PIN64
Explorer

Issues with Check Point Sandblast Agent for Browser and firefox

We have some unexpected and, for us, undesirable behavior since we updated our Endpoint Security client to version 83.20.

In Firefox (latest build) when we attempt to download a file or visualize a PDF:

(1) We are asked where to save the file (even if it was a PDF and we chose to visualize it in Firefox).

(2) When we choose a destination, the download is started by the agent (and it is displayed by the agent), but when the download finishes we are again asked where we want to save the file. The proposed folder is not related in any way to the path we had chosen before.

(3) If the file was a PDF, it is renamed to include the text "cleaned" (I find it difficult to believe that every PDF contains something to be "cleaned").

Is it an issue due to misconfiguration on our part or an expected behavior?

My understanding is that downloaded files would be run in a secure virtual environment and then downloaded.

 

Kind regards

Nadia

0 Kudos
3 Replies
Swordfish
Participant

When potentially malicious parts are removed from the file, the .cleaned extension is added by default. This can be a cleaned PDF or .docm. Docm will also be changed to a .docx filetype. If you have an appliance for emulation, there is a configuration to disable the .cleaned re-naming. I do not know if you can change this when using a cloud environment.

Have you tried to change the general Firefox settings? Change the download option from “Always ask you where to save files” to “Save files to” and select a download folder.

Sometimes a PDF gets downloaded before you can view it in your browser.

I don't think that this is a bug in the browser extension, but is there a reason why you upgraded to E83.20 instead of E84.50? E84.50 has been available for a few months now and is the recommended version as well.

PIN64
Explorer

I understand the reason for the "cleaned" extension, but I find it difficult to believe that every PDF has potentially malicious parts (a few, yes, all of them is not really believable).

Also, changing the Firefox behavior may be a workaround, but not an acceptable solution. Most users want to choose where they download content, not have it dumped in a folder and then have to move it. I have also observed that Microsoft Edge does not behave the same way (files are downloaded and inspected, but the only request to choose a destination is the one from the browser), so the Firefox behavior is at least inconsistent.

I know we are behind with versions, but we have to move slowly (very slowly) due to limited personnel and several active projects. We are trying to catch up.

0 Kudos
Swordfish
Participant

I replicated the download behavior. I changed my settings for MS Edge and Firefox to "Always ask you where to save files". Right after clicking the download button I can choose a folder where I want to store the file, as expected.

Now the SandBlast Agent Browser Plugin cleanses / emulates the file based on your policy. After that I have to choose again a folder where I want to save this file, or whether I just want to open it.

I think this is normal behavior, because the second time I get asked is for the cleaned version of the file, which is a different file from the one I wanted to download in the first place. And last but not least, if I want to download the original file from the plugin (not the .cleaned version), I have to choose a third time where I want to save this file.

0 Kudos