This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sitarz_T
Explorer
‎2020-11-25 04:30 AM

Exclude File from Web Downloads Protection

Hi, i have a question regarding the Sandblast web Download protection.

My Client tries to download some java applet file called "application.tmp"

The File is getting deleted because it "was found as malicious by checkpoint file reputation"

I already have whitelisted the Domain this file is coming from, but my client still cannot download it.
In the "Web Downloads Protection" Policy, there is an possibility to override the Action by file type, but since its not an "official" file type, there is no definition of .tmp files.

How can i whitelist this specific file download?

Thanks and Best Regards from Germany

 

0 Kudos
5 Replies
Gal_Carmeli
Employee
Employee
‎2020-11-30 02:52 AM

Hi,

Can you please share how exactly did you exclude? (please mention the exact values you placed in the management, and the exact fields on the management UI that you changed)

Also - can you please share details about the file? (the download link would be helpful if you have it, or just attach the file to this post)

Thanks,
Gal.

0 Kudos
Sitarz_T
Explorer
‎2020-12-03 04:19 AM

After playing around and some clarification i got the use-case wrong.

My Client does the following:
They Download an .exe from one of our distributors (self signed application, im not allowed to share it)
The .exe , after execution by an admin-user, unpacks a few files. those unpacked files are getting blocked by the Sandblast File reputation. Afterwards the .exe file gets deleted, but the unpacked files not. Sorry for that, by the time i have written this post i only had a screenshot which blocked the said "application.tmp".

In order to allow this, i now need to get a test-client. Download and execute it by myself. And get the sha1 signatures of every file unpacked by the downloaded .exe.
Then i need to add those sha1 signatures as exceptions.

i simply was hoping for an more comfortable way, because it felt wrong doing it like this.
further, i also could whitelist certain folders but i dont like the approach of whitelisting local folders, since this enables users to override the security features by executing stuff from a dedicated directory.  Is there a third approach im missing?

0 Kudos
Gal_Carmeli
Employee
Employee
‎2020-12-03 09:12 AM
In response to Sitarz_T

Hi,

you can also exclude the entire folder if you know where the temporary files will be written to.

But - if the issue is a false-positive, I would very much like to handle it and analyze the reason for it. Will you be able to provide me with a link to download that application? If not, can you share it with me? Assuming its benign, I can make sure the false positive is fixed and then you will not need to exclude anything...

Thanks,
Gal.

0 Kudos
Sitarz_T
Explorer
‎2020-12-04 06:29 AM
In response to Gal_Carmeli

Hi Gal, thanks for the Response.
i cannot provide a download link. But i can share the installation file with you.
can you provide something to upload it?

 

Thanks and BR

0 Kudos
Doron_Zuckerman
Employee
Employee
‎2020-12-06 03:43 AM
In response to Sitarz_T

Hi Sitarz_T,

Please upload the file here:

https://ftp.checkpoint.com/EFTClient/Account/Login.htm

user : SBAcustomer

pass : yqrfsE3x

Can you please ping me via email once you do (doronzu@checkpoint.com).

 

Thank you,

Doron.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events