What's the simplest way to block a Top-Level-Domain (*.ru/* for example )in web protection?

I know this works in UTM hoping XG

https?://[A-Za-z0-9.-]*\.ru/

or

http?://[A-Za-z0-9.-]*\.ru/

You can also use country blocking, you may be aware but figure I would mention it.

Badrobot said:

 https?://[A-Za-z0-9.-]*\.ru/

http?://[A-Za-z0-9.-]*\.ru/

If working with this REGEX Snippets, then the pattern for an URL with Path behind should be added as well (for Example mydomain.ru/mypage/index.php wouldnt be affected by this REGEX Snippets above). Afterwards this Regex Snippet can be used to create an URL Group that afterwards can be used in Webfilter Policy.

By the way... Why do you want to block all *.ru pages? not all of those are bad... I don't se a usecase for something like this :-S

I would be careful of Country Blocking, all be it some are obvious i.e. you probably do not do anything with Russia or China and most businesses are not going to establish a data hub there with all the malicious hacking going on from either of them.  However you need to know your countries if you are doing this, for example Microsoft has data hubs in Singapore, Germany and many other countries that can cause issues with Office 365.  Many AWS servers are not always native to the US either, anyway good practice but don't just blanket the planet, do a few at a time and check things in the logs to see what is being blocked.

Additionally not all .ru servers are in Russia some are based in the US.

Ian

These points are understood. We simply don't do any legit business requiring access to many TLDs. There are many phishing and Emotet download attempts using 3rd-world country domains, for example.

In our business users have no need to be on sites outside Australia, Japan, NZ, Singapore etc so for them to be going to China, Russia, etc is really a no no.

That said we all understand not all these locations host bad content.

An interesting fact from a recent Webroot report:

Russia only hosts 3% of the bad URLs and China 5%

The really worrying thing is:

Clearly the problem is the northern hemisphere.  In fact, given that 63% are hosted in the US, just block that country.  :)

LOL yeah that will fix it.

It's bad enough using Office 365 and with the "Load Balancing" we get our data hitting servers in HK and China (I am in Melbourne)

Then there is TeamViewer with servers all over Europe

A few exceptions need to be created to my world of blocking everything LOL

Seriously though, as a completely separate thing from website categorization there is a large effort within Sophos Labs to block malware URLs and domains.  To this end, everyone should make sure they are always blocking the "Criminal Activities" User Activity (or the categories within it).

https://www.sophos.com/en-us/labs.aspx

As examples, regardless of geography, I don't know where a ".online" or ".loan" domain might be physically hosted but I know my users don't have any business going there.

krebsonsecurity.com/.../

Is there a KB article better describing what the categories contain such as "Criminal Activities"? That's a bit open to interpretation. I'd put all Wall Street banks in there, for example.

There are a hundred categories.  Managing a rule for each separately is complex.  Therefore the categories are grouped together, along with filetypes into "User Activities".

You can go into Web \ User Activities to see the categories in each.

You can go into Web \ Categories and click into a category to get a description.  I think there must be a list somewhere in help or a KB of all the descriptions.  But there is another place to get them.  This site, used for some internal testing, contains a list of categories and descriptions.  Please note that this site has different lists for different products, the list of categories for CWG and XG are the same.

http://www.sophostest.com/cwg/

There are a hundred categories.  Managing a rule for each separately is complex.  Therefore the categories are grouped together, along with filetypes into "User Activities".

You can go into Web \ User Activities to see the categories in each.

You can go into Web \ Categories and click into a category to get a description.  I think there must be a list somewhere in help or a KB of all the descriptions.  But there is another place to get them.  This site, used for some internal testing, contains a list of categories and descriptions.  Please note that this site has different lists for different products, the list of categories for CWG and XG are the same.

http://www.sophostest.com/cwg/

This definition of "Criminal Activities" doesn't seem to like-up with the advice of using this category for malware domains, etc:

Criminal Activity

Includes sites for advocating, instructing, or giving advice on performing illegal acts; tips on evading law enforcement; and lock-picking and burglary techniques.

The User Activity called Criminal Activity contains 7 categories.

One of the categories is also called Criminal Activity.  The description may not be ideal - I know that child porn and other illegal to browse to things are categorized as Criminal Activity.

The other most important category is Spyware and Malware.  This is where a lot of the bad computer security stuff is.

Blocking the entire User Activity is what I recommend.

I will not comment on the decision of naming a User Activity the same as a Category.  :)

Understood. Going to add it. Thanks for your input on the forums!

Ugh!  Just went and looked at some of the backend and mapping.  Again, I will not comment on decisions for naming and inclusion.  :)

Consider blocking User Activity Suspicious.  This is a mix of bad stuff (spam) and not bad stuff (advertising).  Maybe look at the categories inside and make a decision.

I would also personally block these:

Command and Control (if you are using Advanced Threat Protection then this is already blocked.  If you are not then this category takes effect.)

Spam URLs (also part of the User Activity Suspicious)

Hacking