Iron

meaning of Anti-virus blade Log "Action details = bypass"

Hello Checkmates,

Can you help me understand the value  "bypass" under column M "Action details" in the Anti-virus blade Log. And why the traffic was allowed although the rule was to prevent?

The Threat Prevention rule of the Anti-Virus and Anti-Bot rule for "Confidence Level = High" and "severity = High" is to prevent but the traffic was allowed with action "Detect".

| Time | Type | Action | Resource | Protection Name | Destination | Confidence Level | Severity | Blade | Protection Type | Malware Action | Correlation Unit Category | Action Details |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| May 4, 2020 2:36:25 PM | Correlated | Detect | http://googe[.]com/ | Phishing_website.TC.xyuns | 162.243.10.151 | High | High | Anti-Virus | URL Reputation | Access to site known to contain malware | Legacy;Threat Prevention | bypass |
| May 4, 2020 2:36:24 PM | Log | Detect | http://googe[.]com/ | Phishing_website.TC.xyuns | 162.243.10.151 | High | High | Anti-Virus | URL Reputation | Access to site known to contain malware | | bypass |
0 Kudos
10 Replies
Admin

Re: meaning of Anti-virus blade Log "Action details = bypass"

Is the gateway set to Hold or Background?
I could see that happening if set to Background, where there may be a delay before the gateway receives the exact classification and the connection was short (and thus couldn't be prevented in time).

[Screenshot attached: Screen Shot 2020-05-10 at 4.03.23 PM.png]
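The reply above explains why a Detect verdict with "bypass" in Action Details is a connection that slipped through while Background categorization was still pending, not a policy decision. Before switching a gateway to Hold, an admin usually wants to know how often that actually happens. The script below is an added example, not code from this thread or from Check Point: it parses a log export shaped like the log card in the question and separates such fail-open rows from ordinary Detect verdicts. The column names come from the question; the pipe delimiter, the `profile_action_for_high` parameter and the third sample row are constructed assumptions.

```python
"""Triage a Check Point Threat Prevention log export for 'bypass' events.

Added example (not from the thread or from Check Point). Column names follow
the log card in the question; the pipe-delimited export format and the
sample rows are constructed for this example.
"""

import csv
from collections import Counter
from io import StringIO

# Constructed sample export: the two rows from the question plus one made-up
# ordinary Detect row for contrast (the destination 10.9.8.7 is constructed).
SAMPLE_EXPORT = """\
Time|Type|Action|Resource|Protection Name|Destination|Confidence Level|Severity|Blade|Protection Type|Malware Action|Correlation Unit Category|Action Details
May 4, 2020 2:36:25 PM|Correlated|Detect|http://googe[.]com/|Phishing_website.TC.xyuns|162.243.10.151|High|High|Anti-Virus|URL Reputation|Access to site known to contain malware|Legacy;Threat Prevention|bypass
May 4, 2020 2:36:24 PM|Log|Detect|http://googe[.]com/|Phishing_website.TC.xyuns|162.243.10.151|High|High|Anti-Virus|URL Reputation|Access to site known to contain malware||bypass
May 4, 2020 2:40:01 PM|Log|Detect|http://example.invalid/|Constructed.Detect.Sample|10.9.8.7|Medium|Low|Anti-Virus|URL Reputation|Access to site known to contain malware||
"""


def parse_export(text):
    """Parse the pipe-delimited export into a list of dicts keyed by column name."""
    return list(csv.DictReader(StringIO(text), delimiter="|"))


def classify(record, profile_action_for_high="Prevent"):
    """Return a triage label for one log record.

    'bypass' in Action Details means the gateway let the connection through
    while the online categorization was still pending (Background mode), so a
    Detect verdict there is a fail-open rather than the profile's decision.
    profile_action_for_high is an assumed stand-in for the TP profile action
    on High confidence / High severity (Prevent in the question).
    """
    details = record["Action Details"].strip().lower()
    action = record["Action"].strip()
    high = record["Confidence Level"] == "High" and record["Severity"] == "High"
    if details == "bypass":
        return "fail-open (categorization pending)"
    if action == "Detect" and high and profile_action_for_high == "Prevent":
        return "policy mismatch (expected Prevent)"
    return "as configured"


def summarize(text):
    """Count triage labels, skipping Correlated rows so each connection counts once."""
    counts = Counter()
    for rec in parse_export(text):
        if rec["Type"] == "Correlated":  # the Correlation Unit repeats the underlying Log row
            continue
        counts[classify(rec)] += 1
    return dict(counts)


if __name__ == "__main__":
    for label, n in summarize(SAMPLE_EXPORT).items():
        print(f"{n:4d}  {label}")
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the file contents; a high share of "fail-open" rows relative to "as configured" is the number to weigh against the latency that Hold would add.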

Iron

Re: meaning of Anti-virus blade Log "Action details = bypass"

Spot on! It is set to Background.

What are the pros and cons of setting it to Hold? What is the average delay of a hold?

Thanks

FM


0 Kudos
Employee+

Re: meaning of Anti-virus blade Log "Action details = bypass"

Hi,
It's explained here: https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_ThreatPrevention_AdminGuide/...

Let us know if you have any further questions.
Iron

Re: meaning of Anti-virus blade Log "Action details = bypass"

I read the general description of the three different options, but what I am looking for is an expert's insight about setting the Resource categorization mode to "Hold": is the latency noticeable to the end user?

  • Hold - connections are blocked until categorization is complete - When a connection cannot be categorized with the cached responses, it remains blocked until the Check Point Online Web Service completes categorization.

Thank you

FM

0 Kudos
Admin

Re: meaning of Anti-virus blade Log "Action details = bypass"

It can be, yes, depending on the circumstances.
0 Kudos

Re: meaning of Anti-virus blade Log "Action details = bypass"

A side question for you, perhaps you can help.

Some traffic on Anti-bot blade I am monitoring is currently allowing traffic through as Detect and not Prevent even though the gateway is set to 'Hold' and not 'Background'. The Threat Prevention policy is also set to Prevent. I found no exceptions that could interfere with this. On R80.30 btw


0 Kudos

Re: meaning of Anti-virus blade Log "Action details = bypass"

Need to see the redacted log card for this event to assist.  In the meantime, check the Activations tab for all the circled Protection classes below:

[Screenshot attached: tp_activations.png, Threat Prevention profile Activations tab with the Protection classes circled]


Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
0 Kudos

Re: meaning of Anti-virus blade Log "Action details = bypass"

According to the log, the protection type is listed as 'DNS Reputation'.
In the menu you showed above, I do not have a protection with this name. I have only the ones you circled in red.
0 Kudos

Re: meaning of Anti-virus blade Log "Action details = bypass"

Pretty sure DNS Reputation is part of "Reputation Domains" or possibly "Reputation IPs".  And the Activations for these two categories are set to what for your TP profiles?

0 Kudos

Re: meaning of Anti-virus blade Log "Action details = bypass"

Both categories are set to Prevent.

I did find another source that says that DNS Reputation will always be set to Detect and this config can't be changed.

Perhaps this is the cause?

https://community.checkpoint.com/t5/IPS-Anti-Virus-Anti-Bot-Anti/Threat-Prevention-is-Not-Block-DNS-...

0 Kudos