This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
HristoGrigorov
Mentor
Mentor
‎2020-06-04 12:55 AM

EICAR in ZIP archive

I cannot get our firewall to detect this URL:

https://s3-eu-west-1.amazonaws.com/cp-chk-files/e.zip

It is ZIP-ed EICAR used in CheckMe and I think the problem is coming from the fact that IPS does not inspect ZIP archives and Anti-Virus is not detecting EICAR at all.

HTTPS Inspection and AV archive scanning are enabled.

For example this one is detected without any problems:

http://s3-eu-west-1.amazonaws.com/cp-chk-files/win7_64bit_big.zip

Are my observations correct or am I doing something wrong ?

0 Kudos
7 Replies
_Val_
Admin
Admin
‎2020-06-04 02:30 AM

Do you have HTTPS Inspection on and appropriate AVI rule configured?

0 Kudos
HristoGrigorov
Mentor
Mentor
‎2020-06-04 02:41 AM
In response to _Val_

Yep, already mentioned it in my post. 

0 Kudos
_Val_
Admin
Admin
‎2020-06-04 02:59 AM
In response to HristoGrigorov

Yes you did, missed that. I guess it worth taking this with TAC then

0 Kudos
Wolfgang
Authority
Authority
‎2020-06-04 04:55 AM

@HristoGrigorov 

got it detected....

eicar_block.png

Wolfgang

HristoGrigorov
Mentor
Mentor
‎2020-06-04 04:59 AM
In response to Wolfgang

Thank you, must be a configuration issue at my side then.

0 Kudos
HristoGrigorov
Mentor
Mentor
‎2020-06-04 05:35 AM
In response to HristoGrigorov

I think I found what the problem is.

I have HTTPS bypass for an Updatable Object that resolves to the same IP as the server that is hosting this archive.

I suspect it is one of Zoom, Webex or Skype for Business ones.

0 Kudos
_Val_
Admin
Admin
‎2020-06-04 12:12 PM
In response to HristoGrigorov

could be the case

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Thu 25 Apr 2024 @ 10:00 AM (CEST)

    The Anatomy of a Cloud Hack by NotSoSecure - EMEA Session

    Thu 25 Apr 2024 @ 06:00 PM (IDT)

    The Anatomy of a Cloud Hack by NotSoSecure - America Session
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Thu 02 May 2024 @ 04:00 PM (CEST)

    CheckMates Live DACH - Keine Kompromisse - Sicheres SD-WAN
    Virtual

    Thu 02 May 2024 @ 05:00 PM (CEST)

    SASE Masters: Deploying Harmony SASE for a 6,000-Strong Workforce in a Single Weekend
    CheckMates Events