PIN64
Explorer

Web page evaluated twice

Our company uses Endpoint Security E82.10 and I have noticed an unusual behavior.

We use a batch file calling Internet Explorer to access a web page on an internal IIS web server and trigger an update.

The command in the DOS batch file is:

Start "" "%ProgramFiles%\Internet Explorer\iexplore.exe" "http://servername.dom.net/page.aspx"

Since we installed Endpoint Security the update is triggered twice, and looking into the IIS log I can confirm that the page is read twice.

If I remove Endpoint Security everything goes back to normal.

I would like to set up an exception, but I am unable to identify which blade is responsible for this. 

I suspect it's Threat Emulation and Anti Exploit, but my attempt to create an exclusion for the website has been ineffective.

Any suggestion on the cause or a resolution?

 

Thanks in advance

10 Replies
PhoneBoy
Admin

When you say "triggered twice" what do you precisely mean?
Does IE open up twice?
Are there corresponding Endpoint logs?
PIN64
Explorer

The DOS batch file is executed as a Windows Scheduled task and it runs once.

Within the batch file there is the call to execute Internet Explorer to open a web page. As far as I can see, Internet Explorer is opened once. I have the same problem running the Internet Explorer line in a command prompt, so I don't think the scheduled task is a factor.

When I look into IIS logs, I see one "get" command at the time of execution, but the ASPX page is executed twice.

The webpage executes a command and mails a result. I receive the result twice.

I don't know which Endpoint logs to examine, but a "dumb" search for the URL in the log folders found the URL in the log sandblast_logs.log and in efr.db (I know this is not a log file, but it was a dumb search).

This is an example of the log content:

[03/07 11:07:27.191:001] IE_API (8792:1) Registered to IE events
[03/07 11:07:27.191:002] IE_API (8792:1) OnBeforeNavigate: New url = http://servername.dom.net/cron.aspx?lang=en&job=sync-active-directory, flags = 256, frame = , Prev url = , hashcode = 43942917
[03/07 11:07:27.206:003] IE_API (8792:1) SandBlast.isExcludedDomain(): excluded domains:
[03/07 11:07:27.206:004] IE_API (8792:1) SandBlast.isExcludedDomain(): domain didn't match any exclusion: servername.dom.net
[03/07 11:07:27.253:005] IE_API (8792:1) SandBlast.OnBeforeNavigate(): navigating to about:blank
[03/07 11:07:27.253:006] IE_API (8792:1) OnBeforeNavigate: New url = about:blank, flags = 256, frame = , Prev url = , hashcode = 43942917
[03/07 11:07:27.253:007] IE_API (8792:1) Checking if background is up
[03/07 11:07:27.269:008] IE_API (8792:1) Background does not exist
[03/07 11:07:27.878:001] IE_API (9520:1) Registered to IE events
[03/07 11:07:27.987:002] IE_API (9520:1) OnBeforeNavigate: New url = sandblast://data/background_runner.html, flags = 256, frame = , Prev url = , hashcode = 43942917
[03/07 11:07:27.987:003] IE_API (9520:1) OnBeforeNavigate: END
[03/07 11:07:28.097:004] IE_API (9520:1) OnNavigateComplete: sandblast://data/background_runner.html
[03/07 11:07:28.097:005] IE_API (9520:1) Hiding background window
[03/07 11:07:28.128:009] IE_API (8792:1) OnBeforeNavigate: END
[03/07 11:07:28.175:006] IE_API (9520:1) ieInstance_DocumentComplete: sandblast://data/background_runner.html
[03/07 11:07:28.237:007] PIPES (9520:4) (9520:1) IeServerPipe.Listen(): Background registration pipe ReadLoop thread started for .CP_SBA4B_PIPE_DOM_!Backup
[03/07 11:07:28.253:008] PIPES (9520:4) (9520:1) IeServerPipe.Listen(): Waiting for next tab registration
[03/07 11:07:28.300:010] IE_API (8792:1) OnNavigateComplete: about:blank
[03/07 11:07:28.316:011] IE_API (8792:1) ieInstance_DocumentComplete: about:blank
[03/07 11:07:28.362:012] PIPES (8792:1) IeClientPipe.ConnectToBackground(): Creating communication pipe .CP_SBA4B_PIPE_DOM_!Backup_8792_1_43942917_12189840_js_
[03/07 11:07:28.362:013] PIPES (8792:1) IeClientPipe.ConnectToBackground(): Setting low integrity level
[03/07 11:07:28.362:014] PIPES (8792:1) IeClientPipe.TryRegisterPipeOnBackground(): Connecting to background
[03/07 11:07:28.362:015] PIPES (8792:1) IePipe.IsOtherSideOk(): pipeProcessPath = c:\program files (x86)\internet explorer\iexplore.exe ieProcessPath = c:\program files (x86)\internet explorer\iexplore.exe
[03/07 11:07:28.362:016] PIPES (8792:1) IeClientPipe.TryRegisterPipeOnBackground(): Registering .CP_SBA4B_PIPE_DOM_!Backup_8792_1_43942917_12189840_js_ in background
[03/07 11:07:28.362:017] PIPES (8792:1) IeClientPipe.ConnectToBackground(): Waiting for background connection to tab communication pipe
[03/07 11:07:28.362:009] PIPES (9520:4) (9520:1) IeServerPipe.Listen(): Tab registration message received, message = .CP_SBA4B_PIPE_DOM_!Backup_8792_1_43942917_12189840_js_,about:blank
[03/07 11:07:28.378:019] PIPES (8792:1) IeClientPipe.ConnectToBackground(): Connection established from .CP_SBA4B_PIPE_DOM_!Backup to .CP_SBA4B_PIPE_DOM_!Backup_8792_1_43942917_12189840_js_
[03/07 11:07:28.378:018] PIPES (8792:1) IePipe.IsOtherSideOk(): pipeProcessPath = c:\program files (x86)\internet explorer\iexplore.exe ieProcessPath = c:\program files (x86)\internet explorer\iexplore.exe
[03/07 11:07:28.378:020] PIPES (8792:5) (8792:1) IeClientPipe.ConnectToBackground(): Communication ReadLoop thread spawned by tab
[03/07 11:07:28.362:010] PIPES (9520:4) (9520:1) IeServerPipe.Listen(): Tab registration complete
[03/07 11:07:28.362:011] PIPES (9520:4) (9520:1) IeServerPipe.Listen(): Waiting for next tab registration
[03/07 11:07:28.378:012] PIPES (9520:3) (9520:1) IeServerPipe.Listen(): Communication ReadLoop thread spawned by background
[03/07 11:07:28.378:013] PIPES (9520:3) (9520:1) IeServerPipe.Listen(): Connecting to tab communication pipe .CP_SBA4B_PIPE_DOM_!Backup_8792_1_43942917_12189840_js_
[03/07 11:07:28.409:021] IE_API (8792:1) ieInstance_BeforeScriptExecute: about:blank
[03/07 11:07:28.425:022] IE_API (8792:1) ieInstance_DocumentComplete: navigating back to http://servername.dom.net/cron.aspx?lang=en&job=sync-active-directory on frame
[03/07 11:07:28.425:023] IE_API (8792:1) OnBeforeNavigate: New url = http://servername.dom.net/cron.aspx?lang=en&job=sync-active-directory, flags = 256, frame = , Prev url = about:blank, hashcode = 43942917
[03/07 11:07:28.425:024] IE_API (8792:1) Checking if background is up
[03/07 11:07:28.425:025] IE_API (8792:1) OnBeforeNavigate: END
[03/07 11:07:28.441:014] ERROR (9520:1) callJsMethodRunner: HRESULT = Unknown name (0x80020006), method = cs_ie_send_message_invoked, args: %7B%22command%22%3A%22content_script_load%22%2C%22content_script_id%22%3A%2221da056f%22%7D, .CP_SBA4B_PIPE_DOM_!Backup_8792_1_43942917_12189840_js_, %7B%22mID%22%3A0%2C%22title%22%3A%22%22%2C%22url%22%3A%22about%3Ablank%22%7D
[03/07 11:07:30.894:026] IE_API (8792:1) OnNavigateComplete: http://servername.dom.net/cron.aspx?lang=en&job=sync-active-directory
[03/07 11:07:30.956:027] IE_API (8792:1) ieInstance_DocumentComplete: http://servername.dom.net/cron.aspx?lang=en&job=sync-active-directory
[03/07 11:07:30.972:028] IE_API (8792:1) ieInstance_BeforeScriptExecute: http://servername.dom.net/cron.aspx?lang=en&job=sync-active-directory
[03/07 11:07:31.003:015] ERROR (9520:1) callJsMethodRunner: HRESULT = Unknown name (0x80020006), method = cs_ie_send_message_invoked, args: %7B%22command%22%3A%22content_script_load%22%2C%22content_script_id%22%3A%223b0fa9b5%22%7D, .CP_SBA4B_PIPE_DOM_!Backup_8792_1_43942917_12189840_js_, %7B%22mID%22%3A0%2C%22title%22%3A%22NextOne%20Cron%20Execution%22%2C%22url%22%3A%22http%3A%2F%2Fservername.dom.net%2Fcron.aspx%3Flang%3Den%26job%3Dsync-active-directory%22%7D

I hope this answers your questions.

 

MikeB
Advisor

As far as I can tell, the exclusion is not being applied to your domain.

How did you apply the exclusion? I recommend not using wildcards but the exact domain.

In my case the SBA Extension did not apply the exclusions well if I used wildcards in the excluded domain.

[screenshot: image.png]

PIN64
Explorer

The problem may be that I did not put the exception in the right place.

Where should I define the exception: in the SandBlast Agent Threat Extraction, Emulation and Anti-Exploit settings? And can "domain" be the FQDN of the web server?

 

MikeB
Advisor

Yes. The exclusion should be applied in the following place:

[screenshots: image.png, image.png]

PIN64
Explorer

I made the change you suggested, but the pages are still executed twice and the log says the domain doesn't match any exclusion:

[07/07 05:00:08.432:001] IE_API (6416:1) Registered to IE events
[07/07 05:00:08.448:002] IE_API (6416:1) OnBeforeNavigate: New url = http://welcome.mydomain.com/cron.aspx?lang=en&job=visits-gdpr, flags = 256, frame = , Prev url = , hashcode = 43942917
[07/07 05:00:08.448:003] IE_API (6416:1) SandBlast.isExcludedDomain(): excluded domains:
[07/07 05:00:08.448:004] IE_API (6416:1) SandBlast.isExcludedDomain(): domain didn't match any exclusion: welcome.mydomain.com
[07/07 05:00:08.651:005] IE_API (6416:1) SandBlast.OnBeforeNavigate(): navigating to about:blank
[07/07 05:00:08.651:006] IE_API (6416:1) OnBeforeNavigate: New url = about:blank, flags = 256, frame = , Prev url = , hashcode = 43942917

 

I put welcome.mydomain.com in the exclusions and verified the policy was updated on the client.

I don't understand why it would not be recognized.
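Both IE_API excerpts in this thread (the 03/07 one above and the 07/07 one in this post) show the same sequence: OnBeforeNavigate to the target URL, an "excluded domains:" line with nothing listed after it, "didn't match any exclusion", a detour to about:blank, and then a second OnBeforeNavigate back to the original URL. The script below is an added example, not part of the thread and not Check Point code; it parses lines of that shape and flags any URL that a single IE tab navigated to more than once via about:blank, together with what the extension logged about its exclusion list. The sample log is constructed from the shape of the lines quoted above, and the regular expressions are assumptions about that format rather than a documented one.

```python
import re
from urllib.parse import urlsplit

# Assumed line shape, taken from the excerpts in the thread:
# [MM/DD hh:mm:ss.mmm:seq] COMPONENT (pid:tab) message
LINE_RE = re.compile(
    r"^\[(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d\.\d{3}):(?P<seq>\d{3})\] "
    r"(?P<comp>\S+) \((?P<pid>\d+):(?P<tab>\d+)\) (?P<msg>.*)$"
)
NAV_RE = re.compile(
    r"OnBeforeNavigate: New url = (?P<url>[^,]+), .*?Prev url = (?P<prev>[^,]*), hashcode = (?P<hash>\d+)"
)
EXCL_LIST_RE = re.compile(r"isExcludedDomain\(\): excluded domains:\s*(?P<domains>.*)$")
EXCL_MISS_RE = re.compile(r"domain didn't match any exclusion: (?P<domain>\S+)")

# Constructed sample: a shortened copy of the 03/07 sequence quoted in the thread.
SAMPLE_LOG = """\
[03/07 11:07:27.191:001] IE_API (8792:1) Registered to IE events
[03/07 11:07:27.191:002] IE_API (8792:1) OnBeforeNavigate: New url = http://servername.dom.net/cron.aspx?lang=en&job=sync-active-directory, flags = 256, frame = , Prev url = , hashcode = 43942917
[03/07 11:07:27.206:003] IE_API (8792:1) SandBlast.isExcludedDomain(): excluded domains:
[03/07 11:07:27.206:004] IE_API (8792:1) SandBlast.isExcludedDomain(): domain didn't match any exclusion: servername.dom.net
[03/07 11:07:27.253:005] IE_API (8792:1) SandBlast.OnBeforeNavigate(): navigating to about:blank
[03/07 11:07:27.253:006] IE_API (8792:1) OnBeforeNavigate: New url = about:blank, flags = 256, frame = , Prev url = , hashcode = 43942917
[03/07 11:07:27.878:001] IE_API (9520:1) Registered to IE events
[03/07 11:07:27.987:002] IE_API (9520:1) OnBeforeNavigate: New url = sandblast://data/background_runner.html, flags = 256, frame = , Prev url = , hashcode = 43942917
[03/07 11:07:28.425:023] IE_API (8792:1) OnBeforeNavigate: New url = http://servername.dom.net/cron.aspx?lang=en&job=sync-active-directory, flags = 256, frame = , Prev url = about:blank, hashcode = 43942917
[03/07 11:07:30.894:026] IE_API (8792:1) OnNavigateComplete: http://servername.dom.net/cron.aspx?lang=en&job=sync-active-directory
"""


def parse_events(text):
    """Turn raw log text into a list of dicts; lines that don't match the shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def exclusion_state(events):
    """Return (domains the extension logged as excluded, domains it logged as not matching)."""
    excluded, missed = [], set()
    for ev in events:
        m = EXCL_LIST_RE.search(ev["msg"])
        if m:
            excluded = [d for d in re.split(r"[,\s]+", m.group("domains")) if d]
        m = EXCL_MISS_RE.search(ev["msg"])
        if m:
            missed.add(m.group("domain"))
    return excluded, missed


def find_double_navigations(text):
    """Flag every real URL one IE tab navigated to more than once, noting an about:blank detour."""
    events = parse_events(text)
    excluded, missed = exclusion_state(events)
    history = {}  # (pid, tab) -> list of New url values in log order
    for ev in events:
        m = NAV_RE.search(ev["msg"])
        if m:
            history.setdefault((ev["pid"], ev["tab"]), []).append(m.group("url"))
    findings = []
    for (pid, tab), urls in history.items():
        for url in dict.fromkeys(urls):  # unique, first-seen order
            if url.startswith(("about:", "sandblast:")):
                continue  # the extension's own internal pages, not the site under test
            idx = [i for i, u in enumerate(urls) if u == url]
            if len(idx) < 2:
                continue
            detour = "about:blank" in urls[idx[0] + 1:idx[-1]]
            domain = urlsplit(url).hostname or ""
            findings.append({
                "pid": pid, "tab": tab, "url": url, "count": len(idx),
                "via_about_blank": detour, "domain": domain,
                "exclusion_list_empty": not excluded,
                "exclusion_missed": domain in missed,
            })
    return findings


if __name__ == "__main__":
    for f in find_double_navigations(SAMPLE_LOG):
        print(f)
```

Run against a full sandblast_logs.log, a finding with "via_about_blank": True and "count": 2 is the signature of the behavior described in this thread, and "exclusion_list_empty": True records that the extension printed nothing after "excluded domains:", which is worth quoting verbatim in a TAC case alongside the policy you believe was pushed to the client.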

 

MikeB
Advisor

Have you tried just with mydomain.com in the exclusions?
PIN64
Explorer

I am reluctant to do this because it would include some sites that are not hosted internally, but I will make an attempt.

PIN64
Explorer

I have tested the policy with the exclusion for the domain and it is still ignored/not recognized.

PhoneBoy
Admin

Best to open a TAC case so we can investigate what's happening.
