WSS common application bypasses

Article ID: 222807

Products

Web Security Service - WSS

Issue/Introduction

The WSS Agent provides the ability to add web application executables to a WSS Agent bypass list.

Use Case—Connection Errors

  • Some clients running WSS Agent might fail to connect to web applications through WSS. This issue is most common when WSS is integrated with CloudSOC for CASB inspection.
  • A common cause of lost connections is a thick client that pins its certificate: the connection breaks when WSS inserts its own SSL certificate. Dropbox is a prominent thick-client example of this use case.
  • When WSS encounters this issue, it cannot display response messages to the requesting clients, and no error codes are returned. From the end user's perspective the application simply does not work, which leads to support calls and troubleshooting.
  • WSS bypasses or blocks connections from the thick app (for example, Dropbox), but the website (for example, www.dropbox.com) remains subject to the defined WSS policies (content, malware, DLP).

Connections on macOS Big Sur

  • On macOS 11.x (Big Sur), VPN and meeting software might experience connection issues when a network extension such as WSS Agent is installed. You can bypass these applications.

Use Case—Strategic Bypass

Bypass applications (such as a VPN client) directly, which removes the need to bypass the VPN and SAML IP addresses individually.

General Rules

  • Prefer wildcards to entering multiple distinct paths.
  • For macOS, use the double-asterisk (**) wildcard for everything past the .app or .systemextension you are bypassing.
  • For Windows, use the double-asterisk (**) wildcard for everything within the installation directory so that all binaries for that application are covered.
  • Group all the paths and certificates for an application in a single "Executable Bypass" in the portal. You can safely combine both Windows and macOS configurations into a single application.
  • On macOS Big Sur, network extensions are staged into the /Library/SystemExtensions/<OS-DEFINED-HASH>/ directory. Use a single asterisk (*) to match the OS-defined hash value.
  • When entering paths and certificates in the portal, do not wrap them in quotes or escape spaces. Enter the values exactly as provided.

See WSS Agent—Bypass Applications for more information.
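To check before rollout that a set of configured bypass patterns actually covers the executable paths reported from endpoints, here is an added example (not WSS Agent or Broadcom code) that applies the wildcard rules above to sample paths. It assumes that * matches exactly one path component and ** any number of components, which is how this article describes them; the observed paths and binary names below are constructed.

```python
# Added example, not WSS Agent code. Assumed semantics, taken from the
# article's General Rules: "*" matches exactly one path component (e.g. the
# OS-defined hash under /Library/SystemExtensions/), "**" matches any number
# of components. The agent's real matcher is not documented on this page.

def _split(path: str) -> list[str]:
    """Split a macOS (/) or Windows (\\) path into components.
    Windows components are case-folded because NTFS lookups ignore case."""
    if "\\" in path:
        return [c.lower() for c in path.split("\\") if c]
    return [c for c in path.split("/") if c]

def _match(pattern: list[str], path: list[str]) -> bool:
    """Component-wise match; "**" may consume zero or more components."""
    if not pattern:
        return not path
    head, rest = pattern[0], pattern[1:]
    if head == "**":
        return any(_match(rest, path[i:]) for i in range(len(path) + 1))
    if not path:
        return False
    if head == "*" or head == path[0]:
        return _match(rest, path[1:])
    return False

def bypass_matches(pattern: str, path: str) -> bool:
    """True if the executable path is covered by the bypass pattern."""
    return _match(_split(pattern), _split(path))

def uncovered(patterns: list[str], observed: list[str]) -> list[str]:
    """Return observed executable paths that no configured pattern covers."""
    return [p for p in observed if not any(bypass_matches(x, p) for x in patterns)]

# Patterns quoted from this article's tables.
PATTERNS = [
    "/Applications/GlobalProtect.app/**",
    "/Library/SystemExtensions/*/com.paloaltonetworks.GlobalProtect.client.extension.systemextension/**",
    r"C:\Users\*\AppData\**\signal-desktop\Signal.exe",
]

# Constructed sample paths (hash and binary names are made up for illustration).
OBSERVED = [
    "/Applications/GlobalProtect.app/Contents/MacOS/GlobalProtect",
    "/Library/SystemExtensions/0F3A5C1E-EXAMPLE-HASH/com.paloaltonetworks.GlobalProtect.client.extension.systemextension/Contents/MacOS/gp-ext",
    "/Library/SystemExtensions/com.paloaltonetworks.GlobalProtect.client.extension.systemextension/Contents/MacOS/gp-ext",  # no hash dir: "*" needs one component
    r"c:\users\alice\appdata\local\programs\signal-desktop\Signal.exe",  # covered despite case
    r"C:\Users\alice\AppData\Local\Programs\signal-desktop\resources\helper.exe",  # pattern ends in Signal.exe
]

if __name__ == "__main__":
    for p in uncovered(PATTERNS, OBSERVED):
        print("not covered:", p)
```

Running it lists the two constructed paths that the quoted patterns do not cover, which is the kind of gap that would otherwise surface as a user-facing connection failure.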

Resolution

Application List

The following tables can be used to determine a set of bypasses suitable for each application. The paths and certificates include all locations on both macOS and Windows for each application.

  • To bypass applications on macOS Big Sur, you should be running WSSA 7.3.5 or later.
  • Any application downloaded from the macOS App Store is signed by Apple Mac OS Application Signing. The tables below only include the certificate information for standalone installers.
  • For applications on macOS with a space in their path, certificate validation only works when running WSSA 7.4.1 or later. To use these bypasses on macOS with WSSA 7.3.x, select the "None" validation option in the WSS portal.
  • Only information from the latest versions of the applications is listed below. Older versions may install in different locations and/or have different certificates.

VPN Applications

Palo Alto GlobalProtect
  Paths:
    • /Applications/GlobalProtect.app/**
    • /Library/SystemExtensions/*/com.paloaltonetworks.GlobalProtect.client.extension.systemextension/**
    • C:\Program Files\Palo Alto Networks\GlobalProtect\**
  Certificates:
    • Developer ID Application: Palo Alto Networks (PXPZ95SK77)
    • Palo Alto Networks

Cisco AnyConnect
  Paths:
    • /Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app/**
    • /Library/SystemExtensions/*/com.cisco.anyconnect.macos.acsockext.systemextension/**
    • C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\**
  Certificates:
    • Developer ID Application: Cisco (DE8Y96K9QP)
    • Cisco Systems, Inc.

Pulse Secure
  Paths:
    • /Applications/Pulse Secure.app/**
    • /Library/Application Support/Pulse Secure/**
    • /Library/SystemExtensions/*/net.pulsesecure.firewall.systemextension.systemextension/**
    • C:\Program Files (x86)\Pulse Secure\**
    • C:\Program Files (x86)\Common Files\Pulse Secure\**
  Certificates:
    • Developer ID Application: Pulse Secure LLC (3M2L5SNZL8)
    • Pulse Secure, LLC

Video Conferencing Applications

Cisco Webex
  Paths:
    • /Applications/Cisco Webex Meetings.app/**
    • /Users/*/Library/Application Support/WebEx Folder/*/Meeting Center.app/**
    • C:\Users\*\AppData\Local\WebEx\**
  Certificates:
    • Developer ID Application: Cisco (DE8Y96K9QP)
    • Cisco WebEx LLC

Microsoft Teams
  Paths:
    • /Applications/Microsoft Teams.app/**
    • C:\Users\*\AppData\Local\Microsoft\Teams\**
  Certificates:
    • Developer ID Application: Microsoft Corporation (UBF8T346G9)
    • Microsoft Corporation

Zoom
  Paths:
    • /Applications/zoom.us.app/**
    • C:\Users\*\AppData\Roaming\Zoom\**
  Certificates:
    • Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)
    • Zoom Video Communications, Inc.

Messaging Applications

Signal
  Paths:
    • /Applications/Signal.app/**
    • C:\Users\*\AppData\**\signal-desktop\Signal.exe
  Certificates:
    • Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR)
    • Signal Messenger, LLC

Slack
  Paths:
    • /Applications/Slack.app/**
    • C:\Users\*\AppData\Local\slack\**
  Certificates:
    • Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)
    • Slack Technologies, Inc.