https://community.checkpoint.com/t5/Firewall-and-Security-Management/Embedded-Office-com-links-in-PDF-s/m-p/6993#M14072 <HTML><HEAD></HEAD><BODY><P>Hi Andre,</P><P></P><P>you can control this feature via:</P><P></P><PRE>[Expert@Gateway:0]# tecli advanced analyzer<BR />Command: root-&gt;advanced-&gt;analyzer<BR /><BR />Available options:<BR /> show - display analyzer attributes values<BR /> enable - enable or disable analyzer investigator<BR /> max_embedded_files_limit - Set maximum embedded files limit<BR /> max_embedded_links_limit - Set maximum embedded links limit<BR /> prohibited - prohibited objects menu<BR /><BR />[Expert@Gateway:0]# tecli advanced analyzer show<BR /> File Analyzer: ON<BR /> Maximum embedded files limit: 10<BR /> Maximum embedded links limit: 20<BR /> Block encrypted documents: OFF<BR /> Block documents that contain sensitive links (links to local or network path): OFF<BR /> Block documents that contain macros and code: OFF<BR /> Block documents with embedded word file type: OFF<BR /> Block documents with embedded excel file type: OFF<BR /> Block documents with embedded power point file type: OFF<BR /> Block documents with embedded executable file type: OFF<BR /> Block documents with embedded zip file type: OFF<BR /> Block documents with embedded flash file type: OFF<BR /> Block documents with embedded pdf file type: OFF<BR /> Block documents with embedded js file type: OFF</PRE><P></P><P>Reporting possible FPs to Check Point is valuable because it remediates also possible future FPs.</P><P>In many cases we can change "Detection rules" which is not simple file hash whitelisting. In such cases multiple FPs will be gone in a single effort if the behavioral detection behind the FP is the same. Detection rules are updated automatically.</P><P></P><P>Always remember that during opening a FP case we will check if the file is really malicious. There were cases in the past that first looked like a FP but during analysts investigation were proofed to be malicious.</P><P></P><P>Regards Thomas</P></BODY></HTML> Wed, 04 Oct 2017 12:33:42 GMT Thomas_Werner 2017-10-04T12:33:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Embedded-Office-com-links-in-PDF-s/m-p/6992#M14071 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 10.0pt;">Hi all, I noticed that the Sandblast marks particulair.pdf files with an embedded link from Microsoft (in this case a custom created Office form via <A href="https://forms.office.com">https://forms.office.com</A>) as a malicious C&amp;C site. &nbsp;This is defiantly a false positive. Anyone experienced the same?. Of course I can follow sk118875 and submit this false positive for review by Check Point support but this is quite a hassle due to privacy rights and sharing customer data etc. Any suggestions are welcome. </SPAN></P></BODY></HTML> Tue, 03 Oct 2017 13:29:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Embedded-Office-com-links-in-PDF-s/m-p/6992#M14071 Andre_K 2017-10-03T13:29:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Embedded-Office-com-links-in-PDF-s/m-p/6993#M14072 <HTML><HEAD></HEAD><BODY><P>Hi Andre,</P><P></P><P>you can control this feature via:</P><P></P><PRE>[Expert@Gateway:0]# tecli advanced analyzer<BR />Command: root-&gt;advanced-&gt;analyzer<BR /><BR />Available options:<BR /> show - display analyzer attributes values<BR /> enable - enable or disable analyzer investigator<BR /> max_embedded_files_limit - Set maximum embedded files limit<BR /> max_embedded_links_limit - Set maximum embedded links limit<BR /> prohibited - prohibited objects menu<BR /><BR />[Expert@Gateway:0]# tecli advanced analyzer show<BR /> File Analyzer: ON<BR /> Maximum embedded files limit: 10<BR /> Maximum embedded links limit: 20<BR /> Block encrypted documents: OFF<BR /> Block documents that contain sensitive links (links to local or network path): OFF<BR /> Block documents that contain macros and code: OFF<BR /> Block documents with embedded word file type: OFF<BR /> Block documents with embedded excel file type: OFF<BR /> Block documents with embedded power point file type: OFF<BR /> Block documents with embedded executable file type: OFF<BR /> Block documents with embedded zip file type: OFF<BR /> Block documents with embedded flash file type: OFF<BR /> Block documents with embedded pdf file type: OFF<BR /> Block documents with embedded js file type: OFF</PRE><P></P><P>Reporting possible FPs to Check Point is valuable because it remediates also possible future FPs.</P><P>In many cases we can change "Detection rules" which is not simple file hash whitelisting. In such cases multiple FPs will be gone in a single effort if the behavioral detection behind the FP is the same. Detection rules are updated automatically.</P><P></P><P>Always remember that during opening a FP case we will check if the file is really malicious. There were cases in the past that first looked like a FP but during analysts investigation were proofed to be malicious.</P><P></P><P>Regards Thomas</P></BODY></HTML> Wed, 04 Oct 2017 12:33:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Embedded-Office-com-links-in-PDF-s/m-p/6993#M14072 Thomas_Werner 2017-10-04T12:33:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Embedded-Office-com-links-in-PDF-s/m-p/6994#M14073 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 10.0pt;">Hi Thomas, thank you for your reply. I am familiar with the analyzer but in this case it seems like the TE marks this particular link as malicious, it’s not an embedded file within the PDF. &nbsp;I will might indeed consider submitting this possible FP to support for review. Thanks again! </SPAN></P></BODY></HTML> Wed, 04 Oct 2017 12:43:08 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Embedded-Office-com-links-in-PDF-s/m-p/6994#M14073 Andre_K 2017-10-04T12:43:08Z