Creating Blocklists for Sky ATP Email and Malware Management
Use the Modify Blacklist page to add email addresses, IP addresses, and URLs to the blocklist. A blocklist contains known untrusted IP addresses, URLs, and domains. Access to locations on the blocklist is blocked, and therefore no content can be downloaded from those sites.
Before You Begin
Read the Sky ATP Email Management Overview topic.
Read the Sky ATP Malware Management Overview topic.
Compile a list of known malicious email addresses or domains to add to your blocklist. If an email matches the blocklist, it is considered malicious and is handled the same way as an email with a malicious attachment: it is blocked and a replacement email is sent. If an email matches the allowlist, that email is allowed through without any scanning.
It is worth noting that attackers can easily fake the “From” email address of an email, making blocklists a less effective way to stop malicious emails.
Decide on the type of location you intend to define: URL or IP address.
Review the current list of entries to ensure that the item you are adding does not already exist.
To configure the blocklists:
- Select Configure > Threat Prevention > Feed Sources.
The Feed Sources page appears.
- Under the Sky ATP tab, right-click the Sky ATP realm or from the More list, select Blacklist.
The Modify Blacklist page appears.
- Click the + sign to add more entries to the blocklist.
- Complete the configuration by using the guidelines in Table 1.
- Click OK.
Table 1: Fields on the Modify Blacklist Page
The allowed email senders are listed here.
To add more email senders to the blocklist, click the + sign.
Enter the full address in the format email@example.com or wildcard the name to permit all emails from a specific domain. For example, *@domain.com.
IP and URL
Enter an IP address or a URL.
To edit an existing blocklist entry, select the blocklist that you want to edit and click the pencil icon.
Sky ATP periodically polls for new and updated content and automatically downloads it to your SRX Series device. There is no need to manually push your blocklist files.
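The "Before You Begin" checks (decide the entry type, confirm the item is not already listed) can be run offline against an exported copy of the current entries before anything is typed into the Modify Blacklist page. The following is an added example, not Juniper code: the syntax rules, the normalization (lowercasing, dropping the URL scheme and trailing slash), and the names classify, covered, and plan_additions are assumptions for illustration, not Sky ATP's own validation.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed syntax for "email@example.com" and "*@domain.com"; not Sky ATP's validator.
EMAIL_RE = re.compile(r"^(\*|[A-Za-z0-9._%+-]+)@([A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+)$")

def classify(entry):
    """Return (kind, normalized) where kind is 'email', 'ip', 'url' or 'invalid'."""
    entry = entry.strip()
    m = EMAIL_RE.match(entry)
    if m:
        return "email", f"{m.group(1).lower()}@{m.group(2).lower()}"
    try:
        return "ip", str(ipaddress.ip_address(entry))
    except ValueError:
        pass
    # A bare host/path is parsed as a URL by prefixing "//" (assumption).
    parts = urlsplit(entry if "://" in entry else "//" + entry)
    host = parts.hostname or ""
    if "." in host and " " not in entry and "@" not in entry:
        return "url", host.lower() + parts.path.rstrip("/")
    return "invalid", entry

def covered(kind, value, existing):
    """True if value is already listed or matched by an existing *@domain wildcard."""
    wildcard = ("email", "*@" + value.split("@", 1)[1]) if kind == "email" else None
    return (kind, value) in existing or wildcard in existing

def plan_additions(current, candidates):
    existing = {classify(e) for e in current}
    to_add, skipped = [], []
    for cand in candidates:
        kind, value = classify(cand)
        if kind == "invalid" or covered(kind, value, existing):
            skipped.append((cand, "invalid" if kind == "invalid" else "already covered"))
        else:
            to_add.append((kind, value))
            existing.add((kind, value))  # also catches duplicates within the candidates
    return to_add, skipped

# Constructed sample data (documentation-reserved addresses and domains only).
CURRENT = ["*@bad.example", "192.0.2.10", "http://malware.example/dl"]
CANDIDATES = ["Phish@Bad.example", "billing@spoof.example", "192.0.2.10",
              "198.51.100.7", "malware.example/dl/", "not an entry"]

if __name__ == "__main__":
    print(plan_additions(CURRENT, CANDIDATES))
```

An address skipped as "already covered" by a wildcard such as *@bad.example does not need its own row, which keeps the list short enough to review by eye.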