Vladimir
Vladimir inside IPS, Anti-Virus, and Anti-Bot yesterday
views 37 1

Identifying server type specific protections

When we define a server type, there is a subset of specific protections that should be activated for those, that may be different from those activated by default in the profile definitions. Is there a way to identify these protections in advance? Thank you, Vladimir
Vladimir
Vladimir inside IPS, Anti-Virus, and Anti-Bot yesterday
views 34 1

Disable applications requiring HTTPS inspection from being shown as choices.

When the URLF/App Control blade is enabled, we are presented with the large selection of the applications and widgets that could be used in the policies. Unfortunately, when HTTPS inspection is not enabled, a lot of those are not taking effect and we are made aware of this fact during policy installation notification. Is there a way to suppress non-applicable choices from being displayed or for them to be grayed-out? Thank you, Vladimir

IPS ver2 signatures

Hello CheckMates, I often notice multiple versions of the same signature (same CVE), but marked with '- ver2' at the end of the name. Should this be considered an improved signature of the original (hence it's better to make the normal one Inactive and use the ver2 one), or should this be considered more like a different attack vector for the same vulnerability? It's a bit confusing since the old signatures don't get disabled or get something added in their description to clarify. Other times I see improved signatures marked explicitly with '- High confidence' or '- Improved confidence' at the end of the name. So I decided I might as well go and ask 🙂 Kind regards, Nik Bloemers
Employee

Deleting a single SNORT Protection

Team, I have a customer who has been using SNORT protections for a while and they recently updated some more SNORT protections but now they want to delete a single SNORT protection. Is this possible? Looking at the admin guide it seems like we can only delete all the snort protections at once. Please advise of any workarounds available!
Diego_Vigano
Diego_Vigano inside IPS, Anti-Virus, and Anti-Bot Thursday
views 327 11 1

Anti-Bot protection "Trojan.Win32.Password-Unencrypted.A"

Hi, yesterday, during the automatic scheduled update, a protection named "Trojan.Win32.Password-Unencrypted.A" was installed, blocking all http connections. As a workaround I changed the protection from "prevent" to "detect". Now, I can't find the protection in my database nor in the wiki. What happened? How can I know if the protection was retired? kr, Diego

High bandwidth consumed by blocked traffic in Smart Event Report

Hi Everyone, the Smart Event report is showing blocked traffic consuming heavy bandwidth, which is shown in the high bandwidth category. We are not able to comprehend why it is being shown in the high bandwidth application category, and is our internet traffic affected by Check Point blocking rules? A screenshot is attached herewith.

Is there SNI support for inbound HTTPS inspection in R80.20?

Hi, on gws R80.20 can I do HTTPS inspection on inbound connections that require SNI, since on the server there are some virtual hosts with different certificates? If yes, how? Thanks in advance
Employee+

IPS Protection available for critical Windows vulnerability (CVE-2019-0708)- Protect Yourself NOW

***IPS PROTECTION NOW AVAILABLE*** Check Point has released an IPS protection (Severity: Critical) for CVE-2019-0708 as an immediate response, and it is added to our previous recommendations to patch vulnerable systems and disable RDP if not needed. See full details: https://www.checkpoint.com/defense/advisories/public/2019/cpai-2019-0657.html Previous recommendations
Tal_Eisner
inside IPS, Anti-Virus, and Anti-Bot Tuesday
views 2303 1 5
Employee+

Critical Vulnerability in Windows OS (CVE-2019-0708) - Announcement - ***UPDATED***

Critical Vulnerability in Windows OS - Code execution using Remote Desktop Protocol (CVE-2019-0708) ****IPS protection NOW AVAILABLE****

In Brief
In the last few days, Microsoft has released information about a critical vulnerability in the Windows operating system (CVE-2019-0708). This vulnerability allows remote code execution by an attacker directly from the network using the Remote Desktop Protocol (RDP) in Remote Desktop Services, and affects older versions of Windows used by many users worldwide. This attack may affect many computers in every sector and industry including finance, healthcare, government, retail, industrial and others.

Key Risks:
An arbitrary attacker from the net can carry out a complete takeover of a private PC within public networks, such as Wi-Fi hotspots.
Embedded devices such as ATMs or IoT devices are most vulnerable to takeover.
PCs within an organization's network are also vulnerable to takeover using lateral movement within the network.

Why Is This So Important?
As this vulnerability is placed at the pre-authentication stage and does not require any user interaction, it would allow any arbitrary attacker on the internet to execute malicious code on a victim's private system and allow for a total takeover of a PC within any network, such as Wi-Fi hotspots, public networks and private and corporate networks. According to Microsoft, in order to exploit this vulnerability, an attacker would have to send a specially tailored request to the target system's Remote Desktop Service via RDP. Given the nature of the vulnerability, once a host is infected there is great risk of lateral movement to infect other connected hosts on the same network. To clarify the potential exploitation of this vulnerability, it could be used in a very similar manner to that of the 2017 WannaCry attack that caused catastrophic disruption and sabotage to thousands of organizations across all industries worldwide.

Who Is Affected?
Those using certain versions of Microsoft Windows 7 and Windows Server 2008 are at risk from this vulnerability. Customers running Windows 8 and Windows 10 are not affected by this vulnerability due to these later versions incorporating more secure updates. Those most at risk, among others, are those working with embedded devices such as ATMs in the banking sector and IoT devices in the healthcare industry. This is due to older versions of Windows known to be the systems behind these operations, as well as them being prized targets for cyber criminals. As a result, since this vulnerability was announced, security professionals in hospitals and banks have been working diligently to patch their systems.

How to Protect Yourself
We have released an IPS protection for CVE-2019-0708 as an immediate response - Click here
1. Block the RDP protocol on the Check Point gateway product and endpoint SandBlast Agent. Instructions for Check Point R77.x and R80.x are detailed in the attached "how to guide" in this post.
2. If you are using RDP for mission critical systems – configure the Check Point gateway and endpoint product to accept connections only from trusted devices within your network. Instructions are included in the attached "how to guide" in this post.
3. Disable RDP on your Windows PCs and servers (unless used internally) and deploy the Microsoft patch.
Please note that your ability to identify vulnerable systems when used in IoT devices (corporate, finance, industrial and healthcare systems) is limited – therefore it is recommended to follow steps 1 & 2 even if the patch is installed. Currently, while Check Point researchers are investigating this vulnerability and monitoring any relevant activity in the wild, we recommend all IT professionals to deploy Microsoft patches according to the MS Security Update Guide. See here a quick "how to" guide with detailed step-by-step instructions.

Check Point Security Gateway and Check Point CloudGuard IaaS
We need to decrease the risk by limiting and/or blocking the Remote Desktop Protocol service (port 3389). The following steps are applicable for both Check Point Network Security Gateway and Check Point CloudGuard IaaS products.
Open SmartDashboard.
Define a new rule, with an Access Role on the source.
Define as specifically as possible the source that will use the RDP service, such as:
  Users: trusted users
  Machines: specific machines within a trusted network
  *Note: A combination of both is preferred.
Define trusted Users to use the Remote Desktop Protocol service.
On the Security Policy, in the rule base, make sure one rule will allow Remote Desktop Protocol as specifically as possible, using the Access Role group as seen in the above screenshots under TrustedUsers-Machines.

Check Point Endpoint Security SandBlast Agent
In the Endpoint Security server, configure the entire organization policy for Firewall to limit the Remote Desktop Protocol (3389). Firewall policy rules are to be configured to allow only specific Networks and Machines, and can be applied to specific Users.

Here are the OS versions vulnerable according to Microsoft:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Omer_Shliva
inside IPS, Anti-Virus, and Anti-Bot Tuesday
views 1538 5 6
Employee+

An update regarding CVE-2019-0708, a Remote Code Execution vulnerability in Remote Desktop Services

As part of the Microsoft May release, MS has announced a Remote Code Execution vulnerability in Remote Desktop Services, CVE-2019-0708. At this time, there are no indications of the vulnerability being exploited in the wild or of the existence of a public PoC. Check Point researchers are investigating this and monitoring any relevant activity in the wild. Check Point's recommendation is to monitor affected systems and deploy the MS fix according to the MS Security Update Guide. Customers who do not need the Remote Desktop Protocol can block the protocol on the Gateway and Endpoint Firewalls.

CVE-2019-0708

Do we have any IPS signature for CVE-2019-0708? What's the best recommendation in this case for our customers? Regards

DNS Malware trap - DNS servers

Hello CheckMates, can anyone explain to me what adding the internal DNS servers to the DNS trap configuration actually does? The only thing I can find in the documentation is 'to better help identify the origin of malicious requests', but it's not like we can see the client IP that the DNS request originates from. I've built a test setup in VMs to compare the difference of the logs with and without the DNS server defined, and I see no difference in the log cards. This is with both the client to DNS server and DNS server to public DNS requests going through the gateway. I hope someone knows more about this.
BeaconBits
BeaconBits inside IPS, Anti-Virus, and Anti-Bot a week ago
views 115 5

How packet flow works inside the IPS blade..?

Hello Everyone, I am troubleshooting one of the issues that involves the IPS, but I'm unable to understand the IPS behaviour in terms of packet flow inside the IPS blade. Can anyone share the IPS structure in the Check Point firewall? The administrative document does not explain it well, apart from configuration. Regards, B
Stan_Mazur
Stan_Mazur inside IPS, Anti-Virus, and Anti-Bot a week ago
views 41 1

STIG Validations IPS

DISA certifies the 4000, 5000, 15000 and 23000 series appliances. Since we migrated to the 4000 running R77.30 and enabled the IPS blade, and moved it to a new location. Here's my question: according to Navy requirements, the firewall and IDS/IPS must be separate components. Does the IPS Blade work like a separate device on the Firewall appliance? Has anyone come across STIG validations where they had the IPS blade enabled instead of a separate device, and did it pass the audit? If you did, how did you respond to their requirements? Thanks

CVE-2017-9841 not found on IPS Signature list on Checkpoint

Hi Everyone, CVE-2017-9841 is not included in the IPS protections list of Check Point. Our network is continuously detecting this one, which is prevented by our core firewall Cisco Firepower, but not by Check Point, which is deployed at the perimeter. CVSS v3.0 Severity and Metrics considers this CVE as a critical one, having Base Score: 9.8. With Regards, Bishal