Ravoth
Participant

URLs of Google and Microsoft (windowsupdate.com and gvt1.com)

Hello team,

We are facing an issue with Threat Emulation, which detected URLs belonging to Google and Microsoft (windowsupdate.com and gvt1.com) that Check Point classified as malicious or a threat. Why does Check Point detect them as malicious or a threat? Please kindly help us to resolve this issue.

[Screenshot: Threat Emulation - Microsoft URL]

 

Thanks in advance!

Ravoth

Ravoth
0 Kudos
3 Replies
PhoneBoy
Admin

In that log message, it says the file that was downloaded was a forbidden type.
Has nothing to do with where it came from.
You should be able to just adjust the Threat Prevention profile accordingly to allow it or add an exception.
Do you have other examples?

0 Kudos
Ravoth
Participant

Dear PhoneBoy,
First of all, we would like to know whether the domain/URL belongs to Microsoft and Google or not. If it really belongs to them, why did Check Point detect it as malicious or a threat, or is it really malicious? Please advise us what we can do to stop Check Point detecting it as malicious if it is a legitimate file. We have checked the domain on WHOIS and X-Force Exchange, and they say it belongs to Microsoft and Google.

Thank you!
This is an example of a Google update and Windows Update.
[Screenshot: Google Update - Redirected]
[Screenshot: Threat Emulation - Windows Update]
Ravoth
0 Kudos
PhoneBoy
Admin

I assume Google and Microsoft respectively own the domains because that's what their WHOIS records say.

The Google update has nothing to do with where it came from, but with your Threat Prevention profile, as I said with the previous example.
You probably have a rule blocking .EXE files and that message is consistent with that.

The Microsoft update is probably a false positive.
You can work around it with an exception, but I recommend engaging with the TAC.

0 Kudos
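The distinction PhoneBoy draws in the thread, a block caused by the profile's file-type policy versus an emulation verdict that may be a false positive, is the kind of thing worth automating when triaging these logs. The script below is an added example, not code from the thread or from Check Point: the log records, their field names (`host`, `file_type`, `reason`, `verdict`) and values are constructed for illustration and do not reflect Check Point's log schema. It also shows the check a practitioner wants before writing a vendor exception: match the confirmed domain on a label boundary rather than by substring, so a lookalike host such as `windowsupdate.com.attacker.example` does not inherit the exception.

```python
"""Triage helper for Threat Emulation-style log records (added example).

The records, field names and values below are constructed for illustration;
they are not Check Point's log schema and are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Optional

# Domains the administrator has confirmed (e.g. via WHOIS) belong to the vendor,
# as discussed in the thread. Matching is on a label boundary, never substring,
# so "evilgvt1.com" or "windowsupdate.com.attacker.example" do not match.
TRUSTED_UPDATE_DOMAINS = {
    "windowsupdate.com": "Microsoft",
    "gvt1.com": "Google",
}


def owner_of(host: str) -> Optional[str]:
    """Return the confirmed owner of host, or None if it is not a trusted domain."""
    host = host.lower().rstrip(".")
    for domain, owner in TRUSTED_UPDATE_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return owner
    return None


@dataclass
class Triage:
    category: str            # "policy_block" | "emulation_verdict" | "other"
    owner: Optional[str]     # vendor that owns the host, if confirmed
    recommendation: str


def triage(record: dict) -> Triage:
    """Classify one record the way the thread's answer does."""
    host = record.get("host", "")
    owner = owner_of(host)
    reason = record.get("reason", "").lower()
    verdict = record.get("verdict", "").lower()

    if "forbidden file type" in reason:
        # Blocked by the profile's file-type rule; the origin host is irrelevant.
        rec = ("Policy block on file type '%s'; adjust the Threat Prevention "
               "profile or add an exception if this download is wanted."
               % record.get("file_type", "?"))
        return Triage("policy_block", owner, rec)

    if verdict == "malicious":
        if owner:
            # Emulation verdict on a vendor-owned host: likely false positive,
            # but keep the exception narrow and escalate to TAC.
            rec = ("Emulation verdict on a host owned by %s; likely false "
                   "positive. Add a scoped exception and open a TAC case." % owner)
        else:
            rec = "Emulation verdict on an unverified host; treat as a real detection."
        return Triage("emulation_verdict", owner, rec)

    return Triage("other", owner, "No action derived from this record.")


# Constructed sample records (hypothetical hosts and field values).
SAMPLE_RECORDS = [
    {"host": "dl-ssl.gvt1.com", "file_type": "exe",
     "reason": "forbidden file type", "verdict": "blocked"},
    {"host": "download.windowsupdate.com", "file_type": "cab",
     "reason": "", "verdict": "malicious"},
    {"host": "windowsupdate.com.attacker.example", "file_type": "exe",
     "reason": "", "verdict": "malicious"},   # lookalike, must not be trusted
]


def triage_all(records=None) -> list:
    """Triage every record; defaults to the constructed samples."""
    return [triage(r) for r in (SAMPLE_RECORDS if records is None else records)]


if __name__ == "__main__":
    for r, t in zip(SAMPLE_RECORDS, triage_all()):
        print("%-40s %-18s owner=%-9s %s" % (r["host"], t.category, t.owner, t.recommendation))
```

The first sample reproduces the thread's Google case (blocked by file type, so the profile is the fix), the second the Windows Update case (emulation verdict on a confirmed vendor host, so exception plus TAC), and the third shows why the domain check must anchor on a dot boundary before any exception is written.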