topic Re: MTA AV Exceptions in Firewall and Security Management

MTA AV Exceptions

Shahar_Grober — Mon, 25 Mar 2019 10:02:39 GMT

Hi, AV in MTA is blocking one of our emails coming from a trusted source This is a False positive. The only option I see to exclude the sender Mail Adress is in IPS profile --> Threat Emulation --> Excluded Mail Adresses. Is there a way to exlude Emails from MTA scanning until the issue is resolved with the AV?

Re: MTA AV Exceptions

PhoneBoy — Mon, 25 Mar 2019 13:48:05 GMT

Seems to me you could create a modified Threat Prevention policy to do this, where traffic coming from your partners SMTP server doesn't have AV applied…

Re: MTA AV Exceptions

Shahar_Grober — Tue, 26 Mar 2019 10:00:05 GMT

The problem is that the traffic is incoming from the mail relay The AV MTA doesn't have a way to exclude email addresses (in opposite to TE MTA) According to TAC I have to use indicators to exclude it from Threat Prevention policy but this makes everything more complicated since I cannot only exclude the trusted sender email address

Re: MTA AV Exceptions

PhoneBoy — Tue, 26 Mar 2019 21:45:33 GMT

That's why I suggested using the IP address of the SMTP server (assuming they're coming from the same IP).

Re: MTA AV Exceptions

Shahar_Grober — Wed, 27 Mar 2019 17:44:32 GMT

This is not possible because the IP address is of the mail relay External SMTP Mail server --> Mail Realy --> Check Point MTA --> Exchange The MTA sees only the mail relay so I cannot exclude the mail of the external SMTP server because the source is the mail relay

Re: MTA AV Exceptions

MikeB — Thu, 05 Sep 2019 20:16:28 GMT

Hi @Shahar_Grober, Im experiencing the same situation with a client (AV MTA with false positive).
were you able to solve this??? I would greatly appreciate your comments

Re: MTA AV Exceptions

Shahar_Grober — Fri, 06 Sep 2019 08:31:49 GMT

Hi Miguel,

the easiest way is to use IOC Indicators exceptions (mark them as inactive)

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92264&partition=Advanced&product=Anti-Bot,#Indicator%20(IOC)

documentation is not the greatest but you need to build a csv file in the following format

# UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT
Indicator_bypsass https://abcd.com URL low low AV bypass1

Re: MTA AV Exceptions

Cristian_F_CCSM — Thu, 29 Feb 2024 17:24:09 GMT

Hello, we have the same issue.

We implemented the threat prevention exclusion for the URLs via Smart Console (global exeptions).

We will test the configuration in the next days, we will update the community.

Regards.

Re: MTA AV Exceptions

Cristian_F_CCSM — Fri, 01 Mar 2024 07:24:05 GMT

Hello, this configuration doesn't work.

We will proceed with IOC Indicators exceptions... stay tuned!

Re: MTA AV Exceptions

Cristian_F_CCSM — Mon, 04 Mar 2024 09:47:27 GMT

Hello, not even the use of IOC Indicators (inactive) solved the problem.
We will open an SR to the TAC.

Regards

Re: MTA AV Exceptions

Cristian_F_CCSM — Tue, 05 Mar 2024 14:34:29 GMT

Hello, we used sk166272 with success.

Regards.