This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chinmaya_Naik
Advisor
‎2018-11-29 02:50 AM
Jump to solution

False Positive on logs (Sandblast Agent) on BANKING Sites

Dear Team,

Setup:

Endpoint Server

OS: GAIA R77.30 with 143 hotfix and R77.30 Adds on package installed.

Client Package : E80.87

 

Blade Enabled:

 

1.Sandblast Agent Anti-Ransomware, behavioral guard and Forensics
2.Sandblast Agent Anti-Bot
3.Sandblast Agent Threat extraction and emulation

We use TE appliance for extraction and emulation (Local Emulation).

Scenario : We visit some banking sites where we able to access the websites and even we see the Sandblast agent extension popup show "Scanned Phishing verified by Zero Phishing"

Some are GOVT websites like IRCTC (railway sites of India) 

Some are BANKING Sites

BUT as we see on logs and find below result. 

This is completely unbelievable

Showing:-

Severity:03

Confidence Level: High

Protection Name: Deceptive site Detection

Protection Type: Phishing Prevention

Please HELP me to resolve the issue.

#Chinmaya Naik (INDIA)

0 Kudos
1 Solution

Accepted Solutions
Gal_Carmeli
Employee
Employee
‎2018-11-30 01:27 AM
Jump to solution

Hi,

The issue is a known bug in E80.87 and E80.88 in which the wrong log is sent in the case a potential phishing site was found to be benign.

The issue is fixed in E80.89 which will be released soon.

As a workaround, you can change the policy and disable the "Send log on each scanned site" on the Zero Phishing Settings. By that, logs will be sent only for sites that were found malicious, and this confusion will be avoided.

Here

Sorry for the inconvenience,,,

Gal.

View solution in original post

11 Replies
G_W_Albrecht
Legend Legend
Legend
‎2018-11-29 04:11 AM
Jump to solution

Sorry, but is do not fully understand the Issue: i read that you can use these sites successfully, but logs show phishing detected ? Or are the sites working no more ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
_Val_
Admin
Admin
‎2018-11-29 04:24 AM
In response to G_W_Albrecht
Jump to solution

I am at a loss too. The logs in the screenshot are not those for the website in question. What is the issue, actually?

0 Kudos
Chinmaya_Naik
Advisor
‎2018-11-29 04:37 AM
Jump to solution

Dear Günther and Valeri,

 

We able to access the banking sites without any issue but on the logs section, it showing phishing event and description site as banking sites. see the screenshot. (below logs for railway reservation sites)

0 Kudos
_Val_
Admin
Admin
‎2018-11-29 04:43 AM
In response to Chinmaya_Naik
Jump to solution

Open a case with TAC for that, please

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-11-29 04:45 AM
In response to Chinmaya_Naik
Jump to solution

Maybe not really very helpfull, but: Current GA Jumbo Take is Take_338 and used Take 143 is from 21. Apr 2016...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Chinmaya_Naik
Advisor
‎2018-11-29 05:11 AM
Jump to solution

Ok, I will update the status once I installed the latest jumbo Take_338.

Thanks, Günther and Valeri Smiley Happy  thanks for the suggestion 

0 Kudos
_Val_
Admin
Admin
‎2018-11-29 05:32 AM
In response to Chinmaya_Naik
Jump to solution

Please keep us posted here about the results

0 Kudos
Chinmaya_Naik
Advisor
‎2018-11-29 08:48 PM
In response to _Val_
Jump to solution

Yes sure I will update

Or else do you think that  upgrade to R80.20 is resolve the problem.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-11-30 12:40 AM
In response to Chinmaya_Naik
Jump to solution

I would start with a small step and install the newer Jumbo Take first 😉

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Gal_Carmeli
Employee
Employee
‎2018-11-30 01:27 AM
Jump to solution

Hi,

The issue is a known bug in E80.87 and E80.88 in which the wrong log is sent in the case a potential phishing site was found to be benign.

The issue is fixed in E80.89 which will be released soon.

As a workaround, you can change the policy and disable the "Send log on each scanned site" on the Zero Phishing Settings. By that, logs will be sent only for sites that were found malicious, and this confusion will be avoided.

Here

Sorry for the inconvenience,,,

Gal.

Chinmaya_Naik
Advisor
‎2018-12-05 08:24 AM
In response to Gal_Carmeli
Jump to solution

Thank you so much Gal  for this information

We will wait for the next E80.89 package and will update the status as well its work for us or not.

Thank you Smiley Happy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events