topic Re: MTA Threat Extraction / Emulation Workflow ? in Firewall and Security Management

MTA Threat Extraction / Emulation Workflow ?

Peter_Baumann — Wed, 29 Aug 2018 09:14:12 GMT

Hi all,

I was looking for documentation about the workflow about the Threat Extraction and Emulation when used with MTA and couldn't find it.

So when an E-Mail arrives, what will be done first and what exactly will then be processed etc.

A visible workflow would help to understand how the System processes incoming E-Mails.

So what happens if we already have a file in the Cache, what happened with the Reputation of an Attachement and how is the verdict decision done?

It would be helpful if someone has any links or documents to answer this...

Thanks,

Peter

Re: MTA Threat Extraction / Emulation Workflow ?

G_W_Albrecht — Wed, 29 Aug 2018 11:18:36 GMT

I would suggest the following documents:

Mail Transfer Agent (MTA) - FAQ

sk109699 ATRG: Mail Transfer Agent (MTA)

sk120260 MTA Debugging and Performance Troubleshooting Toolkit

But of course, there is much more !

Re: MTA Threat Extraction / Emulation Workflow ?

Peter_Baumann — Wed, 29 Aug 2018 11:28:21 GMT

Hi Günther,

Thanks for your reply and links, very interesting but only focused on the MTA Flow.

What I need is an overview what exactly is Happening when the E-Mail is arriving at the Threat Emulation / Extraction.

So as example: Incoming E-Mail - links in Body? - yes: do Threat Emulation - Malicious links included? - yes: Threat Emulation of the links or for Threat Extraction: Incoming E-Mail - is filetype active? - yes: Threat Extraction according Settings - verdict decision? etc...

A complete overview what exactly is Happening would answer the customers question how an E-Mail is exactly proceeded...

Re: MTA Threat Extraction / Emulation Workflow ?

G_W_Albrecht — Wed, 29 Aug 2018 12:19:38 GMT

Then you must consult sk114806 ATRG: Threat Emulation - as you did study the Threat Prevention Administration Guide R80.10 already...

Re: MTA Threat Extraction / Emulation Workflow ?

Peter_Baumann — Wed, 29 Aug 2018 14:38:34 GMT

Thanks Günther,

Interesting document, (7) Emulation Workflow does give the needed Information about the workflow.

I'm still searching now the doc for Threat Extraction...

Re: MTA Threat Extraction / Emulation Workflow ?

HeikoAnkenbrand — Wed, 29 Aug 2018 18:55:24 GMT

Hi Peter,

I recently wrote a document that gives an overview of content inspection. It's not exactly what you're looking for. But maybe this will help you to understand how content inspection works. But I still have to finish the MTA part.

R80.x Security Gateway Architecture (Content Inspection)

This document describes the content inspection in a Check Point R80.10 and above gateways. Context Management Infrastructure (CMI) is the "brain" of the content inspection and use more different modules (CMI Loader, PSL vs. PXL, Protocol Parsers, Pattern Matcher, Protections and new in R80.10 NGTP Architecture) for content inspection.

R80.x Security Gateway Architecture (Logical Packet Flow)

This document describes the packet flow (partly also connection flows) in a Check Point R80.10 and above with SecureXL and CoreXL, Content Inspection, Stateful inspection, network and port address translation (NAT), MultiCore Virtual Private Network (VPN) functions and forwarding are applied per-packet on the inbound and outbound interfaces of the device. There should be an overview of the basic technologies of a Check Point Firewall. We have also reworked the document several times with Check Point, so that it is now finally available.

Regards

Heiko

Re: MTA Threat Extraction / Emulation Workflow ?

G_W_Albrecht — Thu, 30 Aug 2018 07:09:19 GMT

Thre is only sk101553 Check Point Document Threat Extraction Technology afaik.

Re: MTA Threat Extraction / Emulation Workflow ?

Peter_Baumann — Tue, 04 Sep 2018 08:41:23 GMT

Hi all,

Hi Heiko Ankenbrand‌,

Thank you very much fpr your feedbacks, I appreciate it!

Heiko's documents are great, with all the peacec of information I think I can construct an answer for this question.

It would be great if check point would create such a documentation about this...

Thanks,

Peter

Re: MTA Threat Extraction / Emulation Workflow ?

Peter_Baumann — Wed, 05 Sep 2018 08:55:39 GMT

Hello again,

According to the customer sometimes an incoming mail is NOT sent to Emulation AND Extraction.

I did some tests today and it seems really a strange behavior.

For the test I sent 3 E-Mails, 1 with only *.zip (text files), 2 with only *.pdf, 3 with both *.zip (text files) and *.pdf.

E-mail 1: Only Emulation is done according log.

E-Mail 2: Only Extraction is done according log.

E-Mail 3: Extraction and Emulation is done.

According to all the documents a receiving E-Mail should be sent to both Extraction AND Emulation.

So why do I not see this in the logs???

Re: MTA Threat Extraction / Emulation Workflow ?

G_W_Albrecht — Wed, 05 Sep 2018 09:08:07 GMT

That all depends on the configuration - according to document type, the flow can be different, so you can say nothing without knowing the detailed configuration of TE / TX !

Re: MTA Threat Extraction / Emulation Workflow ?

Peter_Baumann — Wed, 05 Sep 2018 09:46:28 GMT

Right!

That's why I was looking for a detailed workflow for it 🙂

Re: MTA Threat Extraction / Emulation Workflow ?

G_W_Albrecht — Wed, 05 Sep 2018 10:06:01 GMT

Then have a good look into Threat Prevention Administration Guide R80.10 and you will find everything there 😉