topic Re: Content Awareness not properly blocking files in Firewall and Security Management

Content Awareness not properly blocking files

Marcel_Gramalla — Wed, 10 Mar 2021 15:15:03 GMT

Hello,

hope you're doing all well. We are in the process of evaluating the Check Point Threat Prevention Suite (against another solution) and we're stuck at Content Awareness right now.

We just wanted to test a very basic rule to block executable files but we get very strange results - some files doesn't get blocked at all or only sometimes. TLS Inspection is enabled and the browser is limited to TLS 1.2 as we heard it may cause problems if the browser tries 1.3 and Check Point doesn't support it currently (R80.40 JHF 89).

The rule looks like this:

The log entry looks like this when the file isn't blocked:

We can cleary see that the connections is Inspected and also the Rule and Data Type gets recognized correctly but the download is still possible.

We already tried a different host, putting the rule out of the inline layer and many small other things. Do you have any suggestion how to troubleshoot and what could be wrong?

Re: Content Awareness not properly blocking files

Benedikt_Weissl — Wed, 10 Mar 2021 16:08:10 GMT

Hi,

can you show us the UserCheck item settings? Maybe the fallback setting is set to "accept".

Regards

Re: Content Awareness not properly blocking files

Marcel_Gramalla — Wed, 10 Mar 2021 17:32:35 GMT

Hi,

which exact setting are you referring to? I couldn't find UserCheck setting for any fallback:

On Content Awareness it's set at fail-open:

Re: Content Awareness not properly blocking files

Benedikt_Weissl — Thu, 11 Mar 2021 10:13:29 GMT

Then its a different UserCheck object, i thought it might be this setting and user notification can't be displayed:

Re: Content Awareness not properly blocking files

Marcel_Gramalla — Thu, 11 Mar 2021 10:15:55 GMT

Ok, I see. The fallback option only appears on Ask-Templates but not on Drop-Templates.

Re: Content Awareness not properly blocking files

PhoneBoy — Thu, 11 Mar 2021 20:00:09 GMT

If you’re seeing an action of Redirect (which is what the log card says), it’s probably attempting to show the UserCheck drop page.
As it requires some data to be transferred to detect if it’s an EXE, it will appear as if a download starts but it should terminate before the file is completely downloaded.

For downloaded files, showing a block page is probably counterproductive since the web browser won’t show that to the end user.
In fact: I would remove the UserCheck action from the rule.

Re: Content Awareness not properly blocking files

Marcel_Gramalla — Fri, 12 Mar 2021 08:19:45 GMT

The drop page shouldn't be a problem as it shows correctly for other files that get blocked by the policy. I just tried changing the rule to just drop without UserCheck and the problem still exists. It's also a requirement for us to show the user that a file gets blocked on purpose and not just the fail message from the browser.

Let's see if TAC has any other ideas.

Re: Content Awareness not properly blocking files

Marcel_Gramalla — Fri, 09 Jul 2021 16:53:10 GMT

I just came across my own old topic here and wanted to add the solution we found together in a great TAC session a few weeks ago.

The problem was in the HTTPS Inspection and not Content Awareness itself. We had the settings at "Background" and not "Hold" mode for a reason I don't remeber and that caused the issue. We also tried the UserCheck agent that I never heard of before and now we're also getting a pop-up if an error cannot be displayed in the browser.