cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

MTA Threat Extraction / Emulation Workflow ?

Hi all,

I was looking for documentation about the workflow about the Threat Extraction and Emulation when used with MTA and couldn't find it.

So when an E-Mail arrives, what will be done first and what exactly will then be processed etc.

A visible workflow would help to understand how the System processes incoming E-Mails.

So what happens if we already have a file in the Cache, what happened with the Reputation of an Attachement and how is the verdict decision done?

It would be helpful if someone has any links or documents to answer this...

Thanks,

Peter

11 Replies

Re: MTA Threat Extraction / Emulation Workflow ?

0 Kudos
Highlighted

Re: MTA Threat Extraction / Emulation Workflow ?

Hi Günther,

Thanks for your reply and links, very interesting but only focused on the MTA Flow.

What I need is an overview what exactly is Happening when the E-Mail is arriving at the Threat Emulation / Extraction.

So as example: Incoming E-Mail - links in Body? - yes: do Threat Emulation - Malicious links included? - yes: Threat Emulation of the links or for Threat Extraction: Incoming E-Mail - is filetype active? - yes: Threat Extraction according Settings - verdict decision? etc...

A complete overview what exactly is Happening would answer the customers question how an E-Mail is exactly proceeded...

0 Kudos

Re: MTA Threat Extraction / Emulation Workflow ?

Then you must consult sk114806 ATRG: Threat Emulation - as you did study the Threat Prevention Administration Guide R80.10 already...

0 Kudos

Re: MTA Threat Extraction / Emulation Workflow ?

Thanks Günther,

Interesting document, (7) Emulation Workflow does give the needed Information about the workflow.

I'm still searching now the doc for Threat Extraction...

0 Kudos

Re: MTA Threat Extraction / Emulation Workflow ?

0 Kudos

Re: MTA Threat Extraction / Emulation Workflow ?

Hi Peter,

I recently wrote a document that gives an overview of content inspection. It's not exactly what you're looking for. But maybe this will help you to understand how content inspection works. But I still have to finish the MTA part.

R80.x Security Gateway Architecture (Content Inspection)

This document describes the content inspection in a Check Point R80.10 and above gateways. Context Management Infrastructure (CMI) is the "brain" of the content inspection and use more different modules (CMI Loader, PSL vs. PXL, Protocol Parsers, Pattern Matcher, Protections and new in R80.10 NGTP Architecture) for content inspection.

R80.x Security Gateway Architecture (Logical Packet Flow)

This document describes the packet flow (partly also connection flows) in a Check Point R80.10 and above with SecureXL and CoreXL, Content Inspection, Stateful inspection, network and port address translation (NAT), MultiCore Virtual Private Network (VPN) functions and forwarding are applied per-packet on the inbound and outbound interfaces of the device. There should be an overview of the basic technologies of a Check Point Firewall. We have also reworked the document several times with Check Point, so that it is now finally available.

Regards

Heiko

Re: MTA Threat Extraction / Emulation Workflow ?

Hi all,

Hi Heiko Ankenbrand‌,

Thank you very much fpr your feedbacks, I appreciate it!

Heiko's documents are great, with all the peacec of information I think I can construct an answer for this question.

It would be great if check point would create such a documentation about this...

Thanks,

Peter

0 Kudos

Re: MTA Threat Extraction / Emulation Workflow ?

Hello again,

According to the customer sometimes an incoming mail is NOT sent to Emulation AND Extraction.

I did some tests today and it seems really a strange behavior.

For the test I sent 3 E-Mails, 1 with only *.zip (text files), 2 with only *.pdf, 3 with both *.zip (text files) and *.pdf.

E-mail 1: Only Emulation is done according log.

E-Mail 2: Only Extraction is done according log.

E-Mail 3: Extraction and Emulation is done.

According to all the documents a receiving E-Mail should be sent to both Extraction AND Emulation.

So why do I not see this in the logs???

0 Kudos

Re: MTA Threat Extraction / Emulation Workflow ?

That all depends on the configuration - according to document type, the flow can be different, so you can say nothing without knowing the detailed configuration of TE / TX !

0 Kudos

Re: MTA Threat Extraction / Emulation Workflow ?

Right!

That's why I was looking for a detailed workflow for it 🙂

0 Kudos

Re: MTA Threat Extraction / Emulation Workflow ?

Then have a good look into Threat Prevention Administration Guide R80.10 and you will find everything there 😉