https://community.checkpoint.com/t5/Firewall-and-Security-Management/Malicious-file-sent-through-Sandblast/m-p/12679#M14116 <HTML><HEAD></HEAD><BODY><P><STRONG>Note</STRONG>: I have removed the attachment to the original post.</P><P></P><P></P><P>vbs files are only emulated when received via email (i.e.&nbsp;when SandBlast is configured as an MTA).</P><P>When they are received via HTTP/HTTPS, they are not emulated.&nbsp;</P><P>This is&nbsp;documented here:&nbsp;<A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk106123" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk106123">File types supported by SandBlast Threat Emulation</A>&nbsp;</P></BODY></HTML> Fri, 17 Nov 2017 16:40:51 GMT PhoneBoy 2017-11-17T16:40:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Malicious-file-sent-through-Sandblast/m-p/12678#M14115 <HTML><HEAD></HEAD><BODY><P>Hello !</P><P>Customer was able to send the attached file through sandblast with AV/TE/TEX enabled ...</P><P>if the file is renamed to .7z - it turns to be a password-protected archive (passwd:&nbsp;<SPAN style="color: #000000; background-color: #ffffff; font-size: 13.3333px;">TestCase02) with vbs script ...</SPAN></P><P><SPAN style="color: #000000; background-color: #ffffff; font-size: 13.3333px;">What have we done wrong ?</SPAN></P></BODY></HTML> Fri, 17 Nov 2017 12:14:12 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Malicious-file-sent-through-Sandblast/m-p/12678#M14115 Nikolajs_Matjus 2017-11-17T12:14:12Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Malicious-file-sent-through-Sandblast/m-p/12679#M14116 <HTML><HEAD></HEAD><BODY><P><STRONG>Note</STRONG>: I have removed the attachment to the original post.</P><P></P><P></P><P>vbs files are only emulated when received via email (i.e.&nbsp;when SandBlast is configured as an MTA).</P><P>When they are received via HTTP/HTTPS, they are not emulated.&nbsp;</P><P>This is&nbsp;documented here:&nbsp;<A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk106123" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk106123">File types supported by SandBlast Threat Emulation</A>&nbsp;</P></BODY></HTML> Fri, 17 Nov 2017 16:40:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Malicious-file-sent-through-Sandblast/m-p/12679#M14116 PhoneBoy 2017-11-17T16:40:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Malicious-file-sent-through-Sandblast/m-p/12680#M14117 <HTML><HEAD></HEAD><BODY><P>What is the policy on password encrypted files?</P></BODY></HTML> Mon, 20 Nov 2017 08:45:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Malicious-file-sent-through-Sandblast/m-p/12680#M14117 Hugo_vd_Kooij 2017-11-20T08:45:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Malicious-file-sent-through-Sandblast/m-p/12681#M14118 <HTML><HEAD></HEAD><BODY><P>For this site? I removed the file because it contains malware.&nbsp;</P><P>How Threat&nbsp;Extraction handles them? It depends on your profile setting.</P><P></P><P><IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/61002_pastedImage_1.png" style="width: auto; height: auto;" /></P></BODY></HTML> Mon, 20 Nov 2017 16:36:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Malicious-file-sent-through-Sandblast/m-p/12681#M14118 PhoneBoy 2017-11-20T16:36:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Malicious-file-sent-through-Sandblast/m-p/12682#M14119 <HTML><HEAD></HEAD><BODY><P>Hi !</P><P>The policy is to block encrypted file attachments.</P><P>However this file has passed through TE/TEX and user can download original file.</P></BODY></HTML> Mon, 20 Nov 2017 18:17:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Malicious-file-sent-through-Sandblast/m-p/12682#M14119 Nikolajs_Matjus 2017-11-20T18:17:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Malicious-file-sent-through-Sandblast/m-p/12683#M14120 <HTML><HEAD></HEAD><BODY><P>If the original file was an archive (I can´t see it from your post only) it is currently not supported with TX hence your "Encrypted content block" TX feature does not apply. Archive support for TX is on the roadmap.</P><P></P><P>That said if received via email it should have been emulated and catched by TE as Daemon already mentioned.</P><P>If this was not the case please open a support ticket with your information.</P><P><BR />Regards Thomas</P></BODY></HTML> Sun, 26 Nov 2017 20:54:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Malicious-file-sent-through-Sandblast/m-p/12683#M14120 Thomas_Werner 2017-11-26T20:54:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Malicious-file-sent-through-Sandblast/m-p/12684#M14121 <HTML><HEAD></HEAD><BODY><P>Nikolajs,</P><P></P><P>Can you clarify the rename to .7z remark in your question. Were you using another extension on the file and was that sufficient to bypass TE/TEX?</P><P>Please think of us of people who know nothing about your setup (which is true) and describe the steps to reproduce this exactly.</P></BODY></HTML> Mon, 27 Nov 2017 08:00:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Malicious-file-sent-through-Sandblast/m-p/12684#M14121 Hugo_vd_Kooij 2017-11-27T08:00:19Z