Keepnet Tools Whitelisting Guidelines

It's important to note that both the Phishing Reporter and Diagnostic Tool are legitimate and secure applications developed by Keepnet Labs. They have been thoroughly tested and should not trigger any issues with Antivirus or Endpoint Detection and Response (EDR) solutions under normal circumstances.

However, specific configurations or strict policies within Antivirus, EDR, or other security tools may sometimes lead to these applications being blocked or their functionality being restricted. This can occur despite the applications being entirely safe and free of malicious code. It is these particular scenarios that the "Keepnet Labs Tools Whitelisting Guidelines" document aims to address.

By following the steps outlined in this guide, including the calculation and whitelisting of the unique hash of the downloaded files, customers can ensure the seamless operation of the Phishing Reporter and Diagnostic Tool within their unique security environments.

Indeed, each enterprise has a unique set of security tools and configurations in place to secure its environment. These tools, while effectively preventing threats, can sometimes interfere with legitimate applications and tools such as the Phishing Reporter and Diagnostic Tool from Keepnet Labs. They may hinder these applications' functionality or block their network communications.

To address this issue, Keepnet Labs recommends a Proof of Concept (PoC) test where enterprises can see how their security solutions interact with the Phishing Reporter and Diagnostic Tool. This PoC allows Keepnet Labs and the enterprise to identify potential conflicts, adjust settings, or create necessary exceptions to ensure the tools work smoothly.

However, in cases where enterprises want to ensure the uninterrupted operation of Keepnet Labs' tools, a whitelisting document is provided. This document is a comprehensive list of all the potential tools and configurations that may need to be adjusted to allow for full functionality. By following the whitelisting document, enterprises can ensure that the Phishing Reporter and Diagnostic Tool will operate as intended within their network environment.

Understanding the Phishing Reporter and Diagnostic Tool

Phishing Reporter is a tool that allows users to easily report suspicious emails and contribute to the organization's security by reinforcing its human firewall. By installing this tool on their devices, users have a straightforward mechanism to report potentially harmful emails directly from their mailbox interface. Phishing Reporter communicates with the Keepnet Labs platform via the https://api.keepnetlabs.com/api/* network route.

Diagnostic Tool is an auxiliary service as part of the Phishing Reporter suite. It is designed to help troubleshoot potential issues with the Phishing Reporter. When issues arise, the Diagnostic Tool gathers necessary system information to assist Keepnet Labs' support teams to quickly identify and solve the problem. This tool also uses the same network route as the Phishing Reporter, i.e., https://api.keepnetlabs.com/api/*.

Essential Whitelisting Checklist for Security Software

The below checklist provides a guideline for the whitelisting process in different security software categories:

It's critical to verify the integrity of the downloaded Phishing Reporter and Diagnostic Tool through their unique hash values. Once you download these applications, you should calculate their hash and whitelist this hash value in the respective security solutions. This process ensures that you're using the legitimate version of the tools and it hasn't been tampered with during the download process.

Here's how you can calculate the hash of a file on different platforms:

Replace 'yourfilename.exe' with the actual filename of the downloaded file.

• Windows: You can use the built-in 'CertUtil' tool. Open the Command Prompt, navigate to the directory where your file is located, and then use the following command:

  • certutil -hashfile yourfilename.exe SHA256

• Linux: The 'sha256sum' tool is usually available by default. Open the terminal, navigate to the directory containing the file, and then use the following command:

  • sha256sum yourfilename

• Mac OS: You can use the built-in 'shasum' command. Open the Terminal, navigate to the directory where your file is located, and then use the following command:

  • shasum -a 256 yourfilename

Whitelisting Procedures for Various Security Products

1. Symantec Antivirus

Symantec Antivirus provides both file and network-based protection. Therefore, you need to whitelist the application executables as well as the network communications.

• File-Based Exceptions: Open your Symantec Antivirus, go to Settings > Exceptions > Add Exception > Security Risk Exception > File. Then, locate the Phishing Reporter and Diagnostic Tool executables and add them as exceptions. Please ensure to verify the hash of the downloaded files to ensure their integrity.

• Network-Based Exceptions: Go to Settings > Exceptions > Add Exception > Security Risk Exception > Known Risk. Add https://api.keepnetlabs.com/api/* to the exceptions to ensure that network communications are not blocked.

2. Palo Alto Proxy

To whitelist network communications in Palo Alto Proxy, you need to create a custom URL category.

• Custom URL Category: Go to Objects > Custom Objects > URL Category > Add. Name the new category (e.g., "Keepnet Labs"). In the Sites section, add *.keepnetlabs.com/*. Apply the changes.

• URL Filtering: Create or modify a URL Filtering profile to allow the new custom URL category. This can be done in Objects > Security Profiles > URL Filtering.

3. Forcepoint DLP

For Forcepoint DLP, create a new rule to allow data to be sent to Keepnet Labs' server.

• New Rule: Go to DLP Policy Manager > File > New > DLP Policy > Rule > Add. In the new rule, set "Endpoint" as the Data Endpoint. Under "Destinations", add https://api.keepnetlabs.com/api/*. Under "Actions", select "Allow". Name and save the new rule.

4. CrowdStrike Falcon

CrowdStrike Falcon uses a cloud-based system to handle threats. Whitelisting can be done through the Falcon console.

• Prevention Policy Whitelisting: Log into the Falcon console. Navigate to Configuration > Prevention Policies. Select the policy to which you wish to add the exceptions. Under the 'Exclusions' section, click on 'Add New' > 'File'. In the dialog box, enter the SHA-256 hash of the Phishing Reporter and Diagnostic Tool files. Make sure to calculate the hash of the downloaded files to ensure their integrity. Set the 'Type' as 'Whitelist' and the 'Platform' as per your environment (Windows, Linux, or macOS). Add a description for your reference, and save the changes.

• Network Whitelisting: In the same policy configuration, navigate to the 'IOCs' section. Click on 'Add New' > 'Indicator'. Add https://api.keepnetlabs.com/api/* as an Indicator, select 'Network' as the type, and select 'Whitelist' as the action. Save the changes.

Need Help? Contact Support Team

For additional assistance or questions regarding the implementation and usage of our products, please contact our support team at support@keepnetlabs.com. Keepnet Labs is committed to supporting our customers at every step, providing necessary insights and assistance to ensure the successful implementation and usage of our products.