topic Re: Sandblast TE250X on premises engine Release 6.9/55.990001702 not available in Email and Collaboration

Sandblast TE250X on premises engine Release 6.9/55.990001702 not available

Antoine_Nucera — Tue, 03 Oct 2017 17:31:41 GMT

As per sk95235 engine Release 6.9/55.990001702 is available since 26 Sep 2017 and for Deployment: 26/09-10/10.

My TE250X engine remain is version in 6.8.2/54.990001557.

What does mean Deployment: 26/09-10/10 ? The engine availability for Customer using threat emulation in the cloud ? When will the latest version be available for on premises ? I have an open case at checkpoint but it seems difficult for them to answer this simple question.

Why this question ? Simply because I have a zip that contains a malicious javascript. In the Checkpoint Cloud this java script is detected as malicious (i use this link to test https://threatemulation.checkpoint.com/teb/upload.jsp) but it is not on my Te250X on premises when i download it on http with a browser.

The sk106123 specifies the File types supported by SandBlast Threat Emulation and that for .js / .js : these files are supported when arriving in archive as email attachment only. The protection is for the use of the files.

I can understand that for http feeds it is not possible to analyze javascript loaded by html pages without generating a high latency for users as far as most pages contain javascript.
But when javascript is in a zip it should be. No ?

So my problem is related to the version of the engine or to this specific case? In this case why this difference between the cloud and the version on premise?

Thanks

Re: Sandblast TE250X on premises engine Release 6.9/55.990001702 not available

PhoneBoy — Tue, 03 Oct 2017 18:57:37 GMT

When we release a new engine, it is not deployed to all on-premise customers at once, but gradually over the course of a few weeks.

26 September - 10 October 2017 is the timeframe during which 6.9/55.990001702 is being deployed.

If you do nothing, you can expect the new engine to be deployed to your TEX appliance in the next week or so.

You can also do a manual update by using the steps in the following SK: Offline updates for Threat Emulation images and engine

As for why the js is not detected on your on-premise appliance, we make continual improvements to catch malware and reduce false positives.

It's possible something in the 6.9 catches it, whereas the 6.8.2 engine did not.

If you see a difference after getting the 6.9 engine on your local TEX appliance, I recommend opening a support ticket.

Contact Support | Check Point Software

Re: Sandblast TE250X on premises engine Release 6.9/55.990001702 not available

Antoine_Nucera — Wed, 04 Oct 2017 07:23:00 GMT

Hi,

Thanks for your help.

The sk106123 specifies the "File types supported by SandBlast Threat Emulation and that for .js / .js " and

mentions that : "these files are supported when arriving in archive as email attachment only. The protection is for the use of the files."

What you anderstand ? That malicious js in zip are detected in mail only ?

Remmener that when i download my zip on Threat Cloud Test (last engine) it is detected as malicious.

So, will the last engine detect the malicious JS in the ZIP in http.

I do understand that the restriction in the sk106123 does not applie to the last engine version ?

Re: Sandblast TE250X on premises engine Release 6.9/55.990001702 not available

PhoneBoy — Wed, 04 Oct 2017 16:17:14 GMT

My understanding is .js is currently only emulated when received as an email attachment.

I'm assuming when you upload it via the URL, it is doing a full emulation similar to what's done with email.

I'm not entirely sure that limitation with .js and http is removed in 5.9.