This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Jeff_Gao
Advisor
‎2019-02-12 11:09 PM

Anti-Virus log prompt: "background classification mode was set"

Dear 

FW:23500     Version:R80.10       Hotfix:R80_10_JUMBO_HF_Bundle_T56_sk11638

I have set hold mode,refer to screenshots below:

TP configuration as follow:

But the log shows as follow:

Description:

                  Connection was allowed because background classification mode was set. See sk74120 for more information.

"loop.sawmilliner.com" is a C2 and malware site,as follow:

I have set classification mode to hold,why still show "background classification mode was set"

Thanks!

Reply
10 Replies
_Val_
Admin
Admin
‎2019-02-13 02:10 AM

You are looking to the wrong Software Blade. Threat Prevention is for downloads. For Site classification, you need AC and URL Filtering to be changed.  

Reply
Jeff_Gao
Advisor
‎2019-02-13 03:48 AM
In response to _Val_

Thanks,but log match anti-virusblade.This behavior is in the DNS request phase.Can't it be blocked by tp at the DNS request stage?

Reply
G_W_Albrecht
Champion
Champion
‎2019-02-13 05:00 AM
In response to Jeff_Gao

Look here:

0 Kudos
Reply
Jeff_Gao
Advisor
‎2019-02-13 05:06 AM
In response to G_W_Albrecht

Thanks,I will try it.

Reply
Gaurav_Pandya
Advisor
‎2019-04-16 11:18 AM
In response to Jeff_Gao

Hi,

I have the same issue. I have put the URL filtering setting to Hold mode but still i am getting same logs of "It is allowed because background classification mode was set" in the logs.

0 Kudos
Reply
That_CP_Guy
Explorer
‎2019-07-03 12:33 PM
In response to Gaurav_Pandya

Was this ever resolved? I am facing the exact same issue. Thanks.

Reply
Hely_C
Explorer
‎2019-10-24 05:39 AM
In response to That_CP_Guy

I am also facing same issue. anyone has an idea?

Reply
Craig_Myers
Explorer
‎2019-11-07 06:57 AM
In response to Hely_C

I have a customer with this same issue.  Does Check Point have a configuration fix for this or is this a bug?

0 Kudos
Reply
Angel_Lumbreras
Explorer
‎2019-11-12 12:00 AM
In response to Gaurav_Pandya

Hello, same issue here, any news about it?

0 Kudos
Reply
Trevor_Bruss
Contributor
‎2020-01-14 08:29 AM

Isn't this because Checkpoint changed how DNS classification occurs? So check out:

https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve...

Even though in your policy you've set Hold that will be relevant only for http, smtp, and smb. DNS will still be in background mode for optimization purposes. You'd have to manually change that in you malware_config file on the gateway if you want DNS to be in Hold mode as well.

I think what you are seeing here is normal based on the log you showed as this was a DNS query that got bypassed.

0 Kudos
Reply