Solved: Re: Block .lzn file extension in MTA Blade

SubZer0

I would like to block the .lzh file extension in MTA Blade. When I go to the settings, this extension is not listed, even though SK106123 https://support.checkpoint.com/results/sk/sk106123 states that Check Point supports it.

Does this extension need to be added manually or configured additionally in the firewall?

Chris_Atkinson

Are you sure?

CCSM R77/R80/ELITE

View solution in original post

Vincent_Bacher

You are talking about te blade, right?

Which release are you using?

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite

SubZer0

I am using MTA blade: 81.20.991002020 https://support.checkpoint.com/results/sk/sk123174

Vincent_Bacher

I don't mean to be pedantic, but MTA is a feature, not a blade.

The question was relevant since you linked to a Threat Emulation SK.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite

the_rock

Im fairly sure I know setting you are referring to, but screenshot would help confirm.

Best,
Andy

SubZer0

the_rock

Let me check it in the lab, but yea, thats it.

Best,
Andy

the_rock

Just verified, tested R82 lab as well. file not listed. Wish those files extensions can be sorted alphabetically, but either way, its not present.

Best,
Andy

SubZer0

Is it possible to add manually?

the_rock

Does not appear to be the case, cant find that option anywhere.

Best,
Andy

Vincent_Bacher

When I was still working intensively with it, I always had to be careful not to constantly confuse TE and TX, so I just remembered that there was an SK for TX where you could enable new file extensions via scrub configuration and add new extensions, while you had to submit a request for new file types for TE.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite

the_rock

Good point Vince.

Best,
Andy

Chris_Atkinson

Note that you are looking at AV protections here and not TE.

The extension not being there doesn't imply that TE will take no action on malicious files.

Start here: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics...

CCSM R77/R80/ELITE

the_rock

Just checked Chris, still not even there.

Best,
Andy

Chris_Atkinson

Are you sure?

CCSM R77/R80/ELITE

the_rock

Yea, I know its there, I was referring to TP profile settings, its definitely not there.

Best,
Andy

the_rock

Apologies Chris, I see it worked now in the lab. I made sure lzh extension was enabled in blade settings, pushed policy and then it came up in the profile.

Best,
Andy

SubZer0

Thank you all for your cooperation. However, I still have an open question.

Is it possible to block attachments with the .lzh file extension on the MTA?

Under Threat Prevention → Threat Emulation, I have the .lzh extension enabled.

However, when I go to Threat Prevention → Threat Extraction → Configure File Type Support, the .lzh extension is not listed.

The same extension is also not available under Profiles → Anti-Virus, where it would otherwise be possible to block the file type.

the_rock

Keep in mind, those are 2 separate blades.

Best,
Andy

SubZer0

I understand that Threat Emulation has this capability and Threat Extraction does not.
However, is it possible to add this functionality to Threat Extraction?

the_rock

If its listed in the file list, then you can try add it.

Best,
Andy

SubZer0

Yes but how can I add it?

Vincent_Bacher

There was an old SK
sk112240 - How to add support for new file types in Threat Extraction
But newer releases are not listed and no clue how it's done nowadays.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite

PhoneBoy

I didn't see the relevant files in R82.
Sounds like it might be worth a TAC case, referencing sk112240.

Are you a member of CheckMates?

Block .lzn file extension in MTA Blade