topic Re: Enduser still can download Malware from Public Github although implement Https inspection and IP in Firewall and Security Management

Enduser still can download Malware from Public Github although implement Https inspection and IPS

CheckPoint_IT — Tue, 02 Jul 2024 08:01:11 GMT

Hi Everyone,

I have a problem with IPS and HTTPS Inspection on CheckPoint Firewall.

I implemented HTTPS Inspection and IPS for Internal traffic and everything seems to work fine (HTTPS traffic being inspected and IPS, Antivirus detect and block access to malicious files).

But when I tried to use git clone to download a malware test file from git hub, nothing happened and I still can successfully download this file.

➜ ~ git clone https://github.com/fire1ce/eicar-standard-antivirus-test-files.git

Cloning into 'eicar-standard-antivirus-test-files'...
remote: Enumerating objects: 42, done.
remote: Counting objects: 100% (13/13), done.
remote: Compressing objects: 100% (10/10), done.
remote: Total 42 (delta 4), reused 5 (delta 1), pack-reused 29
Receiving objects: 100% (42/42), 177.01 KiB | 280.00 KiB/s, done.
Resolving deltas: 100% (18/18), done.

➜ ~ ls | egrep eicar
eicar-standard-antivirus-test-files

HTTPS traffic is still inspected by the Firewall, but IPS and antivirus do not work. I tried downloading this file/folder directly from my browser but everything worked fine.

Does anyone have the same problem as me? Does anyone have any advice or suggestions on where I've misconfigured?

Thanks.

Re: Enduser still can download Malware from Public Github although implement Https inspection and IP

PhoneBoy — Wed, 03 Jul 2024 12:37:52 GMT

For testing anything with EICAR, make sure you do the following on the relevant gateways: fw ctl set int g_ci_av_eicar_handling_mode 2

Re: Enduser still can download Malware from Public Github although implement Https inspection and IP

CheckPoint_IT — Thu, 04 Jul 2024 07:46:49 GMT

Thank @PhoneBoy

I have changed int g_ci_av_eicar_handling_mode as you mentioned above. But, I still can download EICAR by git clone command.

Cloning into 'eicar-standard-antivirus-test-files'...

remote: Enumerating objects: 42, done.
remote: Counting objects: 100% (13/13), done.
remote: Compressing objects: 100% (10/10), done.
Receiving objects: 14% (6/42)

Receiving objects: 26% (11/42)
Receiving objects: 38% (16/42)
Receiving objects: 40% (17/42), 68.00 KiB | 104.00 KiB/s
Receiving objects: 47% (20/42), 68.00 KiB | 104.00 KiB/s
remote: Total 42 (delta 4), reused 5 (delta 1), pack-reused 29
Receiving objects: 100% (42/42), 177.01 KiB | 175.00 KiB/s, done.
Resolving deltas: 38% (7/18)
Resolving deltas: 100% (18/18), done.

The connection is still inspected by HTTPS Inspection but IPS and antivirus do nothing.

Do you have any other suggestions? Am I configuring something wrong or is the git clone running in some other way that Checkpoint cannot inspect?

Thanks.

Re: Enduser still can download Malware from Public Github although implement Https inspection and IP

PhoneBoy — Mon, 08 Jul 2024 17:51:56 GMT

Is Anti-Virus enabled?
If not, it needs to be.