Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Katelyn_Eubanks
Contributor

Endpoint threat extraction and emulation issue with temp directory

Hello,

We have two programs that sandblast threat extraction and emulation blade seems to be interfering with certain functions. For instance, when using one of these two programs the end user wants to generate a report and download as a .pdf. When initiated it seems the program attempts to start creating the .pdf and then never actually created the .pdf document. We have tested with shutting off blades and determined that it has to do with two things: First is that the endpoint keeps hold of the temp directory so that users cannot access within another program because it will state that the program is already being used by another program, i.e Word, Adobe. The second issue is that we have to turn off emulate files written to the file system and then it will generate the .pdf documents and print just fine. Has anyone else ever experience this? We have whitelisted both programs and processes that seem to run and it makes no difference. Checkpoints solution was to shut off the emulate part but that is a vital part of the endpoint client. Server R77.30, endpoint 80.85.

7 Replies
PhoneBoy
Admin
Admin

What was the SR for this, if any?

0 Kudos
Katelyn_Eubanks
Contributor

3-0487456011

0 Kudos
PhoneBoy
Admin
Admin

I'm curious why, if the issue was not resolved, that the case was not reopened?

Also it looks like you were testing this against E80.83 and we're up to E80.88 now in terms of client versions.

Have you tried this with a later version?

Katelyn_Eubanks
Contributor

The ticket was "resolved" on the checkpoint side by simply having us shut off the file emulation portion of the blade which is not a long term solution. We have moved to 80.85 since that ticket but not 80.88. I will have to test with 80.88 and investigate. 

PhoneBoy
Admin
Admin

Just to confirm, there was a related bug we fixed in E80.88.

If you're still having issues in E80.88 or above, please open a new support ticket so we can investigate.

0 Kudos
Shahar_Grober
Advisor

I had similar issues with E80.87 and outlook temp folder while SBA and Anti-Exploit are running. It looks like the SBA is creating some violations by holding files written to the Temp directory. It was solved by upgrading to E80.87.9201 

from E80.87 What's new:

"Resolves a sharing violation issue in Threat Emulation. Resolves scenarios where applications that try to access a file with exclusive access rights fail due to a Threat Emulation inspection of the file. This also resolves the issue to save documents in PDF format."

Katelyn_Eubanks
Contributor

Thank you, with the update to machines using the 80.88 version its seems that the issue is resolved.Hopefully when we update the rest of our fleet we will see that the 80.88 client is still the solution. 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events