SubZer0
Collaborator

Issue with MTA and Threat Emulation Engine Release - Password Protected Archives Not Being Blocked

I have detected an issue with MTA and Threat Emulation. Password-protected archive attachments are no longer being blocked as expected. During debugging, I noticed that running cat $FWDIR/teCurrentPack/te_ver.ini returns version 60.990002419. However, according to sk95235, the latest available version should be 60.990002351.

It appears that the installed engine version is higher than what is officially listed, and this might be related to the failure in blocking encrypted archives.

0 Kudos
1 Solution

Accepted Solutions
Chris_Atkinson
MVP Platinum CHKP

If you already have the necessary config per sk112821 please open a TAC SR and share the details so I can loop in the necessary folk.

CCSM R77/R80/ELITE


11 Replies
Chris_Atkinson
MVP Platinum CHKP

Are you saying malicious archives aren't being blocked or are you expecting _all_ password protected archives to be blocked - what is your configuration?

Please raise a case with TAC to investigate as appropriate.

CCSM R77/R80/ELITE
SubZer0
Collaborator

All password protected archives to be blocked.

0 Kudos
Chris_Atkinson
MVP Platinum CHKP

Make sure you share the following outputs with TAC:

[Expert@HostName:0]# tecli advance archive show

[Expert@HostName:0]# tecli advance error show

CCSM R77/R80/ELITE
SubZer0
Collaborator

tecli advance archive show

Encrypted archives feature is: enabled

tecli advance error show

file_max_size error File exceeds size limit
archive_max_files error Max number of files in archive reached
archive_pass_protected fail_close Password protected archives cannot be emulated
archive_extraction error Archive extraction error
doc_pass_protected continue Password protected document
archive_mime_type_mismatch continue Extension indicates an archive, but MIME type is unsupported.
unsupported_file_type error Unsupported file type
archive_max_decompression_rate_limit fail_close Max decompression rate limit reached in archive, file is suspected to be an archive bomb.
file_type_mismatch continue Extension indicates a specific file type, but MIME type shows a different type.

 

0 Kudos
the_rock
MVP Diamond

Definitely do share what Chris gave. I recall TAC asking for those before.

Best,
Andy
Chris_Atkinson
MVP Platinum CHKP

If you already have the necessary config per sk112821 please open a TAC SR and share the details so I can loop in the necessary folk.

CCSM R77/R80/ELITE
SubZer0
Collaborator

The system was working fine, but it stopped working suddenly without any changes being made. I’ve already applied the settings according to sk112821, but it’s still not working.

0 Kudos
the_rock
MVP Diamond

Definitely open a TAC case then, as Chris suggested.

Best,
Andy
0 Kudos
the_rock
MVP Diamond

Hey mate,

Please keep us posted on how this gets solved. Had a customer today ask me something very similar.

Best,
Andy
0 Kudos
SubZer0
Collaborator

TAC case was sent to an R&D engineer.

0 Kudos
the_rock
MVP Diamond

Hey mate,

I would just follow what Chris suggested, he is excellent. I'm sure he will assist you offline with this if needed.

Best,
Andy
0 Kudos
