In a custom list configuration you define the known and suspected domains and IP addresses for a policy. You add custom lists to a policy. You also select how Enterprise Threat Protector (ETP) handles known or suspected threats to your network. If a domain or IP address is listed in more than one list, ETP performs the policy action with the highest priority. To learn more about policy actions, see Policy actions for lists and threat categories.
|Malware||Domains and IP addresses known or suspected to host malicious software.|
|Phishing||Domains and IP addresses known or suspected to host phishing websites that gather user credential information.|
|Command and Control (C&C)||Domains and IP addresses used by malicious command and control servers.|
|DNS Exfiltration||Domains and IP addresses that serve as a communication channel over DNS. This channel may be used to steal sensitive data or circumvent traditional access restrictions by allowing malware to communicate outside the network.|
|Other||Domains or IP addresses that are not associated with a specific threat category.|
- A top-level domains list contains country-code top-level domains (ccTLD) and generic top-level domains (gTLD). For more information, see Top-level domains list.
- An exception list contains the domains or IP addresses that you want directed to the origin. If ETP proxy is enabled, the domains or IP addresses in this list bypasses ETP Proxy. For more information, see Exception lists.
- A file hash list contains the hashes of files that you don’t want scanned by data loss prevention (DLP). For more information, see File hash lists and Data loss prevention.
When creating any type of custom list, whether it is a custom list, top-level-domains list, or an exception list, each entry is counted. For example, in a custom list, each domain and IP address entry is counted separately. ETP allows you to have a maximum of 200,000 list entries.
Like other configuration changes, you must deploy a new or updated list to the ETP network. Custom lists deploy in the same 20-30 seconds as other configuration changes.