Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Peter_Baumann
Contributor

MTA Threat Extraction / Emulation Workflow ?

Hi all,

I was looking for documentation about the workflow about the Threat Extraction and Emulation when used with MTA and couldn't find it.

So when an E-Mail arrives, what will be done first and what exactly will then be processed etc.

A visible workflow would help to understand how the System processes incoming E-Mails.

So what happens if we already have a file in the Cache, what happened with the Reputation of an Attachement and how is the verdict decision done?

It would be helpful if someone has any links or documents to answer this...

Thanks,

Peter

11 Replies
G_W_Albrecht
Legend
Legend

I would suggest the following documents:

Mail Transfer Agent (MTA) - FAQ

sk109699 ATRG: Mail Transfer Agent (MTA)

sk120260 MTA Debugging and Performance Troubleshooting Toolkit

But of course, there is much more  !

CCSE CCTE CCSM SMB Specialist
0 Kudos
Peter_Baumann
Contributor

Hi Günther,

Thanks for your reply and links, very interesting but only focused on the MTA Flow.

What I need is an overview what exactly is Happening when the E-Mail is arriving at the Threat Emulation / Extraction.

So as example: Incoming E-Mail - links in Body? - yes: do Threat Emulation - Malicious links included? - yes: Threat Emulation of the links or for Threat Extraction: Incoming E-Mail - is filetype active? - yes: Threat Extraction according Settings - verdict decision? etc...

A complete overview what exactly is Happening would answer the customers question how an E-Mail is exactly proceeded...

0 Kudos
G_W_Albrecht
Legend
Legend

Then you must consult sk114806 ATRG: Threat Emulation - as you did study the Threat Prevention Administration Guide R80.10 already...

CCSE CCTE CCSM SMB Specialist
0 Kudos
Peter_Baumann
Contributor

Thanks Günther,

Interesting document, (7) Emulation Workflow does give the needed Information about the workflow.

I'm still searching now the doc for Threat Extraction...

0 Kudos
G_W_Albrecht
Legend
Legend

Thre is only sk101553 Check Point Document Threat Extraction Technology afaik.

CCSE CCTE CCSM SMB Specialist
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion

Hi Peter,

I recently wrote a document that gives an overview of content inspection. It's not exactly what you're looking for. But maybe this will help you to understand how content inspection works. But I still have to finish the MTA part.

R80.x Security Gateway Architecture (Content Inspection)

This document describes the content inspection in a Check Point R80.10 and above gateways. Context Management Infrastructure (CMI) is the "brain" of the content inspection and use more different modules (CMI Loader, PSL vs. PXL, Protocol Parsers, Pattern Matcher, Protections and new in R80.10 NGTP Architecture) for content inspection.

R80.x Security Gateway Architecture (Logical Packet Flow)

This document describes the packet flow (partly also connection flows) in a Check Point R80.10 and above with SecureXL and CoreXL, Content Inspection, Stateful inspection, network and port address translation (NAT), MultiCore Virtual Private Network (VPN) functions and forwarding are applied per-packet on the inbound and outbound interfaces of the device. There should be an overview of the basic technologies of a Check Point Firewall. We have also reworked the document several times with Check Point, so that it is now finally available.

Regards

Heiko

➜ CCSM Elite, CCME, CCTE
Peter_Baumann
Contributor

Hi all,

Hi Heiko Ankenbrand‌,

Thank you very much fpr your feedbacks, I appreciate it!

Heiko's documents are great, with all the peacec of information I think I can construct an answer for this question.

It would be great if check point would create such a documentation about this...

Thanks,

Peter

0 Kudos
Peter_Baumann
Contributor

Hello again,

According to the customer sometimes an incoming mail is NOT sent to Emulation AND Extraction.

I did some tests today and it seems really a strange behavior.

For the test I sent 3 E-Mails, 1 with only *.zip (text files), 2 with only *.pdf, 3 with both *.zip (text files) and *.pdf.

E-mail 1: Only Emulation is done according log.

E-Mail 2: Only Extraction is done according log.

E-Mail 3: Extraction and Emulation is done.

According to all the documents a receiving E-Mail should be sent to both Extraction AND Emulation.

So why do I not see this in the logs???

0 Kudos
G_W_Albrecht
Legend
Legend

That all depends on the configuration - according to document type, the flow can be different, so you can say nothing without knowing the detailed configuration of TE / TX !

CCSE CCTE CCSM SMB Specialist
0 Kudos
Peter_Baumann
Contributor

Right!

That's why I was looking for a detailed workflow for it 🙂

0 Kudos
G_W_Albrecht
Legend
Legend

Then have a good look into Threat Prevention Administration Guide R80.10 and you will find everything there 😉

CCSE CCTE CCSM SMB Specialist

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events