IPS, Anti-Virus, Anti-Bot, Anti-Spam

Your place to discuss Check Point's Intrusion Prevention System, Anti-Bot, Antivirus, and Anti-Spam solutions.

R80.10 Mismatched Replies Core IPS Protection

Hi,

I'm trying to get DNS queries to populate in our logs. Is this possible in R80.10? There's an old R77 article which states it can be achieved by enabling the IPS protection "Mismatched Replies" (or other related DNS protections):
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116694

I've noticed in R80.10 the protection is set to "Inactive". Within the SmartDashboard it states:
Supported Products:
Security Gateway: NGX R65, R70, R71, R75, R75.20
Connectra: R62CM, R66

Does anyone know if activating this protection will produce the same results as outlined in the above article? If not, is there another way to achieve this?

Thanks,
Jon

Generic.TC.gjgwrm verbose description

My antivirus detects a malicious DNS request for the resource qaeqxa.pw. The signature is Generic.TC.gjgwrm. Please help me find a verbose description of the signature.

How to test if anti-bot feature of sandblast agent is working?

Hi everyone!

I plan to test the Anti-Bot software blade of SandBlast Agent from low to high confidence. Our endpoint security client is the E82.20 Windows client. I know there are URLs for the gateway and some URLs for SandBlast Agent. Please kindly share the URLs if anyone knows them.

Thanks

DNS Trap prevent after Activation Anti-Bot

Hi together,

Since I activated Anti-Bot on CP SGW members (R80.10/R80.20 and R80.30), I have trouble with DNS requests. From time to time users can't get access to the Internet, because Anti-Bot prevents:
SRC: Internal User
DST: Internal DNS Server (10.1.1.67)
with protection details: Mgmt Server R80.30.

This issue occurs only for the DNS IP 10.1.1.67. By activation of Anti-Bot (on the cluster member) we added the following IP (10.1.1.67) - yellow marked:

What's the reason for it?
1.) DNS Trap with prevent to the internal DNS (needed!)?
2.) In the detail log you can see under Forensics Details: d2cb5ad7002c4066.huaweisafedns.com ?

CVE-2020-0601

Any ideas when CP is going to release a protection for CVE-2020-0601? It seems that it should be doing this already, but would like to verify!

Blocking IP using custom IOC feeds

Hello All,

I am trying to automatically block IPs from IOC feeds coming from ServiceNow-Secops. I can see that Check Point is able to fetch IOCs from Secops; however, it is not blocking those IPs. I am using R80.30 (gateway and management are behind a proxy and it is standalone). I checked sk103154 and it asks me to install the script "ip_block_sk103154.tar". Unfortunately, with my access I am unable to download this script. Please let me know if there is any workaround for this issue.

Antibot Blade Action Redirect

Hello,

I noticed a log in our environment where the Anti-Bot blade detected malware but the action is shown as Redirect. What does the action Redirect signify?

Thanks
Posted by PhoneBoy (Admin) in IPS, Anti-Virus, Anti-Bot, Anti-Spam, yesterday

Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

On 8th January 2020, @Oren_Koren gave us a preview of a SmartConsole Extension that will be launched at CPX 360 2020, making it simple to move from Detect to Prevent with Check Point! The following is available to CheckMates members who are logged in:
Slides (will be provided after CPX 360 2020)
Video
Q&A will be posted as comments.

Crimea IP ranges in Threat Prevention Geo Policy

Hi,

I need to apply specific security rules for traffic coming from Crimea, but this state is not defined in the Check Point Threat Prevention Geo Policy. So far, I've been downloading manual updates from MaxMind and statically updating the Check Point policy. This manual method is not reliable enough, as you can understand. What do you think would be the best way to maintain policies with Crimea IP ranges on Check Point? I doubt that I'm the only one facing this challenge.

Thanks in advance.

Threat Emulation Exceptions

I have noticed we are emulating far too many files for our 250,000 file limit. Not long ago I decided we did not need to emulate Windows.update files AND secureupdate.checkpoint.com files. I created exceptions for our Endpoint client but sadly they are still being emulated. Has anyone else tried to reduce their emulation load and noticed this behavior?

Many thanks for your support,
Dan Roddy

Anti-Virus log prompt: "background classification mode was set"

Dear all,

FW: 23500
Version: R80.10
Hotfix: R80_10_JUMBO_HF_Bundle_T56_sk11638

I have set hold mode, refer to the screenshots below:
TP configuration as follows:
But the log shows as follows:
Description: Connection was allowed because background classification mode was set. See sk74120 for more information.
"loop.sawmilliner.com" is a C2 and malware site, as follows:
I have set classification mode to hold, so why does it still show "background classification mode was set"?

Thanks!

Inspection settings block while being inactive, bug?

Hello. We had an inspection setting, TCP invalid retransmission, that we had to make an exception for, even though it is set to inactive. How can it block traffic if it's inactive in the profile? Is this just a bug? On R80.30.

Suspicious Activity Monitoring (SAM) Rules

The challenge was to block a lot of public IPs, allocated via the Mgmt Server. Example: to allocate on all SGWs I do the following on the Mgmt Server (CP R80.30):

fw sam -I subdst 2.237.76.249 255.255.255.255

Everything is fine and this IP is blocked on all our SGWs from R80.10 till R80.30. The problem is to check which IPs are in the kernel table in this "blocking mode".

So I did on the SGW:

[Expert@SGW:0]# fw tab -t sam_blocked_ips
localhost:
-------- sam_blocked_ips --------
dynamic, id 8141, num ents 1175, load factor 2.29, attributes: keep, , hashsize 512, limit 50000
<a7567bb0; 00000000, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

-> Example: a7=167 .56=186 .7b=123 .b0=176 from hex to dec !!! IPv4= 167.186.123.176 !!!!

Actually 1175 entries are active on this SGW. How can I see all these entries? Is there a table to copy and convert to IPv4 (all these 1175 IPs)?

My output is the following:

[Expert@SGW:0]# fw tab -t sam_blocked_ips
localhost:
-------- sam_blocked_ips --------
dynamic, id 8141, num ents 1175, load factor 2.29, attributes: keep, , hashsize 512, limit 50000
<a7567bb0; 00000000, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
<46a935ea; 00000000, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
<9a78e3ce; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
<68efafd3; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
<2d5094a8; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
<830067c8; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
<ba926e6c; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
<be8ec86c; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
<18b57d3e; 00000000, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
<d44996e9; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
<02ed4cf9; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
<ba54ad99; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
<92b9fdaf; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
<59bc7c91; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
<566240bd; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
<4845632f; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
...(16434 More)
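As an added example (not from the post above and not a Check Point tool), a small Python script that does the conversion the post works through by hand: it reads saved output of fw tab -t sam_blocked_ips, pulls the 8-hex-digit key from each <...> entry and prints it as dotted IPv4, reading the key big-endian as the post does (0xa7 = 167 is the first octet; note that 0x56 is 86 in decimal). The file name and the embedded sample dump are constructed for the example.

```python
import ipaddress
import re
import sys
from typing import List, Optional, Tuple

# One table entry per "<key; attr, attr, ...>" group. Only the 8-hex-digit key
# before the ';' is the address; the following fields are entry attributes.
ENTRY_RE = re.compile(r"<([0-9a-fA-F]{8});")
HEADER_RE = re.compile(r"num ents (\d+)")


def hex_to_ipv4(key: str) -> str:
    """Turn an 8-hex-digit table key into dotted IPv4.

    Assumption (taken from the post's own reading, a7567bb0 -> 167.x.x.x):
    the first byte printed is the first octet, i.e. the key is big-endian.
    """
    return str(ipaddress.IPv4Address(int(key, 16)))


def parse_sam_table(text: str) -> Tuple[Optional[int], List[str]]:
    """Return (entry count declared in the table header, list of dotted IPs)."""
    m = HEADER_RE.search(text)
    declared = int(m.group(1)) if m else None
    ips = [hex_to_ipv4(k) for k in ENTRY_RE.findall(text)]
    return declared, ips


# Constructed sample in the shape of the "fw tab -t sam_blocked_ips" output
# quoted in the post; a real dump has one <...> group per blocked address.
SAMPLE = """\
localhost:
-------- sam_blocked_ips --------
dynamic, id 8141, num ents 3, load factor 2.29, attributes: keep, , hashsize 512, limit 50000
<a7567bb0; 00000000, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
<46a935ea; 00000000, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
<9a78e3ce; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
"""

if __name__ == "__main__":
    # Usage: fw tab -t sam_blocked_ips > sam.txt ; python3 sam_ips.py sam.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    declared, ips = parse_sam_table(text)
    for ip in sorted(ips, key=ipaddress.IPv4Address):
        print(ip)
    # The header count is the reliable total: a mismatch means the printed
    # dump was cut short (the "(N More)" trailer) and should be re-exported.
    if declared is not None and declared != len(ips):
        print(f"warning: header declares {declared} entries, parsed {len(ips)}",
              file=sys.stderr)
```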

Blocking TOR Exit nodes with scripting

Hello guys!

I'm planning to block all of the TOR exit nodes using the Check Point scripts created for that purpose, see the link below.
How to block traffic coming from known malicious IP addresses

My question is this: will these exit nodes be appended to the SAM rule, or when it updates the SAM rule will it clean all my SAM rules already created and in place?

Thank you very much for your support.
Best regards.
Luis Borralho

CVE-2019-19781

Hello, will my Check Point firewall have a signature for CVE-2019-19781? I would like to alert on exploitation attempts against my Citrix access gateways and wonder if Check Point will automatically detect the directory traversal style attack.