IPS, Anti-Virus, Anti-Bot, Anti-Spam

Your place to discuss Check Point's Intrusion Prevention System, Anti-Bot, Antivirus, and Anti-Spam solutions.

PhoneBoy (Admin) in IPS, Anti-Virus, Anti-Bot, Anti-Spam, 3 hours ago (1986 views)

Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

On 8th January 2020, @Oren_Koren gave us a preview of a SmartConsole Extension that will be launched at CPX 360 2020, making it simple to move from Detect to Prevent with Check Point! The following is available to CheckMates members who are logged in: Slides (will be provided after CPX 360 2020) and Video. Q&A will be posted as comments. The SmartConsole Extension mentioned: https://secureupdates.checkpoint.com/appi/tailoredsafe/extension.json

Validity of DET (Data Exfiltration Toolkit - ICMP Mode)

Can someone let me know if the DET (Data Exfiltration Toolkit - ICMP Mode) is accurately identified by CP? I am seeing these in the Security Checkup environment from multiple sources that are Meraki Wi-Fi access points.

Can anyone tell me how to check for Apache Tomcat vulnerabilities on the Check Point?

So I got a notification from one of my team members that we are seeing an increase in Apache Tomcat vulnerabilities and exploits. Now, I don't know if he found that out by looking at logs or something else, or maybe from some other device or tool, so can someone tell me if it's possible to know that from the Check Point logs or some other way?

Edit: So I did some digging and typed "apache" in the logs search bar, and a lot of logs appear that show high/critical (Apache Struts URL anchor tag, remote code execution attempted from some foreign IP to dest IP (the dest IP would be the IPs in our environment), etc.), and when I open them they are all set to Detect in the rules. Now I'm pretty sure there is a reason as to why they are set to Detect and not Block or something else, but I don't know why. I do know that there are desktops in our environment running Apache, so it's definitely related to that. So in case I do change the rule from Detect to Block or something, that means it's going to affect traffic to those desktops, right? So they should update their Apache Tomcat versions on their machines to prevent these logs from appearing, am I right or wrong?

Failed to parse CP site response

In the last couple of weeks I have seen the following error alerting in flurries on multiple sites at the same time, all running R80.30 with HTTPS Inspection and the URL&App blade, AV, AB etc. Has anyone else seen this? Anyone resolved it? It is filling the admin mailboxes and I'm concerned that a. users are having problems or b. most worryingly, that potentially harmful sites are being accessed without protection because of 'fail-open'. Note from these two examples that the blade reporting the issue varies, as does the website involved. Goo.gl features highly in this on multiple sites, but there are plenty of other examples.

HeaderDateHour: 4Feb2020 10:49:56; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 36; Action: ctl; Origin: fwl-0002; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:goo.gl/forms/gn0vx7tcxe; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_8520_258746 For more details; severity: 3; ProductName: Anti Malware; ProductFamily: Network;

and also:

HeaderDateHour: 1Feb2020 9:43:46; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 37; Action: ctl; Origin: fwl-0002; IfDir: >; InterfaceName: daemon; Alert: mail; OriginSicName: N/A; description: Error occur while accessing:cdn.videogram.com; reason: Failed to parse CP Site Response., check /opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_8520_206678 For more details; severity: 3; ProductName: URL Filtering; ProductFamily: Network;

IPS Updates for Optimized Profile

I have started to use the Optimized profile for my IPS; however, I have noticed protections that should be enabled according to the Check Point IPS Update email, yet are actually inactive. Please see the example: Advantech WebAccess SCADA Stack-based Buffer Overflow (CVE-2019-3975, CVE-2019-3951) should be set as activated but has not been. Anyone know why this would be the case and how I could fix it?

Oracle January 2020 CVEs (CVE-2020-2546)

We have a vendor that cannot patch a system for CVE-2020-2546. Does anyone know if there will be a signature available soon? While looking for this, I see there are a lot of new Oracle exploits being patched, so I assume people are hard at work creating virtual patching. Ref: https://www.tenable.com/blog/oracle-january-2020-critical-patch-update-contains-255-cves

Difference between Signature based protection (IPS, Antivirus, Anti-bot) Versus Sandboxing

Hi all, I am trying to build a business case for a Check Point Sandboxing solution (i.e. ThreatCloud or TX appliances). The question I have is: what's the extra value that Sandboxing brings?

As in, my security gateways already have IPS, Anti-Virus and Anti-Spam, and these protections are all based on signatures automatically released and downloaded to my Check Point Security Gateways from Check Point. And with these, I thought they can scan any incoming/outgoing files on email attachments, files sent to and from my sFTP server, etc.

Being the devil's advocate, why would I need to spend more to get Sandboxing? I know Sandboxing does provide protection for zero-day attacks (aka anything that is "unknown"). But if Check Point researches and releases a new signature and automatically pushes it to my Security Gateways, what's the point of getting Sandboxing?

Cheers, Hunt

Detect and Prevent difference

In SmartView, when Check Point shows Attacks (for example 2 critical attacks), if I click it (let's say it is found by the Anti-Virus blade), it shows details and writes only "Action: Detect" and "not prevented by policy". Besides, in the General Overview tab, it shows general information about detection and prevention (%).

How can I clearly understand them? Does it mean that blades cannot prevent all types of attacks? What is the difference between detect and prevent? Does "detect" refer to some kind of protection?

mail alert from checkpoint

I want to receive email notifications from Check Point about critical alerts (anti-virus, IPS, anti-bot). I found it in SmartEvent, but when I create a new 'Automatic Reaction' there is only an "Outgoing mail server (SMTP)" parameter. I think it is not enough; where can I enter my email credentials (username and password) and POP parameters? I think those are necessary.

MTA define sending Interface

Hi, I configured the MTA on a CP 5800 cluster running R80.10. The customer wants to evaluate the SandBlast feature and therefore asked me to implement it. I followed the Admin Guide and everything seems to work. The design looks like this: Mail gateway (10.223.181.X) -> forwards mails to the MTA -> which then forwards them to the Exchange DAG (10.223.181.X).

But when we tested the connection (telnet 10.223.181.X 25) between the firewall cluster and the Exchange DAG, we received the following error: "421 4.3.2 Service not available". It seems that the current receive connector at the Exchange DAG did not accept connections from the Check Point MTA. But that didn't make any sense to me, since the mail gateway, Check Point and the Exchange DAG are in the same subnet. So I thought the MTA would send out mails via the gateway IP address in that subnet. So we changed the receive connector policy to accept connections from any subnet. That worked and we could test-send a mail from the MTA to the Exchange server. Within the mail header information we found out that the IP address used to send the mail was from a completely different subnet.

My question: Is there a way to define which interface has to be used by the MTA for forwarding mails?

r80.20 - Application Control - HTTP parsing error occurred (2)

Hello, I have URL Filtering in Check Point, and when I try to enter some web pages it writes this error in the web browser: "Error: Error: The Web Socket transport is in an invalid state, transitioning into reconnecting". And in the SmartConsole logs there are these logs (see the screenshots): 1) IPS detect, but accept 2) Alert and block traffic.

IPS Analyzer Results

I have read the other posts on the IPS Analyzer out there and realize that the protections listed as "Threat Prevention protection #" are coming from other blades. Is there a way to identify which blades these are coming from in the raw files that you run IPS Analyzer on? What is the best way to identify and remediate these? Thanks in advance!

IPS Signature CVE-2020-0601

Hi, did you manage to trigger the CVE-2020-0601 IPS protection? I tried using:
- Check Point R80.30
- Strict and Optimized profile
- with and without SSL Inspection
- a vulnerable OS
- Test page: http://testcve.kudelskisecurity.com/

Results: without SSL Inspection it is unable to detect the attack. With SSL Inspection I have: "Internal system error in HTTPS Inspection (Error Code: 2), Bypassing request as configured in engine settings of HTTPS Inspection". Does somebody know what condition has to be met to trigger this IPS protection?

Best regards, Maciej

Blocking IP using custom IOC feeds

Hello all, I am trying to automatically block IPs from IOC feeds coming from ServiceNow SecOps. I can see that Check Point is able to fetch the IOCs from SecOps; however, it is not blocking those IPs. I am using R80.30 (gateway and management are behind a proxy, and it is standalone). I checked sk103154 and it asks me to install the script "ip_block_sk103154.tar". Unfortunately, with my access I am unable to download this script. Please let me know if there is any workaround for this issue.
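Whatever mechanism finally pushes the feed to the gateway, the feed itself deserves a sanity pass first: a single RFC 1918 address, a 0.0.0.0/0 entry or one of your own prefixes in an automatically applied block list takes the network down. The script below is an added example written for this page; it is not the sk103154 script and not ServiceNow or Check Point code. The feed layout (a JSON list of {"value", "type"} objects) is an assumption, the never-block list is an assumption in which 192.0.2.0/24 stands in for the organisation's own range, and the output is a plain one-indicator-per-line list rather than any gateway feed format.

```python
"""Validate an IP IOC feed before turning it into a gateway block list."""
import ipaddress
import json

# Constructed feed. The JSON shape ("value"/"type" per indicator) is an assumption,
# not the ServiceNow SecOps export or the Check Point feed schema.
SAMPLE_FEED = json.dumps([
    {"value": "203.0.113.45", "type": "ip"},
    {"value": "203.0.113.45", "type": "ip"},       # duplicate
    {"value": "198.51.100.0/24", "type": "cidr"},
    {"value": "198.51.100.7", "type": "ip"},       # already inside the /24 above
    {"value": "10.20.30.40", "type": "ip"},        # RFC 1918: would block internal hosts
    {"value": "0.0.0.0/0", "type": "cidr"},        # would block everything
    {"value": "192.0.2.55", "type": "ip"},         # inside the (assumed) organisation's own range
    {"value": "2001:db8::1", "type": "ip"},
    {"value": "evil.example", "type": "domain"},   # not an IP indicator
    {"value": "300.1.1.1", "type": "ip"},          # malformed
])

# Ranges a block list must never contain: local/reserved space plus the organisation's
# own prefixes (192.0.2.0/24 stands in for those here; an assumption, not a real range).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
    "::/128", "::1/128", "fe80::/10", "fc00::/7", "ff00::/8",
    "192.0.2.0/24",
)]
MIN_PREFIXLEN = {4: 8, 6: 32}   # anything broader than this is a typo, not an indicator


def normalize_ip_iocs(feed_json):
    """Return (accepted networks, [(value, reason), ...] rejected)."""
    accepted, rejected = [], []
    for item in json.loads(feed_json):
        value = str(item.get("value", "")).strip()
        if item.get("type") not in ("ip", "cidr"):
            rejected.append((value, "not an IP indicator"))
            continue
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            rejected.append((value, "malformed"))
            continue
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            rejected.append((value, "prefix too broad"))
            continue
        if any(net.version == bad.version and net.overlaps(bad) for bad in NEVER_BLOCK):
            rejected.append((value, "never-block range"))
            continue
        accepted.append(net)
    # Collapse duplicates and hosts already covered by a wider prefix, per address
    # family (ipaddress.collapse_addresses refuses mixed IPv4/IPv6 input).
    v4 = ipaddress.collapse_addresses(n for n in accepted if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in accepted if n.version == 6)
    return list(v4) + list(v6), rejected


def blocklist_lines(networks):
    """Plain text, one indicator per line; single hosts without a /32 or /128 suffix."""
    return [str(n.network_address) if n.num_addresses == 1 else str(n) for n in networks]


if __name__ == "__main__":
    accepted, rejected = normalize_ip_iocs(SAMPLE_FEED)
    print("\n".join(blocklist_lines(accepted)))
    for value, reason in rejected:
        print(f"rejected {value}: {reason}")
```

Run it and compare the rejected list against what the feed provider intended: an indicator that lands in "never-block range" is usually a feed bug on their side, and it is better to find that in a log line than as an outage.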
Tetsu in IPS, Anti-Virus, Anti-Bot, Anti-Spam, 2 weeks ago (237 views)

The meaning of null in action field for SmartDefense

Hi. Now I need to design security rules in a SIEM for Check Point SmartDefense (IPS). In order to do so, I need to know why some SmartDefense logs do not have a type of action, such as accept, in them. Based on the action, I'd like to catch events to create an alert in the SIEM.
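The Apache Tomcat post, the "Failed to parse CP site response" alerts and this question all come down to reading the Action field out of exported Check Point records and deciding what a rule should do when it says Detect, when it says Prevent, and when it is missing entirely. The script below is an added example for this page, not Check Point tooling and not code from any of the posters. It parses the "key: value;" layout of the mail alerts quoted above (the first sample record is copied from that post), classifies each record, and raises a finding for a high-severity attack that was only detected and for any record with no Action field, so the "null action" case surfaces in the SIEM instead of being dropped. The three IPS records and their field names (product, attack, severity, src, dst) are constructed assumptions about an IPS export, not fields copied from a real gateway.

```python
"""Parse Check Point-style "key: value;" log records and classify Detect vs Prevent."""
from collections import Counter

# Sample input. The first record is copied from the "Failed to parse CP site response"
# post on this page; the other three are constructed IPS records. The IPS field names
# (product, attack, severity, src, dst) are assumptions, not fields from a real gateway.
SAMPLE_LOGS = [
    "HeaderDateHour:  4Feb2020 10:49:56; ContentVersion: 5; HighLevelLogKey: N/A; "
    "Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 36; Action: ctl; Origin: fwl-0002; IfDir: >; "
    "InterfaceName: daemon; Alert: mail; OriginSicName: N/A; "
    "description: Error occur while accessing:goo.gl/forms/gn0vx7tcxe; "
    "reason: Failed to parse CP Site Response., check "
    "/opt/CPsuite-R80.30/fw1/log/rad_events/Errors/flow_8520_258746 For more details; "
    "severity: 3; ProductName: Anti Malware; ProductFamily: Network;",
    "HeaderDateHour: 5Feb2020 11:02:13; Origin: fwl-0002; Action: Detect; "
    "product: SmartDefense; attack: Apache Struts URL Anchor Tag Remote Code Execution; "
    "severity: Critical; src: 203.0.113.7; dst: 192.0.2.10; ProductFamily: Network;",
    "HeaderDateHour: 5Feb2020 11:02:40; Origin: fwl-0002; Action: Prevent; "
    "product: SmartDefense; attack: Apache Tomcat Directory Traversal; severity: High; "
    "src: 198.51.100.21; dst: 192.0.2.11; ProductFamily: Network;",
    "HeaderDateHour: 5Feb2020 11:03:05; Origin: fwl-0002; product: SmartDefense; "
    "attack: Apache Tomcat Directory Traversal; severity: High; "
    "src: 198.51.100.22; dst: 192.0.2.11; ProductFamily: Network;",
]

# Action values that mean the connection was stopped vs. only logged. "IPS detect, but
# accept" in the Application Control post is the second case: the traffic was allowed.
# The sets assume the input has already been filtered to Threat Prevention records.
PREVENTED = {"prevent", "drop", "reject", "block"}
DETECTED = {"detect", "accept"}


def parse_cp_log(line):
    """Split a semicolon-delimited record into a dict. Splitting on ': ' (colon-space)
    keeps values such as 'accessing:goo.gl/...' and '10:49:56' intact."""
    rec = {}
    for field in line.split(";"):
        key, sep, value = field.strip().partition(": ")
        if sep and key:
            rec[key] = value.strip()
    return rec


def outcome(rec):
    """Classify a record: 'prevented', 'detected', 'control' or 'none' (no Action field)."""
    action = (rec.get("Action") or rec.get("action") or "").lower()
    if not action:
        return "none"
    if action in PREVENTED:
        return "prevented"
    if action in DETECTED:
        return "detected"
    return "control"   # e.g. "ctl" on the daemon-originated RAD alert above


def siem_findings(lines, alert_severities=("critical", "high")):
    """Return (per-outcome counts, findings). A finding is raised for a high-severity
    attack that was only detected and for any record with no Action field at all."""
    counts = Counter()
    findings = []
    for line in lines:
        rec = parse_cp_log(line)
        result = outcome(rec)
        counts[result] += 1
        name = rec.get("attack") or rec.get("description") or "?"
        if result == "none":
            findings.append(("missing_action", name))
        elif result == "detected" and rec.get("severity", "").lower() in alert_severities:
            findings.append(("not_prevented", name))
    return counts, findings


if __name__ == "__main__":
    counts, findings = siem_findings(SAMPLE_LOGS)
    print(dict(counts))
    for kind, name in findings:
        print(f"{kind}: {name}")
```

The point of the "missing_action" branch is the SIEM design question above: a rule keyed only on Action equals Detect silently ignores records where the field is absent, so treat absence as its own condition and count it, rather than assuming it means allowed or blocked.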