Threat emulation log Detect

Hi, we have seen an issue with a file being allowed through Threat Emulation as Detect instead of Prevent at a customer. We have looked over the SKs but can't seem to find one that is applicable, except maybe a timeout issue to the ted daemon we found in an SK.

We have background mode in Anti-Virus/Anti-Bot under Manage settings/Threat Prevention settings, but at the profile for Threat Emulation we have hold. Can this mismatch cause an issue? We thought Threat Emulation would always hold, but can it be affected by having background on Anti-Virus?

Here are the logs of TE on the GW and TE Appliance as well as Anti-Virus. Anti-Virus is set to background so it gets Detect correctly. But emulation is set to hold; it also just says Detect without a reason.

[Attachments: TECONF.PNG, AVdetect.PNG, TedetectGW.PNG, TEdetect.PNG]

We found something regarding a timeout value for ted in an SK and it might be the case; the logs had been rotated out when we saw the issue, so we can't inspect further. We are wondering if this mismatch can cause this issue, or if it must be the timeout issue to the ted daemon, or if it can be something else.

Re: Threat emulation log Detect

You can go into the Threat Prevention settings and check what your emulation size and timeout limits are:

[Attachment: 2019-04-18_10-35-16.jpg]

If you are using Cloud Emulation, you can use the command tecli show cloud queue to see if things are getting stuck in queues for long periods. If you are doing Threat Emulation with an on-prem appliance, I believe the command is tecli show remote queue from the Gateway enforcing the TE policy.

Can you expand the Threat Emulation dropdown from the 1st screenshot and show us how TE is configured in this policy?

Re: Threat emulation log Detect

[Attachment: TECONF2.PNG]

This is it. The size is below; the time I can't say, but generally when these limits are hit it says so in the log file: "maximum size/time limit exceeded".