This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
PIN64
Explorer
‎2021-08-02 02:48 AM

Issues with Check Point Sandblast Agent for Browser and firefox

We have some unexpected and, for us, undesirable behavior since we updated our Endpoint Security client to version 83.20

In Firefox (latest build) when we attempt to download a file or visualize a PDF

(1) We are asked where to save the file (even if  it was a PDF and we chose to visualize it in Firefox)

(2) when we chose a destination, the download is started by the agent (and it is displayed by the agent), but when the download finishes we are again asked where do we want to save the file. The proposed folder is not related in any way to the path we had chosen before.

(3) If the file was a PDF, it is renamed to include the text "cleaned" (I find it difficult to believe that every PDF contains something to be "cleaned"

Is it an issue due to misconfiguration on our part or an expected behavior?

My understanding is that downloaded files would be run in a secure virtual environment and then downloaded.

 

Kind regards

Nadia

0 Kudos
3 Replies
Swordfish
Contributor
‎2021-08-02 04:19 AM

When potentially malicious parts are removed from the file, the .cleaned extension is added by default. This can be a cleaned PDF or .docm. Docm will also be changed to a .docx filetype. If you have an appliance for emulation, there is a configuration to disable the .cleaned re-naming. I do not know, if you can change this, when using a cloud environment.

Have you tried to change the general Firefox settings? Change the download option from “Always ask you where to save files” to “Save files to” and select a download folder.

Sometimes a pdf gets downloaded before you can view it in your browser.

I don't think that this is a bug in the browser extension, but is there a reason, why you upgraded to E83.20 instead of E84.50? E84.50 is available for a few month now and the recommended version as well.

PIN64
Explorer
‎2021-08-02 11:32 PM
In response to Swordfish

I understand the reason for the "cleaned" extension, but I find it difficult to believe that every PDF ha potentially malicious parts (a few, yes, all of them is not really believable).

Also, changing the Firefox behavior may be a workaround, but not an acceptable solution. Most users want to chose where they download content, not have it dumped in a folder and then have to move it. I have also observed that Microsoft Edge does not behave the same way (file are downloaded and inspected, but the only request to choose a destination is the one from the browser), so Firefox behavior it is at least inconsistent.

I know we are behind with versions, but we have to move slowly (very slowly) due to limited personnel and several active projects. We are trying to catch up.

0 Kudos
Swordfish
Contributor
‎2021-08-03 02:47 AM
In response to PIN64

I replicated the download behavior. I changed my settings for ms edge and Firefox to "Always ask you where to save files". Right after clicking the download button I can choose a folder where I want to store the file as expected.

Now the SandBlast Agent Browser Plugin cleanse / emulates the file based on your policy. After that I have to chose again a folder where I want to save this file or if I just want to open it.

I think this is a normal behavior, because the second time I get asked is for a the cleaned version of the file, which is a different file that I wanted to download in the first place. And last but not least, if I want to download the original file from the plugin (not the .cleaned version), I have to choose a third time where I want to save this file.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events