What's the simplest way to block a Top-Level-Domain (*.ru/* for example )in web protection?

I would be careful of Country Blocking, all be it some are obvious i.e. you probably do not do anything with Russia or China and most businesses are not going to establish a data hub there with all the malicious hacking going on from either of them.  However you need to know your countries if you are doing this, for example Microsoft has data hubs in Singapore, Germany and many other countries that can cause issues with Office 365.  Many AWS servers are not always native to the US either, anyway good practice but don't just blanket the planet, do a few at a time and check things in the logs to see what is being blocked.

Additionally not all .ru servers are in Russia some are based in the US.

Ian

These points are understood. We simply don't do any legit business requiring access to many TLDs. There are many phishing and Emotet download attempts using 3rd-world country domains, for example.

In our business users have no need to be on sites outside Australia, Japan, NZ, Singapore etc so for them to be going to China, Russia, etc is really a no no.

That said we all understand not all these locations host bad content.

An interesting fact from a recent Webroot report:

Russia only hosts 3% of the bad URLs and China 5%

The really worrying thing is:

Clearly the problem is the northern hemisphere.  In fact, given that 63% are hosted in the US, just block that country.  :)

LOL yeah that will fix it.

It's bad enough using Office 365 and with the "Load Balancing" we get our data hitting servers in HK and China (I am in Melbourne)

Then there is TeamViewer with servers all over Europe

A few exceptions need to be created to my world of blocking everything LOL

Seriously though, as a completely separate thing from website categorization there is a large effort within Sophos Labs to block malware URLs and domains.  To this end, everyone should make sure they are always blocking the "Criminal Activities" User Activity (or the categories within it).

https://www.sophos.com/en-us/labs.aspx

As examples, regardless of geography, I don't know where a ".online" or ".loan" domain might be physically hosted but I know my users don't have any business going there.

krebsonsecurity.com/.../

Is there a KB article better describing what the categories contain such as "Criminal Activities"? That's a bit open to interpretation. I'd put all Wall Street banks in there, for example.

There are a hundred categories.  Managing a rule for each separately is complex.  Therefore the categories are grouped together, along with filetypes into "User Activities".

You can go into Web \ User Activities to see the categories in each.

You can go into Web \ Categories and click into a category to get a description.  I think there must be a list somewhere in help or a KB of all the descriptions.  But there is another place to get them.  This site, used for some internal testing, contains a list of categories and descriptions.  Please note that this site has different lists for different products, the list of categories for CWG and XG are the same.

http://www.sophostest.com/cwg/