https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-Malicious-Unknown-File-type-attachment-MTA-TE-R80-20/m-p/33813#M13417 <HTML><HEAD></HEAD><BODY><P>Hiii <A href="https://community.checkpoint.com/migrated-users/2075">Dameon Welch-Abernathy</A>‌ thanks for the suggestion.</P><P></P><P>Still we unable to block after enabling <STRONG>Process all file types</STRONG> option also.</P><P>As I can see .<STRONG>iso</STRONG>&nbsp;extension is not even on the list also but its block by <STRONG>TE</STRONG> but when I change the extension to .der or .mht&nbsp;then its allow the file to download.</P><P></P><P>Any workaround for this issue.&nbsp;</P><P></P><P>Thanks in Advance&nbsp;</P><P></P><P>#Chinmaya Naik</P></BODY></HTML> Tue, 19 Feb 2019 06:02:56 GMT Chinmaya_Naik 2019-02-19T06:02:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-Malicious-Unknown-File-type-attachment-MTA-TE-R80-20/m-p/33811#M13415 <HTML><HEAD></HEAD><BODY><P><SPAN style="text-decoration: underline; font-size: 15px;"><STRONG>Setup</STRONG></SPAN></P><P>MGMT Server : Open Server</P><P>Security Gateway : 15600</P><P>TE Appliance</P><P>MTA : Enabled</P><P></P><P><SPAN style="text-decoration: underline;"><STRONG>Requirement</STRONG></SPAN> <STRONG>:&nbsp;</STRONG>Our requirement is that Threat Emulation or Antivirus should drop the mail if any other or unknown extension is attach in the mail. (Currently Checkpoint TE and AV blade support more than 90 file type [AV] and 65 file type by [TE] )</P><P></P><P><IMG __jive_id="78497" class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/78497_pastedImage_12.png" /></P><P></P><P><STRONG>Seanario1 :</STRONG>&nbsp; Our case we change the extension of malicious file to any known extension as listed on above and send a mail and here <STRONG>AV</STRONG> is able to block the mail.</P><P><STRONG>Seanario2 :</STRONG> Suppose I change the&nbsp; extension to any other or&nbsp;unknown extension of that malicious file then here <STRONG>AV</STRONG> is not able to block that mail.&nbsp;</P><P></P><P><STRONG>Example :</STRONG> File Name : samples.tar (malicious file)</P><P></P><P>INTERNET ----&gt;&nbsp; MAIL (samples.tar mail attatchment ) -----&gt;&nbsp; BLOCK by TE</P><P></P><P>INTERNET ----&gt;&nbsp; MAIL (samples.tar.pdf mail attatchment ) -----&gt;&nbsp; BLOCK by TE&nbsp; (just changing the extension)</P><P></P><P>INTERNET ----&gt;&nbsp; MAIL (<STRONG>samples.tar.mht</STRONG> mail attatchment ) -----&gt;&nbsp; Allow and not able to find any log&nbsp; (just changing the extension)</P><P></P><P>INTERNET ----&gt;&nbsp; MAIL (<STRONG>samples.tar.der</STRONG> mail attatchment ) -----&gt;&nbsp; Allow and not able to find any log&nbsp;</P><P></P><P><SPAN style="text-decoration: underline;"><STRONG>NOTE :</STRONG></SPAN> We update the <STRONG>TE engine</STRONG> to version&nbsp; <STRONG><CODE>58.990000298</CODE></STRONG>. (sk92509)</P><P>Installed latest jumbo <STRONG>Take_33</STRONG><STRONG>&nbsp;</STRONG> with <STRONG>MTA take_24</STRONG>.</P><P></P><P></P><P>As per the <STRONG>sk121097</STRONG> (Last update on&nbsp;25-Oct-2017 )</P><P><SPAN style="color: #993366;">Threat Emulation is not scanning files if their extension was changed to unsupported file type&nbsp;is an expected behavior.<BR /></SPAN></P><P></P><P></P><P><SPAN style="color: #0000ff;"><STRONG># Chinmaya Naik</STRONG></SPAN></P></BODY></HTML> Fri, 15 Feb 2019 06:23:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-Malicious-Unknown-File-type-attachment-MTA-TE-R80-20/m-p/33811#M13415 Chinmaya_Naik 2019-02-15T06:23:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-Malicious-Unknown-File-type-attachment-MTA-TE-R80-20/m-p/33812#M13416 <HTML><HEAD></HEAD><BODY><P>You realize there's an option to scan all file types with AV, right?</P><P>I'm not aware of an option to block all "unknown" extension types.</P><P><IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/78527_pastedImage_1.png" /></P></BODY></HTML> Sat, 16 Feb 2019 00:08:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-Malicious-Unknown-File-type-attachment-MTA-TE-R80-20/m-p/33812#M13416 PhoneBoy 2019-02-16T00:08:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-Malicious-Unknown-File-type-attachment-MTA-TE-R80-20/m-p/33813#M13417 <HTML><HEAD></HEAD><BODY><P>Hiii <A href="https://community.checkpoint.com/migrated-users/2075">Dameon Welch-Abernathy</A>‌ thanks for the suggestion.</P><P></P><P>Still we unable to block after enabling <STRONG>Process all file types</STRONG> option also.</P><P>As I can see .<STRONG>iso</STRONG>&nbsp;extension is not even on the list also but its block by <STRONG>TE</STRONG> but when I change the extension to .der or .mht&nbsp;then its allow the file to download.</P><P></P><P>Any workaround for this issue.&nbsp;</P><P></P><P>Thanks in Advance&nbsp;</P><P></P><P>#Chinmaya Naik</P></BODY></HTML> Tue, 19 Feb 2019 06:02:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-Malicious-Unknown-File-type-attachment-MTA-TE-R80-20/m-p/33813#M13417 Chinmaya_Naik 2019-02-19T06:02:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-Malicious-Unknown-File-type-attachment-MTA-TE-R80-20/m-p/33814#M13418 <HTML><HEAD></HEAD><BODY><P>Offhand don't know, but will ask around <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P></BODY></HTML> Tue, 19 Feb 2019 16:17:40 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-Malicious-Unknown-File-type-attachment-MTA-TE-R80-20/m-p/33814#M13418 PhoneBoy 2019-02-19T16:17:40Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-Malicious-Unknown-File-type-attachment-MTA-TE-R80-20/m-p/33815#M13419 <HTML><HEAD></HEAD><BODY><P>As I can see .<STRONG>iso</STRONG>&nbsp;file type is not&nbsp;supported on AV but TE is supported so that file type (.iso) block by<SPAN>&nbsp;</SPAN><STRONG>TE</STRONG><SPAN>&nbsp;</SPAN>but when I change the extension to<SPAN>&nbsp;</SPAN><STRONG>.der</STRONG><SPAN>&nbsp;</SPAN>or<SPAN>&nbsp;</SPAN><STRONG>.mht</STRONG>&nbsp;then its allow the file to download because that two file type is not supported by TE and AV.&nbsp;</P><P></P><P>As per the&nbsp;<STRONG style="background-color: #ffffff; color: #000000; font-size: 14px; ">sk123140&nbsp;</STRONG><SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;">(How to configure Threat Emulation blade to block files according to file types) but as per our requirement is to block unknown filetype that not listed on AV and TE.</SPAN></P><P></P><P><SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;">Thanks in Advance&nbsp;</SPAN></P><P></P><P><SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;"><SPAN style="color: #333333;">Hiii&nbsp;<A href="https://community.checkpoint.com/migrated-users/2075">Dameon Welch-Abernathy</A>‌</SPAN>&nbsp;can<SPAN style="color: #333333;"><SPAN> we move this question to sandblast section?</SPAN></SPAN></SPAN></P><P></P><P><STRONG style="background-color: #ffffff; color: #000000; font-size: 14px; ">#Chinmaya Naik</STRONG></P></BODY></HTML> Wed, 20 Feb 2019 06:19:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-Malicious-Unknown-File-type-attachment-MTA-TE-R80-20/m-p/33815#M13419 Chinmaya_Naik 2019-02-20T06:19:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-Malicious-Unknown-File-type-attachment-MTA-TE-R80-20/m-p/33816#M13420 <HTML><HEAD></HEAD><BODY><P>Done.</P><P>Still checking with R&amp;D <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P></BODY></HTML> Thu, 21 Feb 2019 06:56:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-Malicious-Unknown-File-type-attachment-MTA-TE-R80-20/m-p/33816#M13420 PhoneBoy 2019-02-21T06:56:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-Malicious-Unknown-File-type-attachment-MTA-TE-R80-20/m-p/33817#M13421 <HTML><HEAD></HEAD><BODY><P>Thanks <A href="https://community.checkpoint.com/migrated-users/2075">Dameon Welch-Abernathy</A>‌&nbsp; &nbsp;&nbsp;</P><P></P><P>Waiting for your response.</P><P></P><P>#Chinmaya Naik</P></BODY></HTML> Thu, 21 Feb 2019 07:42:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-Malicious-Unknown-File-type-attachment-MTA-TE-R80-20/m-p/33817#M13421 Chinmaya_Naik 2019-02-21T07:42:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-Malicious-Unknown-File-type-attachment-MTA-TE-R80-20/m-p/50499#M13422 <P>Hi, a little late, I realize, but it seems there is an option in the Threat Prevention profile to deal with unknown extensions:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image001.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/751i7482E04654C49D9A/image-size/large?v=v2&amp;px=999" role="button" title="image001.png" alt="image001.png" /></span></P> Wed, 10 Apr 2019 23:34:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-Malicious-Unknown-File-type-attachment-MTA-TE-R80-20/m-p/50499#M13422 PhoneBoy 2019-04-10T23:34:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-Malicious-Unknown-File-type-attachment-MTA-TE-R80-20/m-p/53003#M13423 <P>Hello,</P><P>&nbsp;</P><P>is there an update to this issue?</P><P>Especially the mht files.</P><P>It seems that the Sandbox mht files does not recognize as files. That means blocking all unknown files does not work since the file is not detected.</P><P>Regards,</P><P>Klaas</P><P>&nbsp;</P> Thu, 09 May 2019 11:09:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-Malicious-Unknown-File-type-attachment-MTA-TE-R80-20/m-p/53003#M13423 Klaas 2019-05-09T11:09:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-Malicious-Unknown-File-type-attachment-MTA-TE-R80-20/m-p/53014#M13424 The sandbox cannot emulate "unknown" file types but AV should block them if so configured.<BR />If you've configure AV and the Threat Prevention profile as pictured above and it is still getting through, please open a TAC ticket. Thu, 09 May 2019 13:36:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-Malicious-Unknown-File-type-attachment-MTA-TE-R80-20/m-p/53014#M13424 PhoneBoy 2019-05-09T13:36:23Z