Markus_Hoyer1
Participant

Endpoint E80.81 downloading security scan takes forever + domain/URL exclusions not working

Hi CheckMates

I have an issue regarding endpoint client version E80.81. 

When we're downloading files from Microsoft Dynamics over the web, it takes forever to do the security scan for safe download. Furthermore, when downloading Excel files it removes all the content within the spreadsheet.

I've tried adding domain exclusions and specific URL exclusions but it still decided to do the scan... 

I see no reason for scanning files from within our own domain and would like to be able to configure this.

What policy / software is it using for scanning files when they are being downloaded? I might have made the exclusions in the wrong blade.

First I thought it might be the TE blade, but when looking at the logs, the scans don't have the same timestamp as when the scan was done. (There's no mismatch between server time and real time.)

Hope you can help

Kind regards

Markus

6 Replies
Steve_Lander
Collaborator

Have you tried adding *.domain.com or domain.com/* in the SandBlast Agent Threat Extraction and Emulation Blade? That is the blade that scans the files that are being downloaded. If that doesn't work, I would test upgrading a computer to a newer version of CP Endpoint, E80.84, with the same exceptions, and see if it works then. I have seen some wonky stuff with exceptions not working sometimes; you may have to try adding different combinations of URLs, such as dynamics.domain.com if *.domain.com doesn't cover that, which it should.

Markus_Hoyer1
Participant

Hi Steve

Thank you for your reply. I had a talk with TAC yesterday regarding this issue.

I had added the exclusions as *.domain.com, but was told that this wasn't the way to do it, and to only add them as domain.com. It seemed to work, but I am still having issues. See SK: 128472

SandBlast Agent (Forensics & Anti-Ransomware, Anti-Bot, Threat Emulation) - Exclusions

Does anyone know how to exclude IP addresses, hostname and NetBIOS name?

kind regards 

Steve_Lander
Collaborator

It is possible to add IP addresses as exclusions in the Threat Extraction and Emulation. You can try that and see if that fixes your issue.

The info about not using wildcards before the domain name is a little bit alarming, as that's what I have here for some of our domains. As we are having issues with some things still getting scanned internally, maybe taking the wildcard out will fix that.

Thanks for the reply!

Markus_Hoyer1
Participant

I agree, since I also used wildcards in the beginning. 

How did you add IP addresses? In my manager I can only choose between these three:

  • Domain exclusions - Relevant only for the SandBlast Agent Extension for Browsers. 
  • SHA1 exclusions - Relevant only for Threat Emulation blade (File system monitoring)
  • Folder exclusions - Relevant only for Threat Emulation blade (File system monitoring)

I am running R77.30.03

kind regards

Steve_Lander
Collaborator

I put the IP addresses in under Domain Names and they were able to be added. Since hearing wildcards are not allowed (presumably) under the category Domain Names, I'm not entirely sure if using IP addresses will work as expected, but it's worth a try.

Could anyone from Check Point weigh in on if this is possible or not? Maybe consider adding IP addresses as a feature in the management console.

We are running R77.30.03 as well, waiting to jump to R80.20 once it's optimized for the Endpoints.

PhoneBoy
Admin

R80.20.M1 is available now and includes Endpoint Management.

The way I understand it is if you just use the domain (e.g. example.com) it applies for all hosts in that domain (e.g. host.example.com). 
