topic Re: Anti-Virus & Content Awareness Archive Issues in Firewall and Security Management

Anti-Virus & Content Awareness Archive Issues

Marcel_Gramalla — Mon, 11 Oct 2021 12:01:11 GMT

Hi CheckMates,

I want to describe one or actually two issues I encounter when using Anti-Virus and Content Awareness on my Check Point Gateways. Both issues seem to be related only for Archive Scanning. First of all some information about the config:

- R80.40 JHF94 (also tested with new install of R81 and R81.10)
- HTTPS Inspection enabled
- Anti-Virus enabled (with archive scanning)
- Content Awareness enabled (should block executable files and some other types)

I can easily reproduce the issue on some basic PuTTY downloads here: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
putty.zip: https://the.earth.li/~sgtatham/putty/latest/w64/putty.zip
putty.tar.gz: https://the.earth.li/~sgtatham/putty/latest/putty-0.76.tar.gz

Scenario 1 (Content Awareness: enabled / Anti-Virus: disabled):
Download of putty.zip fails with log message "error while processing putty.chm: File appears corrupted (13)"
Download of putty.tar.gz gets blocked correctly because of an ".sh" file.

Scenario 2 (Content Awareness: disabled / Anti-Virus: disabled)
Download of putty.zip fails with log message "Failed to process the file - unknown error"
Download of putty.tar.gz fails with log message "Failed to process the file - unknown error"

Scenario 3 (Content Awareness: enabled / Anti-Virus: enabled)
Download of putty.zip fails without log message
Download of putty.tar.gz gets blocked correctly because of an ".sh" file

I already did some basic debugs from sk103939 and the issue reported is: "error reason: Max files in archive" but I couldn't find any information about that and the archives don't have many files in them.

Did somebody of you encounter similar problems or can verify the issue on their setup? I already have a ticket opened but my TAC experience isn't the best lately and you guys helped a lot in the past 🙂

Re: Anti-Virus & Content Awareness Archive Issues

PhoneBoy — Wed, 13 Oct 2021 15:37:23 GMT

I suspect this is a bug and a TAC case will be necessary here.

Re: Anti-Virus & Content Awareness Archive Issues

Marcel_Gramalla — Wed, 13 Oct 2021 21:10:56 GMT

Yeah, I think it obviously is a bug but as it occurs on clean installations as well my hope was to find somebody that has already experienced something similar and/or can validate my findings.

TAC case already opened as mentioned but (again) not the best experience yet. Investigation hasn't even started yet after a week because of slow response, a canceled call and no instructions from CP.

I will update this thread if we get any mentionable information.

Re: Anti-Virus & Content Awareness Archive Issues

Marcel_Gramalla — Sat, 12 Feb 2022 16:26:15 GMT

Over four months later Check Point TAC has finally found the issue and provided a temporary workaround with a final solution coming soon hopefully. The issue was actually found pretty fast because of "max_files" reached as the archive has over 500 files but it seemed that nobody knows the Archive Engine at Check Point...

But to get back to the issue itself: The problem has nothing to do with Content Awareness but only with Anti-Virus. There is actually one sk for changing different parameters of that Archive Engine: Threat Prevention Archive Tool Configuration (checkpoint.com)

I also had to learn that Anti-Virus uses parts of Threat Emulation (at least when using Archive Scanning). The parameter "max_files" has a default of 500 and it can be changed in the config but it will default back to 500 as there is a hard coded limit of 500. There is a way to change that default to any other limit so it gets defaulted to that...I won't share this procedure but it's working correctly.

Check Point will change that behavior in a future update so that we can change the limit according to the sk. From what I understand this will be provided with the regular Anti-Virus/Anti-Bot updates and will not require a Jumbo.

Little rant about TAC:

All in all I'm happy that this works now but I don't have to say that over four months for such a basic case is way to long (many useless remote sessions, long response times, no summaries after sessions etc.). In addition it's stupid that we had to open a new case because we updated our Gateways in the meantime - never understood why the case can't be changed instead.

Re: Anti-Virus & Content Awareness Archive Issues

yairsp — Tue, 19 Apr 2022 17:15:02 GMT

Hi Marcell,

Allow me to apologize for the apparently unsatisfactory handling of this case. your rant is noted!!

I know some time has passed, but would you mind sharing the TAC case number with me?

I'd like to try to review and understand how we can improve in future cases.

You can send it to yairsp@checkpoint.com for privacy's sake.

Thanks,

Yair