MattDunn inside IPS, Anti-Virus, and Anti-Bot yesterday
views 1022 9 1

IPS confusion

Hello,

Is somebody able to clear up some confusion over how IPS works please?

Customer has IPS enabled, using the "Recommended_Profile". The policy is set to prevent most stuff. When I look at the list of protections, under the "Recommended_Protection" column, the vast majority of protections are set to Prevent, either natively or from manual override. There are a small bunch set to Detect, and a small bunch as Inactive.

When I go to Logs & Monitor > General Overview, I see this:

Notice that the pie chart shows 94% as Detect, and only 6% as Prevent.

Notice also that the "Critical Attacks Allowed by Policy" box shows (I think?) that a number of critical severity attacks have been allowed to happen.

Now let's take one of them as an example... "SQL Servers UNION Query-based SQL Injection" has apparently been allowed to happen. But if I check the actual protection, it is set to Prevent. This is correct according to the policy, as it matches all of the performance, severity and confidence criteria to be automatically set to Prevent. So what's going on?

Why does the General Overview page seem to be so wildly different and wrong compared to what is configured in the policy? Why, for example, does it report that SQL UNION attack as being allowed according to the policy, when the actual policy states it is set to Prevent? And why is the pie chart showing so much Detect when in reality very few protections are set in Detect mode?

I presume there's an easy explanation that I'm not aware of?

Thanks,
Matt

Meltdown and Spectre bugs

Hi Guys,

Do you know if Checkpoints are affected by Meltdown and Spectre and if so, what is the timeframe for a patch being released?

Regards,
Octavian
PhoneBoy
inside IPS, Anti-Virus, and Anti-Bot Monday
views 564 1 4
Admin

How do I test if Anti-Bot and/or Anti-Virus is Working?

We offer a couple of test links you can access from behind your Security Gateway where Anti-Bot and Anti-Virus is working:

Anti-Virus Test -- Downloads the standard EICAR AV test file.
Anti-Bot Test -- Accesses a link that is flagged by the Anti-Bot blade as malicious. Shows as Check Point-Testing Bot in logs.

Related:

Threat Emulation Test -- A link to a DOC with an exploit that will not harm your computer. Will show as Exploited Document in logs.

IPS protect CVE-2019-0708 (Bluekeep)

Hi guys!

I'm trying to test CVE-2019-0708, a vulnerability in Remote Desktop Services ("BlueKeep"), and found nothing that the Check Point IPS blade will detect and protect against for this signature as it is. Anyone have experience with this before? Appreciate every comment.

Regards,
Sarm

IPS signature does not match with attack type

Hello everyone!

I'm using R80.20 in StandAlone mode in my test environment and doing some tests of the IPS blade feature.

IPS Scenarios Test
1. Using EternalBlue (MS17-010) exploit module in Metasploit in Kali Linux (Signature does not match correctly)
2. Using Microsoft Windows Remote Desktop protocol code execution (MS12-020) exploit module in Metasploit in Kali Linux (Signature is matched correctly)
3. Using Nikto Security Scanner in Kali Linux (Signature is matched correctly)
4. Using Internet Explorer same id property remote code execution (MS12-037) in Metasploit in Kali Linux (Signature is matched correctly)

Everything went smoothly as should be expected, but I found something that did not match in my test case. In this case, we are talking about the 1st scenario, using the EternalBlue (MS17-010) exploit module.

In my test case, I have two computer machines that are in different network subnets: one is Windows 7, which acts as the Victim, and the other is Kali Linux, which acts as the Attacker. The Victim machine is in network 192.168.210.0/24 and the Attacker is in network 172.168.210.0/24.

I will explain to you all regarding my test of IPS functionality.

The 1st screenshot is to search for the vulnerability that I wanted to test.
The 2nd screenshot is to scan and look up the vulnerability of the targeted host, and we found it!
The 3rd screenshot is to try to exploit the targeted host with the below commands to prove that the command can be used properly. It works!
The 4th screenshot: I tried to filter logs and found the traffic matched with what I was testing in the next step.
The 5th screenshot: now I turned on the IPS software blade to prevent this exploit of the vulnerability with the Optimized profile.

At this point, after policy installation completed, I should see the IPS blade prevent this exploit as the expected behavior and match one or more of the signatures that I filtered in the above screenshots. But this did not look like what I wanted: the IPS was able to block this exploitation, but with a different signature. The signature displayed in the logs view is Microsoft Windows NT Null CIFS Sessions, as in the screenshot below.

So I tried to change this protection from Drop to Inactive to verify if this changed the behavior. Now, I executed the exploit command test again and found that it was prevented by IPS with the correct signature.

From all I mentioned, I do not quite understand why it is being prevented by the Microsoft Windows NT Null CIFS Sessions signature, which is not the correct signature for the exploited vulnerability. Does anyone know about this behavior? Appreciate every comment.

Botnet Activity Detection

Hello dear,

The Check Point firewall detected botnet activity on one of our DNS servers, and another on a computer on the network. To my knowledge, the firewall is supposed to block such activity? How do I get rid of this infection? I launched the ESET Endpoint Security antivirus but nothing was found.

Discussion SMB scan problem

Dear all,

I want to discuss an SMB scan problem with you. I found a lot of scanning attacks via the Check Point FW, but all the scanning is only identified by the firewall session and is not identified by the TP module. Why is this? I found that no vendor's firewall can identify this kind of SMB scan. Thanks!
Vladimir
Vladimir inside IPS, Anti-Virus, and Anti-Bot Friday
views 1865 14

Cannot create exception for "Phishing_website.mzle" protection

I am on the verge of losing my cool after spending half a day on a seemingly trivial task of trying to create an exception for the Threat Prevention policy. The goal is to allow my client's PCs to receive the phishing training communication from KnowBe4. The vendor has three IPs, but each campaign generates new resources. Every time the client tries to go to the spoofed site, i.e. "gmail.net-login.com", the gateway promptly bags it with:

Time: 2019-04-30T19:18:48Z
Interface Direction: inbound
Interface Name: eth3
Id: c0a8071f-0100-00c0-5cc8-9f9800000001
Sequencenum: 1
Threat Prevention Policy: Clean_Slate
Threat Prevention Policy Date: 2019-04-30T19:17:59Z
Source: 10.101.30.101
Source Port: 50859
Destination Country: Israel
Destination: 62.0.58.94
Destination Port: 80
IP Protocol: 6
Session Identification Number: 0x5cc89f98,0x1,0x1f07a8c0,0xc0000001
Protection Name: Phishing_website.mzle
Description: Connection to DNS trap bogus IP. See sk74060 for more information.
Confidence Level: High
Severity: High
Malware Action: Malicious network activity
Protection Type: DNS Trap
Threat Prevention Rule Id: FE9921CA-B861-425E-B0F2-19A1D217EFAD
Protection ID: 0018B6567
Log ID: 2
Scope: 10.101.30.101
Source User Name: ADuser2 Two (aduser2@higherintelligence.com)
Source Machine Name: win10net30@higherintelligence.com
User: ADuser2 Two (aduser2@higherintelligence.com)
Action: Prevent
Type: Log
Policy Name: Clean_Slate
Policy Management: SMS8030EA
Db Tag: {BAC69145-F44A-4148-9603-7CEBB47B7A42}
Policy Date: 2019-04-30T14:32:16Z
Blade: Anti-Virus
Origin: GW8030EA
Service: TCP/80
Product Family: Threat
Resource: gmail.net-login.com
Marker: @A@@B@1556596801@C@31302
Log Server Origin: 192.168.7.30
Orig Log Server Ip: 192.168.7.30
Index Time: 2019-04-30T19:19:54Z
Lastupdatetime: 1556651989000
Lastupdateseqnum: 1
Rounded Sent Bytes: 0
Rounded Bytes: 0
Stored: true
Rounded Received Bytes: 0
Suppressed Logs: 21
Sent Bytes: 0
Received Bytes: 0
Interface: eth3
Description: 10.101.30.101 performed malicious network activity that was prevented with DNS Trap
Threat Profile: Go to profile
Bytes (sent\received): 0 B \ 0 B

Trying to exempt the traffic by negating the destination group in the TP rules, creating manual exemptions with either "Detect" or "Inactive", or doing the same by creating the exemptions from the logs, does not change the behavior. DNS trap is activated every time. Searching for the Protection Name "Phishing_website.mzle" in either "Protections" or IPS Protections does not help. The thing is not there. Even creating a Categorization Exception, as unfeasible as it is for this particular task, still does not work.

HELP!!!

Support Renewal Warning on Gateways

Hello,

I have 6 products in my environment: 4 Gateways and 2 Mgmt Servers. It is a DC/DR setup with 2 Gateways and 1 Mgmt in each Data Center. Suddenly I am getting a license expiration warning on the Anti-Virus and Anti-Bot blades on 2 of the 4 Gateways only. When I checked SmartAccount, along with the built-in blades there are additional blades with 2-year support for the Anti-Virus and Anti-Bot blades available.

My question is why I am getting this warning on only 2 of the 4 gateways. Also, as I can see additional blades available in the account, will they be incorporated automatically once the built-in ones expire? What are the after-effects of the license/support expiration? Will it affect the production environment?

Thanks
parfuar
parfuar inside IPS, Anti-Virus, and Anti-Bot a week ago
views 881 5 1

IPS conditions to generate alert

Hi,

I have a doubt. Is there any way we can validate the conditions of an IPS protection? I have found some false positives in IPS signatures, and I would like to see the reason (conditions) for generating the alert.

Thanks
Steven_Lucas
Steven_Lucas inside IPS, Anti-Virus, and Anti-Bot 2 weeks ago
views 513 2 1

DNS Reputation Exception

I am trying to whitelist a single domain for DNS Reputation prevents. Currently, it seems like the only option is to make exceptions for all of our DNS servers, effectively turning off DNS Reputation checks for DNS lookups in our company. The domain is an employee awareness training link for phishing that is publicly available, so it technically is a phishing site and should not necessarily be re-categorized, but we'd like to whitelist it for our company during our phishing tests.

Has anyone ever had to do this before?
Peter_Elmer
inside IPS, Anti-Virus, and Anti-Bot 2 weeks ago
views 1180 1 10
Employee

R80.30 Packet Processing - Achieving Infinity

This video explains the packet processing architecture enforcing the Infinity Gen V prevention functionalities NGTX. You will understand how SecureXL, CoreXL and Multi-Queue handle packet streams and how the NGTX engine applies security. The packet processing explained here is valid as well for R80.10 and R80.20. In the video you will find references to recommended SecureKnowledge articles used as a source for this video.
SantiagoPlatero
SantiagoPlatero inside IPS, Anti-Virus, and Anti-Bot 2 weeks ago
views 3659 14 4

SMTP encrypted session bypassed, yet attachments are emulated

Hi community, long time no see (dunno why these days I can't login to CheckMates). I'm seeing some strange things in the Firewall and Threat Emulation logs, but first some context:

- R80.20 GA Management
- R80.10 Security Gateway, with Threat Emulation blade enabled (emulation occurs in the Check Point Cloud), MTA enabled, and the SSL certificate of our local antispam imported to inspect TLS SMTP connections

The incoming email flow for our organization is like this:

- The MX entries for our mail domain have as their highest priority some servers provided by TrendMicro (the service is called TrendMicro Cloud Pre-Filter), which basically work as a cloud antispam and receive the mails on a TLS session
- Then the cloud MTA forwards the email to our local antispam (also a TrendMicro VM appliance deployed in our DMZ) on a TLS session, which also analyzes the incoming mail and then forwards it to the Security Gateway (also on a TLS session, and if I'm not wrong it uses the SSL certificate I imported to the Security Gateway)
- The Security Gateway does its thing and forwards the mail to the MS Exchange, and the mail then arrives at the client

The strange thing is I have a lot (A LOT) of SMTP traffic bypassed logs (encrypted session) in the Security Gateway, but I also have logs of the attachments of these TLS connections being emulated, so it appears the Security Gateway can't decrypt the TLS connection, but at the same time it's capable of stripping the attachment to upload for emulation?!

The header of some test mail I sent shows the connection between our antispam and the Security Gateway is in fact TLS, and then I have a bypass log for the same email session:

X-MTA-CheckPoint: {5BBF4235-0-A00A8C0-129C07B6}
Received: from myantispam (unknown [10.10.0.4]) by Security Gateway (Postfix) with ESMTPS id ACFF41B0FA6 for <splatero@domain.com.ar>; Thu, 11 Oct 2018 09:29:41 -0300 (ART)

The SMTP bypass log:

Time: 2018-10-11T12:29:42Z
Interface Direction: outbound
Interface Name: eth2
Email Control: SMTP Policy Restrictions
Email Session ID: 5BBF4235-7-A00A8C0-C0000001
Information: Encrypted session
Source: 10.10.0.4
Source Port: 43182
Destination: 10.10.0.10
Destination Port: 25
IP Protocol: 6
Action: Bypass
Type: Log
Blade: Firewall
Service: TCP/25
Product Family: Access
Interface: eth2
Description: smtp Traffic Bypassed from (10.10.0.4) to 10.10.0.10

The TE log:

Time: 2018-10-11T12:29:46Z
Source: 10.10.0.4
Destination: 192.168.0.10
IP Protocol: 6
Destination Port: 25
Threat Prevention Rule Id: DA846A34-636B-4B7A-A75C-0F72DC130D1E
Scope: 192.168.0.10
File Name: test.pdf
File Type: pdf
File Size: 215615
File MD5: 265c632b5d24d09f1e20d763ab8f3ee4
File SHA1: a6e5d9577005cbb3e2ad013ee71d4baf85a2d299
File Sha256: 361d4f8bc67527b1e9d2231cc340a53a09d7935f4c9af99923f62227bd29ddda
Verdict: Benign
Analyzed On: Check Point Threat Cloud
Determined By: Win7,Office 2013,Adobe 11: static analysis. WinXP,Office 2003/7,Adobe 9: static analysis.
Protection Type: SMTP Emulation

Note: some log fields were deleted or modified to keep the confidentiality of the organization.

So, the main question is: should I ignore the SMTP bypassed logs, or am I missing something? My fear is I could be missing some potentially malicious attachment on incoming SMTP TLS traffic flows.

Thanks mates.
Departament_Sis
Departament_Sis inside IPS, Anti-Virus, and Anti-Bot 2 weeks ago
views 187 2 1

Policy Violation on MTA with Threat Emulation/Extraction

Hi mates!

This is my very first post, so I'll try to do my best.

We are facing a strange issue where, immediately after enabling the Threat Emulation and Threat Prevention blades (along with the MTA) on the Check Point cluster, all mail traffic flow stops.

Our mail flow setup consists of 2 Exchange 2010 Edge Transport servers in our DMZ and 2 Exchange Hub Transport servers in the internal security zone, all of them connected with an Edge Subscription. All security zones are connected via our 15400 two-node ClusterXL, on R80.10.

The behavior is really strange because when we enable the blades and the MTA, all mail queues stop delivering and the Exchange queue viewer shows a "POLICY VIOLATION" error.

Please don't hesitate to ask for further information. Lots of thanks
MKnox
MKnox inside IPS, Anti-Virus, and Anti-Bot 2 weeks ago
views 324 5

"Release Date" and "Update Date" column of the IPS Signature Export formatting incorrectly

Hello, this is my first post, so apologies if posted in an incorrect category. Is there a way to configure the date format in SmartConsole prior to exporting to CSV?

When I export the IPS signatures from the R80.10 dashboard, the CSV output appears to be generated with two formats in the Release/Update Date columns (columns C & D). I don't recall having this issue in R77. The dashboard view within SmartConsole shows the date format to be DD/MM/YYYY, yet only a subset of the exported signatures follow this format. The other signatures appear to be formatted as MM/DD/YYYY. Along with the mismatched date formats, the values are input differently as well, either as MM/DD/YYYY or DD-MM-YY. This makes filtering the output challenging, as I see some release dates coming up as December 2, 2019 when it should be February 12, 2019. Formatting the columns after the export doesn't appear to affect the way Excel interprets the values (there may be a setting in Excel to address this; if so, please let me know. My Excel limitations are just not familiar ones).

Thank you in advance,
Marcus