
IPS protect CVE-2019-0708 (Bluekeep)

Hi guys! I'm trying to test CVE-2019-0708, a vulnerability in Remote Desktop Services ("BlueKeep"), and found nothing indicating that the Check Point IPS blade will detect and protect against this signature as it is. Does anyone have experience with this? I appreciate every comment. Regards, Sarm

IPS signature does not match with attack type

Hello everyone! I'm using R80.20 in StandAlone mode in my test environment and doing some tests of the IPS blade feature.

IPS scenarios tested:
1. Using the EternalBlue (MS17-010) exploit module in Metasploit on Kali Linux (signature does not match correctly)
2. Using the Microsoft Windows Remote Desktop Protocol code execution (MS12-020) exploit module in Metasploit on Kali Linux (signature is matched correctly)
3. Using the Nikto security scanner on Kali Linux (signature is matched correctly)
4. Using the Internet Explorer same id property remote code execution (MS12-037) module in Metasploit on Kali Linux (signature is matched correctly)

Everything went smoothly as expected, but I found something that did not match in my test case. In this case we are talking about the 1st scenario, using the EternalBlue (MS17-010) exploit module. In my test case I have two machines in different network subnets: one is Windows 7, which acts as the victim, and the other is Kali Linux, which acts as the attacker, where the victim machine is in one network and the attacker is in the other. I will explain my IPS functionality test to you all.

The 1st screenshot is the search for the vulnerability that I wanted to test. The 2nd screenshot is the scan and lookup of the vulnerability on the targeted host, and we found it! The 3rd screenshot is the attempt to exploit the targeted host with the commands below, to prove that the command works properly. It works! The 4th screenshot: I filtered the logs and found the traffic matched with what I was testing in the next step. The 5th screenshot: now I turned on the IPS software blade to prevent this exploit of the vulnerability with the Optimized profile.

At this point, after policy installation completed, I should see the IPS blade prevent this exploit as expected and match one or more of the signatures that I filtered in the screenshots above. But it did not look like what I wanted: the IPS was able to block this exploitation, but with a different signature. The signature displayed in the logs view is Microsoft Windows NT Null CIFS Sessions, as in the screenshot below. So I tried to change this protection from Drop to Inactive to verify whether this changed the behavior. Now I executed the exploit command again and found that it was prevented by IPS with the correct signature. From all I mentioned, I do not quite understand why it is prevented by the Microsoft Windows NT Null CIFS Sessions signature, which is not the correct signature for the exploited vulnerability. Does anyone know about this behavior? I appreciate every comment.
Junior inside IPS, Anti-Virus, and Anti-Bot yesterday
views 174 4

Botnet Activity Detection

Hello, the Check Point firewall detected botnet activity on one of our DNS servers, and another on a computer on the network. To my knowledge the firewall is supposed to block such activity? How do I get rid of this infection? I ran the ESET Endpoint Security antivirus but it found nothing.

Discussion SMB scan problem

Dear all, I want to discuss an SMB scan problem with you. I found a lot of scanning attacks in the Check Point firewall, but all the scans are only identified as firewall sessions and not identified by the TP module. Why is this? I found that all vendors' firewalls cannot identify this kind of SMB scan. Thanks!
Vladimir inside IPS, Anti-Virus, and Anti-Bot Friday
views 1858 14

Cannot create exception for "Phishing_website.mzle" protection

I am on the verge of losing my cool after spending half a day on the seemingly trivial task of trying to create an exception for the Threat Prevention policy. The goal is to allow my client's PCs to receive the phishing training communication from KnowBe4. The vendor has three IPs, but each campaign generates new resources. Every time the client tries to go to the spoofed site, i.e. "", the gateway promptly bags it with:

Time: 2019-04-30T19:18:48Z
Interface Direction: inbound
Interface Name: eth3
Id: c0a8071f-0100-00c0-5cc8-9f9800000001
Sequencenum: 1
Threat Prevention Policy: Clean_Slate
Threat Prevention Policy Date: 2019-04-30T19:17:59Z
Source: Port: 50859
Destination Country: Israel
Destination: Port: 80
IP Protocol: 6
Session Identification Number: 0x5cc89f98,0x1,0x1f07a8c0,0xc0000001
Protection Name: Phishing_website.mzle
Description: Connection to DNS trap bogus IP. See sk74060 for more information.
Confidence Level: High
Severity: High
Malware Action: Malicious network activity
Protection Type: DNS Trap
Threat Prevention Rule Id: FE9921CA-B861-425E-B0F2-19A1D217EFAD
Protection ID: 0018B6567
Log ID: 2
Scope: User Name: ADuser2 Two ( Machine Name: win10net30@higherintelligence.com
User: ADuser2 Two (
PreventType: Log
Policy Name: Clean_Slate
Policy Management: SMS8030EA
Db Tag: {BAC69145-F44A-4148-9603-7CEBB47B7A42}
Policy Date: 2019-04-30T14:32:16Z
Blade: Anti-Virus
Origin: GW8030EA
Service: TCP/80
Product Family: Threat
Resource: @A@@B@1556596801@C@31302
Log Server Origin:
Log Server Ip:
Time: 2019-04-30T19:19:54Z
Lastupdatetime: 1556651989000
Lastupdateseqnum: 1
Rounded Sent Bytes: 0
Rounded Bytes: 0
Stored: true
Rounded Received Bytes: 0
Suppressed Logs: 21
Sent Bytes: 0
Received Bytes: 0
Interface: eth3
Description: performed malicious network activity that was prevented with DNS Trap
Threat Profile: Go to profile
Bytes (sent\received): 0 B \ 0 B

Trying to exempt the traffic by negating the destination group in the TP rules, creating manual exemptions with either "Detect" or "Inactive", and doing the same by creating the exemptions from the logs, does not change the behavior. The DNS trap is activated every time. Searching for the Protection Name "Phishing_website.mzle" in either "Protections" or IPS Protections does not help. The thing is not there. Even creating a Categorization Exception, as unfeasible as it is for this particular task, still does not work. HELP!!!

Support Renewal Warning on Gateways

Hello, I have 6 products in my environment: 4 gateways and 2 management servers. It is a DC/DR setup with 2 gateways and 1 management server in each data center. Suddenly I am getting a license expiration warning on the Anti-Virus and Anti-Bot blades on 2 of the 4 gateways only. When I checked SmartAccount, along with the built-in blades there are additional blades with 2-year support for the Anti-Virus and Anti-Bot blades available. My question is why I am getting this warning on only 2 of the 4 gateways; also, as I can see additional blades available in the account, will they be incorporated automatically once the built-in ones expire? What are the after-effects of the license/support expiration? Will it affect the production environment? Thanks
parfuar inside IPS, Anti-Virus, and Anti-Bot a week ago
views 877 5 1

IPS conditions to generate alert

Hi, I have a doubt. Is there any way we can validate the conditions of an IPS protection? I have found some false positives in IPS signatures, and I would like to see the reason (conditions) for generating the alert. Thanks
Steven_Lucas inside IPS, Anti-Virus, and Anti-Bot a week ago
views 511 2 1

DNS Reputation Exception

I am trying to white-list a single domain for DNS Reputation prevents. Currently, it seems like the only option is to make exceptions for all of our DNS servers, effectively turning off DNS Reputation checks for DNS lookups in our company. The domain is an employee awareness training site for phishing that is publicly available, so it technically is a phishing site and should not necessarily be re-categorized, but we'd like to whitelist it for our company during our phishing tests. Has anyone ever had to do this before?
inside IPS, Anti-Virus, and Anti-Bot a week ago
views 1129 1 10

R80.30 Packet Processing - Achieving Infinity

This video explains the packet processing architecture that enforces the Infinity Gen V prevention functionality (NGTX). You will understand how SecureXL, CoreXL and Multi-Queue handle packet streams and how the NGTX engine applies security. The packet processing explained here is also valid for R80.10 and R80.20. In the video you will find references to the recommended SecureKnowledge articles used as sources for this video.
SantiagoPlatero inside IPS, Anti-Virus, and Anti-Bot 2 weeks ago
views 3645 14 4

SMTP encrypted session bypassed, yet attachments are emulated

Hi community, long time no see (dunno why I can't log in to CheckMates these days). I'm seeing some strange things in the Firewall and Threat Emulation logs, but first some context:
- R80.20 GA Management
- R80.10 Security Gateway, with the Threat Emulation blade enabled (emulation occurs in the Check Point cloud), MTA enabled, and the SSL certificate of our local antispam imported to inspect TLS SMTP connections

The incoming email flow for our organization is like this:
- The MX entries for our mail domain have as their highest priority some servers provided by TrendMicro (the service is called TrendMicro Cloud Pre-Filter), which basically work as a cloud antispam and receive the mails over a TLS session
- Then the cloud MTA forwards the email to our local antispam (also a TrendMicro VM appliance deployed in our DMZ) over a TLS session, which also analyzes the incoming mail and then forwards it to the Security Gateway (also over a TLS session, and if I'm not wrong it uses the SSL certificate I imported to the Security Gateway)
- The Security Gateway does its thing and forwards the mail to MS Exchange, and the mail then arrives at the client

The strange thing is I have a lot (A LOT) of SMTP traffic bypassed logs (encrypted session) in the Security Gateway, but I also have logs of the attachments of these TLS connections being emulated, so it appears the Security Gateway can't decrypt the TLS connection, but at the same time it's capable of stripping the attachment to upload for emulation?!

The header of a test mail I sent shows the connection between our antispam and the Security Gateway is in fact TLS, and then I have a bypass log for the same email session:

X-MTA-CheckPoint: {5BBF4235-0-A00A8C0-129C07B6}
Received: from myantispam (unknown []) by Security Gateway (Postfix) with ESMTPS id ACFF41B0FA6 for <>; Thu, 11 Oct 2018 09:29:41 -0300 (ART)

The SMTP bypass log:
Time: 2018-10-11T12:29:42Z
Interface Direction: outbound
Interface Name: eth2
Email Control: SMTP Policy Restrictions
Email Session ID: 5BBF4235-7-A00A8C0-C0000001
Information: Encrypted session
Source: Port: 43182
Destination: Port: 25
IP Protocol: 6
Action: Bypass
Type: Log
Blade: Firewall
Service: TCP/25
Product Family: Access
Interface: eth2
Description: smtp Traffic Bypassed from ( to

The TE log:
Time: 2018-10-11T12:29:46Z
Source:
Protocol: 6
Destination Port: 25
Threat Prevention Rule Id: DA846A34-636B-4B7A-A75C-0F72DC130D1E
Scope:
Name: test.pdf
File Type: pdf
File Size: 215615
File MD5: 265c632b5d24d09f1e20d763ab8f3ee4
File SHA1: a6e5d9577005cbb3e2ad013ee71d4baf85a2d299
File Sha256: 361d4f8bc67527b1e9d2231cc340a53a09d7935f4c9af99923f62227bd29ddda
Verdict: Benign
Analyzed On: Check Point Threat Cloud
Determined By: Win7,Office 2013,Adobe 11: static analysis. WinXP,Office 2003/7,Adobe 9: static analysis.
Protection Type: SMTP Emulation

Note: some log fields were deleted or modified to keep the confidentiality of the organization.

So, the main question is: should I ignore the SMTP bypassed logs, or am I missing something? My fear is I could be missing some potentially malicious attachment in incoming SMTP TLS traffic flows. Thanks, mates.
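The post above relies on reading the Received: chain of a test mail to decide which hop was TLS. As an added example, not code from the original post or from any vendor, here is a small Python parser that unfolds the headers, extracts each hop and flags the ones whose "with" keyword does not imply TLS (per RFC 3848, ESMTPS/ESMTPSA mean a TLS session; plain ESMTP does not). The sample header block is constructed for the example and modelled on the single Received line quoted in the post: the hostnames gw.example.test and prefilter.example.test, the 192.0.2.x addresses and the second hop's id are placeholders, not values from the post.

```python
import re

# RFC 3848 / RFC 6531 "with" keywords that mean the hop used TLS; plain ESMTP/SMTP did not.
TLS_WITH_KEYWORDS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}

# Minimal Received: clause parser: "from <host> ... by <host> ... with <protocol>".
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>\S+)",
    re.IGNORECASE)


def unfold_headers(raw):
    """Join folded continuation lines (RFC 5322: leading SP/HTAB) onto the header they belong to."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def received_hops(raw):
    """Parse every Received: header. The first entry is the most recent hop (closest to us)."""
    hops = []
    for line in unfold_headers(raw):
        m = RECEIVED_RE.match(line)
        if m:
            proto = m.group("proto").upper()
            hops.append({"from": m.group("frm"), "by": m.group("by"),
                         "with": proto, "tls": proto in TLS_WITH_KEYWORDS})
    return hops


def cleartext_hops(raw):
    """Hops that were not protected by TLS according to their own Received: stamp."""
    return [h for h in received_hops(raw) if not h["tls"]]


# Constructed sample (not a real capture): hop 1 mirrors the post's ESMTPS line,
# hop 2 is a deliberately plain ESMTP hop so the filter has something to flag.
SAMPLE_HEADERS = """\
X-MTA-CheckPoint: {5BBF4235-0-A00A8C0-129C07B6}
Received: from myantispam (unknown [192.0.2.20])
\tby gw.example.test (Postfix) with ESMTPS id ACFF41B0FA6
\tfor <user@example.test>; Thu, 11 Oct 2018 09:29:41 -0300 (ART)
Received: from prefilter.example.test (unknown [192.0.2.10])
\tby myantispam (Postfix) with ESMTP id 0123456789AB
\tfor <user@example.test>; Thu, 11 Oct 2018 09:29:40 -0300 (ART)
Subject: test
"""

if __name__ == "__main__":
    for hop in received_hops(SAMPLE_HEADERS):
        print(f"{hop['from']:>24} -> {hop['by']:<16} {hop['with']:<8} tls={hop['tls']}")
    print("cleartext hops:", [h["from"] for h in cleartext_hops(SAMPLE_HEADERS)])
```

Only the hop that terminates on the MTA itself can be trusted, since each upstream server writes its own Received: stamp; the parser is still useful for confirming which upstream hops at least claim STARTTLS.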
MattDunn inside IPS, Anti-Virus, and Anti-Bot 2 weeks ago
views 958 6

IPS confusion

Hello, is somebody able to clear up some confusion over how IPS works, please? The customer has IPS enabled, using the "Recommended_Profile". The policy is set to prevent most stuff. When I look at the list of protections, under the "Recommended_Protection" column, the vast majority of protections are set to Prevent, either natively or from manual override. There are a small bunch set to Detect, and a small bunch as Inactive. When I go to Logs & Monitor > General Overview, I see this: Notice that the pie chart shows 94% as Detect, and only 6% as Prevent. Notice also that the "Critical Attacks Allowed by Policy" box shows (I think?) that a number of critical severity attacks have been allowed to happen. Now let's take one of them as an example: "SQL Servers UNION Query-based SQL Injection" has apparently been allowed to happen. But if I check the actual protection, it is set to Prevent. This is correct according to the policy, as it matches all of the performance, severity and confidence criteria to be automatically set to Prevent. So what's going on? Why does the General Overview page seem to be so wildly different and wrong compared to what is configured in the policy? Why, for example, does it report that SQL UNION attack as being allowed according to the policy, when the actual policy states it is set to Prevent? And why is the pie chart showing so much Detect when in reality very few protections are set in Detect mode? I presume there's an easy explanation that I'm not aware of? Thanks, Matt
Departament_Sis inside IPS, Anti-Virus, and Anti-Bot 2 weeks ago
views 185 2 1

Policy Violation on MTA with Threat Emulation/Extraction

Hi mates! This is my very first post, so I'll try to do my best. We are facing a strange issue where immediately after enabling the Threat Emulation and Threat Prevention blades (along with the MTA) on the Check Point cluster, all mail traffic flow stops. Our mail flow setup consists of 2 Exchange 2010 Edge Transport servers in our DMZ and 2 Exchange Hub Transport servers in the internal security zone, all of them connected with an Edge Subscription. All security zones are connected via our 15400 two-node ClusterXL, on R80.10. The behavior is really strange because when we enable the blades and the MTA, all mail queues stop delivering and the Exchange queue viewer shows a "POLICY VIOLATION" error. Please don't hesitate to ask for further information. Lots of thanks
MKnox inside IPS, Anti-Virus, and Anti-Bot 2 weeks ago
views 320 5

"Release Date" and "Update Date" column of the IPS Signature Export formatting incorrectly

Hello, this is my first post, so apologies if posted in an incorrect category. Is there a way to configure the date format in SmartConsole prior to exporting to CSV? When I export the IPS signatures from the R80.10 dashboard, the CSV output appears to be generated with two formats in the Release/Update Date columns (columns C & D). I don't recall having this issue in R77. The dashboard view within SmartConsole shows the date format to be DD/MM/YYYY, yet only a subset of the exported signatures follow this format. The other signatures appear to be formatted as MM/DD/YYYY. Along with the mismatched date formats, the values are input differently as well, either as MM/DD/YYYY or DD-MM-YY. This makes filtering the output challenging, as some release dates come up as December 2, 2019 when they should be February 12, 2019. Formatting the columns after the export doesn't appear to affect the way Excel interprets the values (there may be a setting in Excel to address this; if so, please let me know, as I am just not that familiar with Excel). Thank you in advance, Marcus
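One way to make such an export filterable without fighting Excel's date guessing is to normalise the date columns to ISO 8601 before opening the file. The script below is an added example, not code from the post or from Check Point: it tries each cell against the three layouts the post describes (DD/MM/YYYY, MM/DD/YYYY, DD-MM-YY), prefers the DD/MM/YYYY reading the dashboard shows, and flags cells such as 12/02/2019 that parse to two different dates so they can be checked by hand. The column names "Protection", "Severity", "Release Date" and "Update Date" and the sample rows are assumptions made for the example; the real export's header may differ and is passed in via date_columns.

```python
import csv
import io
from datetime import datetime

# The dashboard shows DD/MM/YYYY, but the export mixes that with MM/DD/YYYY and DD-MM-YY
# (as described in the post), so each cell is tried against all three layouts.
PREFERRED = "%d/%m/%Y"
CANDIDATE_FORMATS = ("%d/%m/%Y", "%m/%d/%Y", "%d-%m-%y")


def normalise_date(text):
    """Return (iso_date_or_None, ambiguous).

    ambiguous is True when the cell parses to two *different* calendar dates
    (e.g. 12/02/2019 is 12 Feb or 2 Dec); a day above 12 settles it, a dash
    layout is always DD-MM-YY, and an unparseable cell returns (None, False)."""
    readings = {}
    for fmt in CANDIDATE_FORMATS:
        try:
            readings[fmt] = datetime.strptime(text.strip(), fmt).date()
        except ValueError:
            continue
    if not readings:
        return None, False
    chosen = readings.get(PREFERRED, next(iter(readings.values())))
    return chosen.isoformat(), len(set(readings.values())) > 1


def normalise_export(csv_text, date_columns=("Release Date", "Update Date"), key="Protection"):
    """Rewrite the date columns of an exported signature list to ISO 8601.

    Returns (rows, flagged): rows are dicts with dates replaced, flagged lists
    (key value, column, chosen ISO date) for cells that stayed ambiguous."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows, flagged = [], []
    for row in reader:
        for col in date_columns:
            iso, ambiguous = normalise_date(row[col])
            if iso is not None:
                row[col] = iso
            if ambiguous:
                flagged.append((row[key], col, iso))
        rows.append(row)
    return rows, flagged


def to_csv(rows):
    """Serialise the normalised rows back to CSV text (same column order as the input)."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


# Constructed sample export (column names and dates assumed for the example).
SAMPLE_EXPORT = """Protection,Severity,Release Date,Update Date
SQL Servers UNION Query-based SQL Injection,Critical,30/04/2019,12/02/2019
Microsoft Windows NT Null CIFS Sessions,Medium,04/30/2019,12-02-19
"""

if __name__ == "__main__":
    rows, flagged = normalise_export(SAMPLE_EXPORT)
    print(to_csv(rows))
    for name, col, iso in flagged:
        print(f"CHECK MANUALLY: {name!r} {col} read as {iso} (day/month ambiguous)")
```

Once the dates are ISO strings, Excel and any filter sort them correctly regardless of the machine's locale; the flagged list is the residue that no script can resolve, since "12/02/2019" simply carries no hint of which field is the month.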
Don_Paterson inside IPS, Anti-Virus, and Anti-Bot 2 weeks ago
views 356 2 2


Does anyone know anything about Check Point maybe working with JA3 yet, or plans around this?

References:
A new method of TLS fingerprinting was recently put together called JA3. Rather than simply looking at the certificate used, JA3 parses multiple fields set in the TLS Client Hello packet sent during the SSL handshake. The resulting fingerprint can then be used to identify, log, alert and/or block specific traffic. JA3 looks at the Client Hello packet in the SSL handshake in order to gather the SSL version and list of supported ciphers. If supported by the client, it will also use all supported SSL extensions, all supported Elliptic Curves, and finally the Elliptic Curve Point Format.
GitHub - salesforce/ja3: JA3 is a standard for creating SSL client fingerprints in an easy to produce and shareable way.
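To make the fingerprint described above concrete, here is an added Python example (not code from the post, from Check Point or from the salesforce/ja3 repository) that parses a TLS ClientHello record and computes the JA3 string and its MD5 in the published format: SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats, decimal values, "-" between values, "," between fields, GREASE values dropped. The ClientHello it fingerprints is built by the script itself; the cipher, extension and group values are chosen for illustration (including GREASE entries so the filtering is visible) and do not reproduce any particular browser.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from every JA3 field, as the JA3 spec requires.
GREASE = {(g << 8) | g for g in range(0x0A, 0x100, 0x10)}


def _u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]


def _u16_list(buf):
    """Decode a buffer of big-endian uint16 values (ignores a trailing odd byte)."""
    return [_u16(buf, i) for i in range(0, len(buf) - len(buf) % 2, 2)]


def ja3_from_record(record):
    """Return (ja3_string, ja3_md5) for a TLS record carrying a ClientHello.
    Raises ValueError for anything that is not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = _u16(body, pos); pos += 2
    pos += 32                                   # client random
    pos += 1 + body[pos]                        # session id
    cs_len = _u16(body, pos); pos += 2
    ciphers = _u16_list(body[pos:pos + cs_len]); pos += cs_len
    pos += 1 + body[pos]                        # compression methods
    extensions, curves, point_formats = [], [], []
    if pos + 2 <= len(body):                    # the extensions block is optional
        ext_end = pos + 2 + _u16(body, pos); pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack_from("!HH", body, pos); pos += 4
            data = body[pos:pos + elen]; pos += elen
            extensions.append(etype)
            if etype == 10 and len(data) >= 2:          # supported_groups
                curves = _u16_list(data[2:2 + _u16(data, 0)])
            elif etype == 11 and len(data) >= 1:        # ec_point_formats
                point_formats = list(data[1:1 + data[0]])

    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    ja3 = ",".join([str(version), field(ciphers), field(extensions),
                    field(curves), field(point_formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def build_client_hello(version, ciphers, extensions=None):
    """Build a minimal ClientHello record (constructed test input, not a real capture).
    extensions: list of (type, data) tuples, or None for a hello without an extensions block."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00"      # version, random, empty session id
    hello += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    hello += b"\x01\x00"                                         # one compression method: null
    if extensions is not None:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sample_hello():
    """A browser-like TLS 1.2/1.3 ClientHello with GREASE in ciphers, extensions and groups."""
    groups = struct.pack("!H", 8) + struct.pack("!HHHH", 0x0A0A, 0x001D, 0x0017, 0x0018)
    return build_client_hello(
        0x0303,
        [0x1A1A, 0x1301, 0x1302, 0xC02B, 0xC02F],
        [(0x2A2A, b""),                                  # GREASE extension
         (0, b"\x00\x11\x00\x00\x0eclient.example"),     # server_name
         (10, groups),                                   # supported_groups (with GREASE)
         (11, b"\x01\x00"),                              # ec_point_formats: uncompressed
         (13, b"\x00\x04\x04\x03\x08\x04"),              # signature_algorithms
         (16, b"\x00\x03\x02h2"),                        # ALPN
         (43, b"\x02\x03\x04"),                          # supported_versions: TLS 1.3
         (0xFAFA, b"\x00")])                             # GREASE extension


if __name__ == "__main__":
    print(*ja3_from_record(sample_hello()))
    print(*ja3_from_record(build_client_hello(0x0301, [0x002F, 0x0035])))
```

The second call shows the documented edge case: a ClientHello with no extensions block still yields all five fields, the last three empty ("769,47-53,,,"). Because the hash is over the decimal string, two tools that disagree on GREASE handling or field order produce different digests for the same client, which is worth remembering before comparing a gateway's value against a public JA3 list.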
MattDunn inside IPS, Anti-Virus, and Anti-Bot 2 weeks ago
views 279 1

Original Files - restoring to new gateway

Hi, I have an R77.30 gateway running TEX, with the gateway configured as an MTA. When a mail is cleaned, the original mail is stored on the gateway. I need to install bigger HDDs in the gateway, so it'll need a fresh install. I want to take that opportunity to upgrade to R80.x at the same time. Is it simply a case of copying the files off the current R77.30 disk, then copying them back to the newly rebuilt R80.x disk, or is there some kind of index that needs to be rebuilt on the new server for users to be able to click their link to access the original file again? Thanks, Matt