- Products
- Learn
- Local User Groups
- Partners
- More
Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hello anybody,
I want to configure YARA signatures for simple PDF detections in my lab environment (R81.10 GW and SMS) using sk123156.
As said in sk I enabled feature:
tecli advanced yara set status 1
Created simple yar rule in $FWDIR/conf/yara/custom_rules/:
rule PDF_detect
{
meta:
Description = "Detect pdf document YARA"
protectionTypes = "classification"
strings:
$str = {25504446}
condition:
$str at 0x00
}Compile yar rule and in logs I see nothing when I try to download pdf files.
Also in sk mentioned: "you should see this rule in every malicious file report".
I tried create malicious pdf file with reverse tcp in kali linux using "setoolkit" utility, temporary placed evil pdf in some cloud share service, than download from link using PC behind GW.
After this actions in logs I see some Detects with Prevent reaction, but for IPS, not Threat Emulation:
I tried to disable IPS blade at all so that only Threat Emulation was enabled, but in logs I seen same Prevent with IPS..
Could anybody explain me how should yara work?
Which report should display yara match's?
Thank you in advance!
| User | Count |
|---|---|
| 29 | |
| 12 | |
| 11 | |
| 9 | |
| 8 | |
| 7 | |
| 6 | |
| 6 | |
| 6 | |
| 5 |
Tue 12 May 2026 @ 10:00 AM (CEST)
The Cloud Architects Series: Check Point Cloud Firewall delivered as a serviceWed 13 May 2026 @ 11:00 AM (EDT)
TechTalk: The State of Ransomware Q1 2026: Key Trends and Their ImpactThu 14 May 2026 @ 07:00 PM (EEST)
Under the Hood: Presentando Check Point Cloud Firewall como ServicioTue 12 May 2026 @ 10:00 AM (CEST)
The Cloud Architects Series: Check Point Cloud Firewall delivered as a serviceTue 19 May 2026 @ 06:00 PM (IDT)
AI Security Masters E8 - Claude Mythos: New Era in Cyber Security
