https://community.checkpoint.com/t5/Firewall-and-Security-Management/Zero-Day-Malicious-File-get-Block-but-hash-put-on-benign-cache/m-p/51882#M13525 <P><SPAN class="tlid-translation translation"><SPAN class="">Hello CheckMates!<BR /></SPAN></SPAN></P><P><SPAN class="tlid-translation translation"><SPAN class="">I would like your opinion with the following behavior</SPAN></SPAN> of Threat Emulation:</P><P>One of our customer with local TE250X Appliance experienced a serious issue on a malware campaing where the first malicious file who arrived to the appliance (via MTA) was prevented by TE as it should. However, the following files with <U><STRONG>same hash</STRONG></U> were allowed (thus, received on mailboxes)!!!!</P><P>I have understood if a file is detected as malicious should be put on malicious cache, so we had a big surprise when we found all this hash on benign cache instead of malicious. The same happened for more files who arrived that day:<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image_2019_04_25T22_14_06_329Z.png" style="width: 771px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/985iCCB228BC78733130/image-dimensions/771x467?v=v2" width="771" height="467" role="button" title="image_2019_04_25T22_14_06_329Z.png" alt="image_2019_04_25T22_14_06_329Z.png" /></span></P><P>As you can see on photo, all files had one thing in common: Severity High and Confidence N/A. Optimized Profile is in use (Engine version at that time was 58.990000492)</P><P>We tried debug with same files later on that day, but confidence level changed to HIGH and the files were putted on malicious cache correctly.</P><P>So now we have the following concerns:</P><OL><LI>Is expected behavior (put on benign cache) when the file's confidence can not be determined even if the severity already has a level (high in this case)???</LI><LI>How Check Point determine the confidence level for security events?</LI></OL><P>Currently we have a case opened with TAC but despite we already sent a lot of information, <SPAN class="tlid-translation translation"><SPAN class="">they could not explain this behavior</SPAN></SPAN> yet.</P><P>&nbsp;</P><P><SPAN class="tlid-translation translation"><SPAN class="">Has someone experienced the same? </SPAN></SPAN><SPAN class="tlid-translation translation"><SPAN class="">I will appreciate your comments</SPAN></SPAN></P> Fri, 12 Jul 2019 23:51:09 GMT MikeB 2019-07-12T23:51:09Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Zero-Day-Malicious-File-get-Block-but-hash-put-on-benign-cache/m-p/51882#M13525 <P><SPAN class="tlid-translation translation"><SPAN class="">Hello CheckMates!<BR /></SPAN></SPAN></P><P><SPAN class="tlid-translation translation"><SPAN class="">I would like your opinion with the following behavior</SPAN></SPAN> of Threat Emulation:</P><P>One of our customer with local TE250X Appliance experienced a serious issue on a malware campaing where the first malicious file who arrived to the appliance (via MTA) was prevented by TE as it should. However, the following files with <U><STRONG>same hash</STRONG></U> were allowed (thus, received on mailboxes)!!!!</P><P>I have understood if a file is detected as malicious should be put on malicious cache, so we had a big surprise when we found all this hash on benign cache instead of malicious. The same happened for more files who arrived that day:<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image_2019_04_25T22_14_06_329Z.png" style="width: 771px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/985iCCB228BC78733130/image-dimensions/771x467?v=v2" width="771" height="467" role="button" title="image_2019_04_25T22_14_06_329Z.png" alt="image_2019_04_25T22_14_06_329Z.png" /></span></P><P>As you can see on photo, all files had one thing in common: Severity High and Confidence N/A. Optimized Profile is in use (Engine version at that time was 58.990000492)</P><P>We tried debug with same files later on that day, but confidence level changed to HIGH and the files were putted on malicious cache correctly.</P><P>So now we have the following concerns:</P><OL><LI>Is expected behavior (put on benign cache) when the file's confidence can not be determined even if the severity already has a level (high in this case)???</LI><LI>How Check Point determine the confidence level for security events?</LI></OL><P>Currently we have a case opened with TAC but despite we already sent a lot of information, <SPAN class="tlid-translation translation"><SPAN class="">they could not explain this behavior</SPAN></SPAN> yet.</P><P>&nbsp;</P><P><SPAN class="tlid-translation translation"><SPAN class="">Has someone experienced the same? </SPAN></SPAN><SPAN class="tlid-translation translation"><SPAN class="">I will appreciate your comments</SPAN></SPAN></P> Fri, 12 Jul 2019 23:51:09 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Zero-Day-Malicious-File-get-Block-but-hash-put-on-benign-cache/m-p/51882#M13525 MikeB 2019-07-12T23:51:09Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Zero-Day-Malicious-File-get-Block-but-hash-put-on-benign-cache/m-p/51908#M13526 Perhaps it's a bug in the TE engine that we need to investigate.<BR />Can you tell me in a PM what the TAC SR is for this case? Fri, 26 Apr 2019 00:10:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Zero-Day-Malicious-File-get-Block-but-hash-put-on-benign-cache/m-p/51908#M13526 PhoneBoy 2019-04-26T00:10:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Zero-Day-Malicious-File-get-Block-but-hash-put-on-benign-cache/m-p/52075#M13527 TAC SR shared in a PM, thank you for your answer and Help! Mon, 29 Apr 2019 01:25:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Zero-Day-Malicious-File-get-Block-but-hash-put-on-benign-cache/m-p/52075#M13527 MikeB 2019-04-29T01:25:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Zero-Day-Malicious-File-get-Block-but-hash-put-on-benign-cache/m-p/54278#M13528 <P>Today we experience the same issue with identical behavor:</P><UL><LI><SPAN class="uiOutputText">The </SPAN><STRONG><SPAN class="uiOutputText">zero-day file</SPAN></STRONG><SPAN class="uiOutputText"> (arrived via email - MTA) is prevented but there is </SPAN><STRONG><SPAN class="uiOutputText">NO </SPAN></STRONG><SPAN class="uiOutputText">emulation report.</SPAN></LI><LI><SPAN class="uiOutputText">File has </SPAN><STRONG><SPAN class="uiOutputText">HIGH </SPAN></STRONG><SPAN class="uiOutputText">severity but confidence level </SPAN><STRONG><SPAN class="uiOutputText">N/A</SPAN></STRONG></LI><LI><SPAN class="uiOutputText">The file hash is placed in the </SPAN><STRONG><SPAN class="uiOutputText">benign </SPAN></STRONG><SPAN class="uiOutputText">cache without any apparent explanation</SPAN></LI></UL><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="benign_cache-230519.jpg" style="width: 848px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/1314i9B82F3D39A9B00E8/image-size/large?v=v2&amp;px=999" role="button" title="benign_cache-230519.jpg" alt="benign_cache-230519.jpg" /></span></P><P><SPAN class="uiOutputText"><SPAN class="tlid-translation translation"><SPAN>Has anyone experienced something similar?</SPAN>?? <SPAN class="">definitely this is not an expected behavior.</SPAN></SPAN></SPAN></P><P><SPAN class="uiOutputText"><SPAN class="tlid-translation translation"><SPAN class="">On the other hand, someone has an idea of how Check Point determines a Confidence level N/A???<BR /></SPAN></SPAN></SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Thu, 23 May 2019 20:50:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Zero-Day-Malicious-File-get-Block-but-hash-put-on-benign-cache/m-p/54278#M13528 MikeB 2019-05-23T20:50:03Z