This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Tony_Graham
Advisor
‎2022-12-19 11:07 AM
Jump to solution

Using CP Infinity Portal How does one find out what was extracted or triggered threat extraction?

I have a user that received a file that in the logs shows it had triggered TEX.

Using the panel on the right side of Infinity portal shows it has threat of Low, confidence High but

it offers no detail as to what the threat was. I don't find this of much value.

'Yah, there was a threat. We got rid of it.'

It would be nice to know what the threat

was so that our user could inform the sender they may themselves be infected with

malware. For businesses with close personal relationships and daily transactions with

one another this sort of thing is very important.

 

I see no way to drill down into the

threat for additional detail and the details provided offer nothing more than technical

mumbo jumbo about resource URL's, file hashes byte size and a vague Description.

 

I guess that makes this a request for additional functionality. Something

like Adware/TrackingPixel or EmbeddedWebLink/Graphic would be helpful in

understanding the nature of what was removed during TEX.

Thanks.

1 Solution

Accepted Solutions
AdiGH
Employee
Employee
‎2023-05-28 03:03 AM
Jump to solution

Hi @Tony_Graham  - wanted to circle back to this request you made a couple of months ago. 
Although the response you've got from @PhoneBoy is correct, I agreed with the need to provide additional information on the extracted content. 
Therefore, we've added to the logs under "Description" the name of the elements that were removed (according to the defined list we have in the portal). 
This is already in production for FireFox downloads and will shortly be available for downloads from all supported browsers. 

AdiGH_0-1685268007919.png

 


I hope you'll find this useful. 

View solution in original post

(1)
2 Replies
PhoneBoy
Admin
Admin
‎2022-12-20 05:59 PM
Jump to solution

Every supported file type will invoke Threat Extraction whether or not it’s actually malicious.
Documents are reconstructed in a way that potentially malicious content won’t be there (for example, VB Macros will be removed).
Or the document will be converted to PDF, if that’s how you configure the policy.
The precise details of how Threat Extraction does this are not documented anywhere and there is no logging provided about what was done.

If you want to know if a document is actually malicious or not (and how), use Threat Emulation.
In fact, that’s how Threat Extraction is intended to be used (with Threat Emulation).
Threat Emulation reports provide details about how the document was malicious (if it was).

Hope that helps.

0 Kudos
AdiGH
Employee
Employee
‎2023-05-28 03:03 AM
Jump to solution

Hi @Tony_Graham  - wanted to circle back to this request you made a couple of months ago. 
Although the response you've got from @PhoneBoy is correct, I agreed with the need to provide additional information on the extracted content. 
Therefore, we've added to the logs under "Description" the name of the elements that were removed (according to the defined list we have in the portal). 
This is already in production for FireFox downloads and will shortly be available for downloads from all supported browsers. 

AdiGH_0-1685268007919.png

 


I hope you'll find this useful. 

(1)
Upcoming Events

    Sort by:
    CheckMates Events