This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Baggy
Contributor
‎2025-10-06 02:03 AM

Error logs in Threat Emulation

An event occurred in which an error log in threat emulation was output and files could not be downloaded or uploaded.
Emulation is running on ThreatCloud.

In the log, the reason for the error is explained as follows
Reason:Timeout was exceeded

I think one of the causes is that the emulation connnection handling mode of Threat Emulation is set to Maximum Prevention in the Profile setting of the Threat Prevention Policy.

Do you know the main cause?

37 Replies
the_rock
MVP Platinum
MVP Platinum
‎2025-11-10 06:30 PM
In response to Baggy

K, so been few months then. I would say you can try change those settings we mentioned yesterday.

Best,
Andy
0 Kudos
Baggy
Contributor
‎2025-11-10 06:35 PM
In response to the_rock

@the_rock 

I will change the timeout value in $FWDIR/conf/malware_config and verify whether the same issue occurs in my lab.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-11-10 06:37 PM
In response to Baggy

This issue never happens in my lab (its on R82 jumbo 44), so I will send you content of that file from both cluster and single gw managed by R82 mgmt server. Single gw is R82 and cluster is R81.20 version. Its night my time, so will send it in the morning.

Best,
Andy
the_rock
MVP Platinum
MVP Platinum
‎2025-11-10 07:07 PM
In response to the_rock

@Baggy Im fairly positive content would be same on both R81.20 and R82, but will confirm, for sure.

Best,
Andy
0 Kudos
Baggy
Contributor
‎2025-11-10 11:23 PM
In response to the_rock

@the_rock 

I tested on R81.20.
No error output for “Reason: Timeout was exceeded” was found.
However, I have confirmed the following log entries:

R81.20
・Threat Prevention Advanced Settings
Resource Classfication mode:Hold
・Threat Prevention Profile Settings
Anti-Virus Settings
File Types Process all file types
Enable deep inspection scanning checked
Threat Emulation advanced settings
Emulation Connection Handling Mode:Maximum Prevention

・fw.log
------------------------------
Time: 2025-11-11T07:00:39Z
Interface Direction: inbound
Interface Name: eth1
Id: c0a801eb-81c7-e423-6913-5da7005c0000
Id Generated By Indexer: true
First: true
Sequencenum: 2
Client Type: Chrome
Service ID: https
Source: 192.168.1.195
Source Port: 58407
Destination: 104.21.47.248
Destination Port: 443
IP Protocol: 6
Log ID: 4000
Session Identification Number:0x0,0x0,0x0,0x0
Reason: Failed to process the file
Verdict: Error
Proxied Source IP: 192.168.1.195
Action: Detect
Type: Log
Policy Name: Standard
Policy Management: mgmt3
Db Tag: {1B633208-42C3-D444-89E6-98D5B57999B1}
Policy Date: 2025-11-11T06:57:25Z
Blade: Threat Emulation
Origin: mgmt3
Service: TCP/443
Product Family: Threat
Action: Inspect
Resource: https://files.testfile.org/ZIPC/60MB-Corrupt-Testfile.Org.zip
Log Server Origin: 192.168.1.235
Interface: eth1
Description: Threat Emulation

Time: 2025-11-11T07:00:39Z
Id: 7e16cd9f-ab70-2f20-39db-4a5d748e194a
Id Generated By Indexer: false
First: false
Sequencenum: 1
Log ID: 4000
Source: 192.168.1.195
Destination: 104.21.47.248
IP Protocol: 6
Source Port: 58407
Destination Port: 443
Threat Prevention Rule ID:F50127A1-D5C9-4BAC-8C3F-2D2557E6FFAD
Scope: 192.168.1.195
File Name: 60MB-Corrupt-Testfile.Org.zip
File Type: zip
File MD5: 6894f10dddc6562a107ea8e84a12f75e
File SHA-1: 83e470b4e7c4ebb1e2da13f749b99f7dfcbd7ccb
File SHA-256: 42559ecca7659e92ec038dc4cb8b3af1a2d93c03de88c4c4689e94bcd8b932b1
Verdict: Error
Analyzed On: Check Point Threat Cloud
Errors: File was not emulated on some of the operating systems. reason: archive: archive tool gets an error during extraction process. Win7,Office 2013,Adobe 11: archive tool gets an error during extraction process. WinXP,Office 2003/7,Adobe 9: archive tool gets an error during extraction process.
Determined By: Win7,Office 2013,Adobe 11: archive. WinXP,Office 2003/7,Adobe 9: archive.
Protection Type: HTTP Emulation
Severity: Informational
Confidence Level: N/A
Log Uid: 39DB4A5D-748E-194A-9FCD-167E202F70AB
Special Attack: 0
Action: Accept
Packet Capture: Packet Capture
Type: Log
Blade: Threat Emulation
Origin: mgmt3
Service: TCP/443
Product Family: Threat
File Size: 62914560
Log Server Origin: 192.168.1.235
Description: Threat Emulation
Description: Extracted files name:, /var/log/files_repository/Archive_Tool/8785455D-CDCA-49C6-B22F-D9325B260629/602351/archive_tool/tmp/3090fcc2-8fea-4a2c-9cf9-b798dd19b558/archives/{96BDA193-109B-1849-A784-4EED01EEECFF}, Extracted files type:, {96bda193-109b-1849-a784-4eed01eeecff}, Extracted files sha1:, Extracted files verdict:, Damaged
------------------------------

・/opt/CPsuite-R81.20/fw1/log/tp_failures.elg
------------------------------

Time:11/11 16:00:58; Inst:2; Conn:dir 0, 192.168.1.195:58407 -> 104.21.47.248:443 IPP 6; Session:100; App:CI_AV; Last Buffer Seen:1; rule_id:1; profile_id:1; AV Performed Hold:15:59:37; TE Performed Hold:15:59:37; Accumulated File Size:62914560; RAD Cache Miss:1; RAD Performed Hold:15:59:37; File Type ID:7204; File MD5:6894f10dddc6562a107ea8e84a12f75e; RAD Async Response Time:15:59:38; RAD Verdict:ACCEPT; Flexible Hold:1; TE Async Response Time:15:59:39; TE Verdict:NONE; AV Async Response Time:15:59:39; AV Verdict:NONE; TE Async Response Time:16:00:39; TE Verdict:NONE; Action None From US Failure:1; Fail-Open:1; Session ended with error:1; av_handler:ffffc90051ca97e0; Final Action:ACCEPT; Final Async Action Time:16:00:39; Strict Hold Start Sending File:1;

Time:11/11 16:03:31; Inst:0; Conn:dir 0, 192.168.1.195:58564 -> 18.172.52.34:443 IPP 6; Session:157; App:CI_AV; File Name:20251111064927035688; IFI Max File Size Exceeded:1; Content-Length:25622537; Strict Hold:1; Last Buffer Seen:1; rule_id:1; profile_id:1; AV Performed Hold:16:03:24; TE Performed Hold:16:03:24; Accumulated File Size:25622537; RAD Cache Miss:1; RAD Performed Hold:16:03:24; File Type ID:7204; File MD5:ec0aeb2e40fdec70a17675998a0015b4; RAD Async Response Time:16:03:24; RAD Verdict:ACCEPT; TE Async Response Time:16:03:25; TE Verdict:NONE; TE Async Response Time:16:03:25; TE Verdict:ACCEPT; AV Async Response Time:16:03:25; AV Verdict:NONE; Action None From US Failure:1; Fail-Open:1; Session ended with error:1; av_handler:ffffc900617e0d00; Final Action:ACCEPT; Final Async Action Time:16:03:25; Strict Hold Start Sending File:1;
------------------------------

regards,
Baggy


0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-11-11 03:29 AM
In response to Baggy

I should be able to get all this info for you soon from my lab, will put it all in notepad++ and attach.

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-11-11 04:12 AM
In response to the_rock

@Baggy 

Here is the file I promised with values in R81.20 and R82. To me, looks same as what you have, but I would still try increase them.

Best,
Andy
Preview file
14 KB
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-11-11 05:31 PM
In response to the_rock

@Baggy Let me know please if changing those values helps. Needless to say, just to be on the safe side, please have a backup beforehand. Hope it helps, but if not, I can do some more checks in the lab.

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events