How to provide malicious domain/URL’s to VMware Technical Support for NSX Threat Response requests

Article ID: 337697

Products

VMware NSX

Issue/Introduction

This article outlines best practices for sending a potentially malicious domain/URL in a Support Request. 

VMware Technical Support may occasionally need to collect domain and URL reputation data for investigating False Positive, False Negative, or other detection questions in the NSX product. When providing a link to a potentially malicious domain or URL, it is recommended to “de-fang” the URL to prevent a VMware Technical support engineer from accidentally loading a malicious site.  

For submitting malicious files or attachments, see KB: How to provide a Malware Sample to VMware Technical Support for NSX Threat Response requests

Environment

VMware NSX-T Data Center

Resolution

Details: 

Occasionally a domain or URL will be needed in order to further investigate support requests on: 
  • False positives  (FP) 
  • False negatives (FN) 
  • General questions on detection coverage 
This article provides a guideline for customers to safely send a potentially malicious domain or URL as part of the Broadcom Support Request.

There are two options we recommend when including a URL/domain in the description or comments of a Support Request: 
  1. Defang the URL 
  2. Insert the URL into a text file and create a password protected archive 

Option 1: Defang the URL: 

Defanging is a best practice when dealing with suspicious or malicious URLs, because the support engineer working the Support Request could click the URL by mistake. Defanging prevents a URL from being “clickable”: we change the HTTP part of the URL so that it is still readable to the human eye but is not clickable.

To defang a URL, replace each “t” in http with “X” and wrap the “.” (period) in square brackets. For example, you could change the URL:

Original: "https://www.example-malicious-domain.com/"

to

Defanged URL: "hXXps://www.example-malicious-domain[.]com/"
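
The following is an added example, not part of the original article or any VMware/Broadcom tooling: it defangs every http/https URL in a block of Support Request text and lists any URL that is still clickable. It brackets every dot in the host, which is stricter than the single bracketed dot in the example above; the function names and the sample text are constructed for illustration.

```python
import re

# A live http/https URL in free text: "h", rest of scheme, host[:port], remainder.
LIVE_URL = re.compile(r"\b(h)tt(ps?)://([^\s/?#]+)(\S*)", re.IGNORECASE)
# A dot that is not already wrapped as "[.]" (keeps the operation idempotent).
BARE_DOT = re.compile(r"(?<!\[)\.(?!\])")


def defang_host(host):
    """Wrap each unwrapped dot of a hostname or IP address in square brackets."""
    return BARE_DOT.sub("[.]", host)


def defang_text(text):
    """Defang every live http(s) URL in a block of Support Request text."""
    def _one(m):
        h, scheme_rest, host, tail = m.groups()
        # Sentence punctuation glued to a path-less URL is not part of the host.
        core = host.rstrip(".,;)")
        tail = host[len(core):] + tail
        return f"{h}XX{scheme_rest}://{defang_host(core)}{tail}"
    return LIVE_URL.sub(_one, text)


def live_urls(text):
    """Return URLs that are still clickable; an empty list means safe to paste."""
    return [m.group(0) for m in LIVE_URL.finditer(text)]


# Constructed sample comment (documentation-range IP, example domains).
SAMPLE = (
    "Blocked https://www.example-malicious-domain.com/login.php?id=1 "
    "but allowed http://198.51.100.7:8080/a and http://bad.example.net."
)

if __name__ == "__main__":
    print(live_urls(SAMPLE))
    print(defang_text(SAMPLE))
```

Running `live_urls()` on the final text before pasting it into the Support Request is a quick check that nothing clickable remains.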

Option 2: Insert URL into a password-protected archive: 
  1. Put the URL in question in an encrypted ZIP archive with the password "infected". Any other password you prefer can also be used, but please share it with the support engineer.
  2. Upload the password-protected archive to the specific SR in the Broadcom support portal by following the KB article below:
    https://knowledge.broadcom.com/external/article?legacyId=2069559
  3. In the Support Request, please provide additional details on your FP/FN assessment or threat issue.