Anti-Virus log prompt: "background classification mode was set"

Dear 

FW: 23500    Version: R80.10    Hotfix: R80_10_JUMBO_HF_Bundle_T56_sk11638

I have set hold mode, refer to the screenshots below:

TP configuration as follows:

But the log shows as follows:

Description:

Connection was allowed because background classification mode was set. See sk74120 for more information.

"loop.sawmilliner.com" is a C2 and malware site, as follows:

I have set classification mode to hold, so why does it still show "background classification mode was set"?

Thanks!

10 Replies

You are looking at the wrong Software Blade. Threat Prevention is for downloads. For site classification, you need AC and URL Filtering to be changed.


Thanks, but the log matches the Anti-Virus blade. This behavior is in the DNS request phase. Can't it be blocked by TP at the DNS request stage?


Look here:


Thanks, I will try it.


Hi,

I have the same issue. I have set the URL Filtering setting to Hold mode, but I am still getting the same "It is allowed because background classification mode was set" entries in the logs.


Was this ever resolved? I am facing the exact same issue. Thanks.


I am also facing the same issue. Does anyone have an idea?


I have a customer with this same issue. Does Check Point have a configuration fix for this, or is this a bug?


Hello, same issue here, any news about it?


Isn't this because Checkpoint changed how DNS classification occurs? So check out:

https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve...

Even though in your policy you've set Hold, that will be relevant only for HTTP, SMTP and SMB. DNS will still be in background mode for optimization purposes. You'd have to manually change that in your malware_config file on the gateway if you want DNS to be in Hold mode as well.

I think what you are seeing here is normal based on the log you showed as this was a DNS query that got bypassed.

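To see how much traffic is actually slipping through on a deferred verdict before touching malware_config, it helps to pull the "background classification mode was set" entries out of the gateway logs and break them down by service. The script below is an added example, not code from the thread or from Check Point: it parses a simplified key="value" log layout that is constructed here for illustration (real exported logs use a different field layout, so adjust the regex to your log exporter format), counts bypasses per service so that DNS (domain-udp) shows up separately from HTTP, and flags any deferred verdict that involved a domain on a local watch list. The description text is the one quoted in the thread; the rest of the sample lines, the field names and the watch list are assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines (not real gateway output). The description string
# is the one quoted in the thread; every other field is assumed for illustration.
SAMPLE_LOGS = """\
time="2019-03-01 10:00:01" blade="Anti Virus" action="Accept" service="domain-udp" src="10.1.2.3" dst="8.8.8.8" resource="loop.sawmilliner.com" description="Connection was allowed because background classification mode was set. See sk74120 for more information."
time="2019-03-01 10:00:02" blade="Anti Virus" action="Prevent" service="http" src="10.1.2.3" dst="203.0.113.10" resource="http://loop.sawmilliner.com/dl.exe" description="Malicious URL blocked"
time="2019-03-01 10:00:03" blade="URL Filtering" action="Accept" service="http" src="10.1.2.4" dst="198.51.100.7" resource="http://example.net/" description="Connection was allowed because background classification mode was set. See sk74120 for more information."
time="2019-03-01 10:00:04" blade="Anti Virus" action="Accept" service="domain-udp" src="10.1.2.5" dst="8.8.8.8" resource="update.example.org" description="Connection was allowed because background classification mode was set. See sk74120 for more information."
"""

# Substring that identifies a verdict deferred to background classification.
BACKGROUND_MARKER = "background classification mode was set"

# key="value" pairs; assumes values contain no embedded double quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" log line into a dict."""
    return dict(KV_RE.findall(line))


def find_background_bypasses(log_text):
    """Return the parsed records whose description shows the background-mode bypass."""
    records = (parse_line(line) for line in log_text.splitlines() if line.strip())
    return [r for r in records if BACKGROUND_MARKER in r.get("description", "")]


def summarize_by_service(records):
    """Count bypasses per service; a high domain-udp count with Hold configured
    is the DNS-stays-in-background behaviour discussed in the thread."""
    return Counter(r.get("service", "?") for r in records)


def _hostname(resource):
    """Reduce a URL or bare domain in the resource field to its host part."""
    return re.sub(r"^[a-z]+://", "", resource).split("/")[0].lower()


def watchlist_hits(records, watchlist):
    """Return (host, service) pairs where a deferred verdict touched a watch-listed domain."""
    hits = []
    for r in records:
        host = _hostname(r.get("resource", ""))
        if host in watchlist:
            hits.append((host, r.get("service")))
    return hits


if __name__ == "__main__":
    bypasses = find_background_bypasses(SAMPLE_LOGS)
    print("bypasses per service:", dict(summarize_by_service(bypasses)))
    # Hypothetical local watch list; use your own threat-intel feed here.
    print("watch-list hits:", watchlist_hits(bypasses, {"loop.sawmilliner.com"}))
```

Run against the sample data the script reports two deferred DNS verdicts and one deferred HTTP verdict, and flags the DNS query for loop.sawmilliner.com; the HTTP download from the same host was blocked and therefore does not appear, which is the distinction the earlier replies draw between the DNS request phase and the download phase.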