high fails. 


4 replies

Userlevel 3
Badge +3

Hello @CDT 

In what kind of category do you see these false negative results ?

Do you see “allowed” results when actually they are blocked in your WG?

Badge

Hi Shiraz,

 

I am seeing them in Files and Files Policy categories. 

Userlevel 3
Badge +3

@CDT and do you see “allowed” results when actually they are blocked in your WG?

Badge

Hi,

File types are unlikely to be blocked by endpoint protection, such as defender. It would need to use host based decryption of the data stream from the site where the file is being downloaded from,  so it can be inspected before it reaches the cymulate machine.  Ideally, you would force all such requests through a web proxy that uses deep packet inspection - the proxy would install its own certificate on the website so it can decrypt the traffic and look for file types or malicious code.

Hope that helps.

Richard

Reply