This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
cezar_varlan1
Collaborator
‎2018-12-13 09:40 AM

CP Signature detections and naming convention

What is the meaning of "HEUR":Exploit.Signature in the signature detection phase?

Does this mean it's some kind of heuristic signature?

For example:

On ThreatWiki | Check Point Software  i need to search for Exploit.Msoffice.Cve-2017-0199.ex

However in the detection alert i have:

HEUR:Exploit.Msoffice.Cve-2017-0199.ex

2 Replies
G_W_Albrecht
Legend Legend
Legend
‎2018-12-14 12:55 AM

That seems a logical answer - which values apart from HEUR: are else displayed in the signature detection phase?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
cezar_varlan1
Collaborator
‎2018-12-14 02:14 AM
In response to G_W_Albrecht

I can see some more values:

UDS

not-a-virus

Are those values explained somewhere? The pink console of R80.20 SmartConsole and the yellowish traditional R77.30 SmartEndpoint make for a good blend of windows, but the fact is we have no clear explanation of what we are seeing. And combined with the fact that the logging is borderline dysfunctional for search purposes (see discussion here Endpoint Logging - Events ) i have the clear feeling we are doing Empirical Security here. We have a good hunch as to what is happening but we can't know for sure - i mean, we should go for the well known Check Point Sandblast Mobile approach where there's one Button saying "OK" or one button "NOT OK" and leave the investigations for support or something like that. 

Am i missing some kind of documentation?  I've checked Admin Guides and support center. Found some reference here in sk131312 but this one only states how to create an exception but does not list all protections.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events