https://community.checkpoint.com/t5/General-Topics/New-Signature-causes-False-Positives-on-Threat-Cloud/m-p/226781#M37877 <P>Not that uncommon of an event lately unfortunately.. I can count 3 instances at least where we had unexplained bulk false-positive events with customers; the first one as of late was right around New Years.</P><P>I can't help but vent my frustration regarding this, especially after the statement made regarding the Crowdstrike related event and the claims of extensive testing performed.</P><P>It's not that particularly obscure applications are being detected; SSL Network Extender (a Check Point application if I remember correctly) was cleaned up on my system. I would like to guess that this software at least would be present on internal systems.</P><P>Not having a big red "revert" button is also somewhat strange; I don't think a tool as powerful and influential as Threat Cloud should involve hours of revert operations for this type of change.</P><P>What's even worse is not having a central way to purge local cache on Endpoints and dealing with "suggestions" along the lines of "it'll clear up in a few days"; it's not a skin rash, it's a potentially company crippling event.</P> Mon, 16 Sep 2024 13:00:44 GMT Swiftyyyyy 2024-09-16T13:00:44Z https://community.checkpoint.com/t5/General-Topics/New-Signature-causes-False-Positives-on-Threat-Cloud/m-p/226767#M37874 <H3>Attention:&nbsp;New Signature causes False Positives on Threat Cloud, potentially impacting the products that use Threat Emulation and Anti Virus Blades</H3> <P>&nbsp;</P> <P><STRONG>UPDATE 17.09.2024</STRONG><BR /><BR /><SPAN>The fix propagated world-wide, and the issue was resolved but we are working with our customers to restore the quarantine files and emails.</SPAN></P> <P><SPAN>Please refer to <A href="https://support.checkpoint.com/results/sk/sk182688" target="_self">sk182688 for details</A>.</SPAN></P> <P><STRONG>-------</STRONG></P> <P><STRONG>ORIGINALLY posted on 16.09.2024</STRONG></P> <P>Hi all, we want to inform you that there is an issue with a new signature that was uploaded to the Threat Cloud service that might cause False Positives, this potentially affects the products that use Threat Emulation and Anti Virus Blades. The issue is mostly limited to false positive alerts and file quarantine events with the Harmony Endpoint.&nbsp;&nbsp;<BR /><BR />Check Point R&amp;D teams already identified the root cause and deployed a fixed signature to Threat Cloud Service, the fix will propagate worldwide in the next few hours.<BR /><BR />We are currently working on a SK that will be published shortly.<BR /><BR />You can also follow up on the incident via its <A href="https://status.checkpoint.com/incidents/cfns8zwtg6kd" target="_self">status page</A>.</P> Tue, 17 Sep 2024 07:09:20 GMT https://community.checkpoint.com/t5/General-Topics/New-Signature-causes-False-Positives-on-Threat-Cloud/m-p/226767#M37874 _Val_ 2024-09-17T07:09:20Z https://community.checkpoint.com/t5/General-Topics/New-Signature-causes-False-Positives-on-Threat-Cloud/m-p/226781#M37877 <P>Not that uncommon of an event lately unfortunately.. I can count 3 instances at least where we had unexplained bulk false-positive events with customers; the first one as of late was right around New Years.</P><P>I can't help but vent my frustration regarding this, especially after the statement made regarding the Crowdstrike related event and the claims of extensive testing performed.</P><P>It's not that particularly obscure applications are being detected; SSL Network Extender (a Check Point application if I remember correctly) was cleaned up on my system. I would like to guess that this software at least would be present on internal systems.</P><P>Not having a big red "revert" button is also somewhat strange; I don't think a tool as powerful and influential as Threat Cloud should involve hours of revert operations for this type of change.</P><P>What's even worse is not having a central way to purge local cache on Endpoints and dealing with "suggestions" along the lines of "it'll clear up in a few days"; it's not a skin rash, it's a potentially company crippling event.</P> Mon, 16 Sep 2024 13:00:44 GMT https://community.checkpoint.com/t5/General-Topics/New-Signature-causes-False-Positives-on-Threat-Cloud/m-p/226781#M37877 Swiftyyyyy 2024-09-16T13:00:44Z https://community.checkpoint.com/t5/General-Topics/New-Signature-causes-False-Positives-on-Threat-Cloud/m-p/226881#M37898 <P><SPAN>The fix propagated world-wide, and the issue was resolved but we are working with our customers to restore the quarantine files and emails.</SPAN></P> <P><SPAN>Please refer to <A href="https://support.checkpoint.com/results/sk/sk182688" target="_self">sk182688 for details</A>.</SPAN></P> Tue, 17 Sep 2024 07:09:34 GMT https://community.checkpoint.com/t5/General-Topics/New-Signature-causes-False-Positives-on-Threat-Cloud/m-p/226881#M37898 _Val_ 2024-09-17T07:09:34Z https://community.checkpoint.com/t5/General-Topics/New-Signature-causes-False-Positives-on-Threat-Cloud/m-p/226892#M37900 <P>We're seeing a lot of clients reporting they are unable to update the Anti-Malware Database component since this morning, other components are OK.</P> <P>Sometimes repeating the manual refresh works but not always. Is this related to this issue?</P> Tue, 17 Sep 2024 09:20:37 GMT https://community.checkpoint.com/t5/General-Topics/New-Signature-causes-False-Positives-on-Threat-Cloud/m-p/226892#M37900 Alex- 2024-09-17T09:20:37Z