Re: meaning of Anti-virus blade Log "Action detail...

FM · ‎2020-05-08

Hello Checkmates,

Can you help me understand the value "bypass" under column M "Action details" in the Anti-virus blade Log. And why the traffic was allowed although the rule was to prevent?

The Threat Prevention rule of the Anti-Virus and Anti-Bot rule for "Confidence Level = High" and "severity = High" is to prevent but the traffic was allowed with action "Detect".

Time

Type

Action

Resource

Protection Name

Destination

Confidence Level

Severity

Blade

Protection Type

Malware Action

Correlation Unit Category

Action Details

May 4, 2020 2:36:25 PM

Correlated

Detect

http://googe[.]com/

Phishing_website.TC.xyuns

162.243.10.151

High

Anti-Virus

URL Reputation

Access to site known to contain malware

Legacy;Threat Prevention

bypass

May 4, 2020 2:36:24 PM

Log

Detect

http://googe[.]com/

Phishing_website.TC.xyuns

162.243.10.151

High

Anti-Virus

URL Reputation

Access to site known to contain malware

bypass

PhoneBoy · ‎2020-05-10

Is the gateway set to Hold or Background?
I could see that happening if set to Background, where there may be a delay before the gateway receives the exact classification and the connection was short (and thus couldn't be prevented in time).

FM · ‎2020-05-11

Spot on! - it is set to Background.

What are the pros and cons of setting it to Hold. What is the average delay of a hold?

Thanks

FM

TP_Master · ‎2020-05-11

Hi,
It's explained here: https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_ThreatPrevention_AdminGuide/...

Let us know if you have any further questions.

FM · ‎2020-06-29

I read the general description of the three different options, but what i am looking for is an expert's insight about setting the Resource categorization mode to "Hold" -- is the latency noticeable to the end user?

Hold - connections are blocked until categorization is complete - When a connection cannot be categorized with the cached responses, it remains blocked until the Check Point Online Web Service completes categorization.

Thank you

FM

PhoneBoy · ‎2020-06-29

It can be, yes, depending on the circumstances.

FM · ‎2020-08-03

We finally changed the setting to HOLD on 2020-07-23 but it allowed 3 in Detect in stead of Prevent. See attached screen capture showing the resource Categorization setting as "Hold"; and a table showing the allowed traffic in Background mode. The traffic fulfill the conditions for the traffic to "Prevented"--Confidence level = "High" and Severity "High" or "Critical". Can you tell me why the vendor list value for one of the events is blank?

Time	Malware Action	Vendor List	Description
Jul 29, 2020 2:04:34 PM	Malicious file/exploit download
Jul 29, 2020 2:04:31 PM	Malicious file/exploit download	Check Point ThreatCloud	Connection was allowed because background classification mode was set. See sk74120 for more information.
Jul 29, 2020 12:43:28 PM	Malicious file/exploit download	Check Point ThreatCloud	Connection was allowed because background classification mode was set. See sk74120 for more information.

PhoneBoy · ‎2020-08-03

Did you push policy after making that change?
If so, you may want to involve the TAC.

FM · ‎2020-08-03

I am waiting for the Network admin to confirm if he did "Push Policy".

If it has the same effect? we did "Push Policy" after our weekly IDS protection rule update on Wed 7/29/2020 6:10 PM-- the time of the push policy was after the 3 events that were allowed at Jul 29, 2020 2:04:34 PM and could not have applied.

PhoneBoy · ‎2020-08-03

Pretty sure changing the profile requires an explicit policy push versus the automatic update of IPS signatures, which doesn't require an explicit policy push to take effect.

Checkpoint_GoSe · ‎2020-06-02

A side question for you, perhaps you can help.

Some traffic on Anti-bot blade I am monitoring is currently allowing traffic through as Detect and not Prevent even though the gateway is set to 'Hold' and not 'Background'. The Threat Prevention policy is also set to Prevent. I found no exceptions that could interfere with this. On R80.30 btw

Timothy_Hall · ‎2020-06-02

Need to see the redacted log card for this event to assist. In the meantime, check the Activations tab for all the circled Protection classes below:

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com

Checkpoint_GoSe · ‎2020-06-03

According to the log, the protection type is listed as 'DNS Reputation'.
In the menu you showed above, I do not have a protection with this name. I have only the ones you circled in red.

Timothy_Hall · ‎2020-06-03

Pretty sure DNS Reputation is part of "Reputation Domains" or possibly "Reputation IPs". And the Activations for these two categories are set to what for your TP profiles?

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com

Checkpoint_GoSe · ‎2020-06-30

Both categories are set to Prevent.

I did find another source that says that DNS Reputation will always be set to Detect and this config can't be changed.

Perhaps this is the cause?

https://community.checkpoint.com/t5/IPS-Anti-Virus-Anti-Bot-Anti/Threat-Prevention-is-Not-Block-DNS-...

meaning of Anti-virus blade Log "Action details = bypass"