Iron

meaning of Anti-virus blade Log "Action details = bypass"

Hello Checkmates,

Can you help me understand the value "bypass" under column M "Action details" in the Anti-Virus blade log, and why the traffic was allowed although the rule was to prevent?

The Threat Prevention rule for the Anti-Virus and Anti-Bot blades with "Confidence Level = High" and "Severity = High" is to prevent, but the traffic was allowed with action "Detect".

Time | Type | Action | Resource | Protection Name | Destination | Confidence Level | Severity | Blade | Protection Type | Malware Action | Correlation Unit Category | Action Details
May 4, 2020 2:36:25 PM | Correlated | Detect | http://googe[.]com/ | Phishing_website.TC.xyuns | 162.243.10.151 | High | High | Anti-Virus | URL Reputation | Access to site known to contain malware | Legacy;Threat Prevention | bypass
May 4, 2020 2:36:24 PM | Log | Detect | http://googe[.]com/ | Phishing_website.TC.xyuns | 162.243.10.151 | High | High | Anti-Virus | URL Reputation | Access to site known to contain malware | (blank) | bypass
0 Kudos
14 Replies
Admin

Is the gateway set to Hold or Background?
I could see that happening if set to Background, where there may be a delay before the gateway receives the exact classification and the connection was short (and thus couldn't be prevented in time).

Screen Shot 2020-05-10 at 4.03.23 PM.png

Iron

Spot on! It is set to Background.

What are the pros and cons of setting it to Hold? What is the average delay of a hold?

Thanks

FM


0 Kudos
Employee+

Hi,
It's explained here: https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_ThreatPrevention_AdminGuide/...

Let us know if you have any further questions.
Iron

I read the general description of the three different options, but what I am looking for is an expert's insight about setting the Resource categorization mode to "Hold": is the latency noticeable to the end user?

  • Hold - connections are blocked until categorization is complete - When a connection cannot be categorized with the cached responses, it remains blocked until the Check Point Online Web Service completes categorization.

Thank you

FM

0 Kudos
Admin

It can be, yes, depending on the circumstances.
0 Kudos
Iron

We finally changed the setting to HOLD on 2020-07-23, but it allowed 3 in Detect instead of Prevent. See the attached screen capture showing the Resource Categorization setting as "Hold", and a table showing the allowed traffic in Background mode. The traffic fulfills the conditions for it to be "Prevented": Confidence Level = "High" and Severity "High" or "Critical". Can you tell me why the Vendor List value for one of the events is blank?

Time | Malware Action | Vendor List | Description
Jul 29, 2020 2:04:34 PM | Malicious file/exploit download | (blank) | (blank)
Jul 29, 2020 2:04:31 PM | Malicious file/exploit download | Check Point ThreatCloud | Connection was allowed because background classification mode was set. See sk74120 for more information.
Jul 29, 2020 12:43:28 PM | Malicious file/exploit download | Check Point ThreatCloud | Connection was allowed because background classification mode was set. See sk74120 for more information.
0 Kudos
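The two log tables in this thread (the May 4 Anti-Virus rows with "Action Details = bypass", and the Jul 29 rows whose description says the connection was allowed because background classification mode was set) show the same pattern: a Detect on an event that met the profile's Prevent criteria. The following script is an added example, not code from the thread or from Check Point, for auditing an exported log for that pattern. It assumes a CSV export with the column names used below and uses constructed sample rows; the Prevent criteria (Confidence High, Severity High or Critical) are taken from the poster's description of their profile.

```python
"""Flag Threat Prevention log rows that were allowed with action Detect even
though the profile's Prevent criteria were met, because resource categorization
ran in Background mode (the log marks these as Action Details = bypass or with a
description citing background classification mode).

Added example; the sample export below is constructed, not real log data."""

import csv
import io
from dataclasses import dataclass

# Constructed sample export. Column names are an assumption for this example;
# the values mirror the fields shown in the thread's two tables.
SAMPLE_LOG = """\
Time,Type,Action,Resource,Confidence Level,Severity,Blade,Action Details,Description
"May 4, 2020 2:36:24 PM",Log,Detect,http://googe[.]com/,High,High,Anti-Virus,bypass,
"Jul 29, 2020 2:04:31 PM",Log,Detect,,High,Critical,Anti-Virus,,"Connection was allowed because background classification mode was set. See sk74120 for more information."
"Jul 29, 2020 12:30:00 PM",Log,Prevent,http://example.invalid/,High,High,Anti-Virus,,
"Jul 29, 2020 1:00:00 PM",Log,Detect,http://example.invalid/,Low,Medium,Anti-Virus,,
"""

# Prevent criteria as described by the poster for their profile.
PREVENT_CONFIDENCE = {"High"}
PREVENT_SEVERITY = {"High", "Critical"}


@dataclass
class BypassEvent:
    time: str
    resource: str
    reason: str


def meets_prevent_criteria(row):
    """True when the row's confidence/severity would normally trigger Prevent."""
    return (row["Confidence Level"] in PREVENT_CONFIDENCE
            and row["Severity"] in PREVENT_SEVERITY)


def bypass_reason(row):
    """Return why the row looks like a Background-mode bypass, or None."""
    if row.get("Action Details", "").strip().lower() == "bypass":
        return "action details = bypass"
    if "background classification mode" in row.get("Description", "").lower():
        return "description cites background classification mode"
    return None


def find_background_bypasses(csv_text):
    """Return the Detect rows that met Prevent criteria but were let through."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Action"] != "Detect" or not meets_prevent_criteria(row):
            continue
        reason = bypass_reason(row)
        if reason:
            events.append(BypassEvent(row["Time"], row["Resource"], reason))
    return events


if __name__ == "__main__":
    for event in find_background_bypasses(SAMPLE_LOG):
        print(f"{event.time}: {event.resource or '(no resource)'} -> {event.reason}")
```

Rows that were actually prevented, or that never met the Prevent criteria, are ignored; what remains is the set of connections that would have been blocked under Hold mode, which is a useful count to review before and after changing the categorization setting.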
Admin

Did you push policy after making that change?
If so, you may want to involve the TAC. 

Iron

I am waiting for the Network admin to confirm if he did "Push Policy".

If it has the same effect: we did "Push Policy" after our weekly IDS protection rule update on Wed 7/29/2020 6:10 PM. The time of the push policy was after the 3 events that were allowed at Jul 29, 2020 2:04:34 PM and could not have applied.

0 Kudos
Admin

Pretty sure changing the profile requires an explicit policy push versus the automatic update of IPS signatures, which doesn't require an explicit policy push to take effect. 


A side question for you, perhaps you can help.

Some traffic on Anti-bot blade I am monitoring is currently allowing traffic through as Detect and not Prevent even though the gateway is set to 'Hold' and not 'Background'. The Threat Prevention policy is also set to Prevent. I found no exceptions that could interfere with this. On R80.30 btw


0 Kudos

Need to see the redacted log card for this event to assist. In the meantime, check the Activations tab for all the circled Protection classes below:

tp_activations.png


Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
0 Kudos

According to the log, the protection type is listed as 'DNS Reputation'.
In the menu you showed above, I do not have a protection with this name. I have only the ones you circled in red.
0 Kudos

Pretty sure DNS Reputation is part of "Reputation Domains" or possibly "Reputation IPs". And the Activations for these two categories are set to what for your TP profiles?

0 Kudos

Both categories are set to Prevent.

I did find another source that says that DNS Reputation will always be set to Detect and this config can't be changed.

Perhaps this is the cause?

https://community.checkpoint.com/t5/IPS-Anti-Virus-Anti-Bot-Anti/Threat-Prevention-is-Not-Block-DNS-...

0 Kudos