This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ED
Advisor
‎2018-06-27 05:22 AM

IPS protection set to detect from prevent after update

Hi,

This is probably logical but may sometimes surprise you or lead to unwanted action for a IPS protection. Here is the case for "Apache Struts2 Content-Type Remote Code Execution" protection.

This attack protection was released in 07/03/2017 and updated 03/06/2018. The protection action was set to Prevent before the update date. Now since a new update on that protection happened on 03/06/2018 it was set to Detect because of the stage mode. Since you could have installed both "Access control" and "Threat Prevention" for a policy without clearing the stage mode, or a colleague of your IT-team the action is now set to Detect even if it was previously set to Prevent.

Proof of this: Notice the date after 02/06/2018 that it's set to Detect

I wish that an update of a protection that was set to Prevent remains like that even if there is a new update of that same protection. What do you guys think about this? 

Check Point software does not use the Apache Struts 2.X, therefore Check Point software is not vulnerable to any Apache Struts 2 vulnerability. But it could have been something that could affect your system. 

0 Kudos
3 Replies
Tomer_Sole
Mentor
Mentor
‎2018-06-27 05:44 AM

Hi. see IPS Protections in Detect (Staging)  (3rd bullet and then how you can automate that)

ED
Advisor
‎2018-06-27 06:05 AM
In response to Tomer_Sole

Thank you Tomer. Somehow my brain thinks on newly downloaded protections to be completely new, not impacting already existing protections who got a new update for that same protection. 

The staging exclusion is good by using severity/performance impact and/or using categories. What about a third option that keeps an existing protection to remain in same action even if gets an update for that same protection. What do you think about that and is there any problems with an approach like that?

Tomer_Sole
Mentor
Mentor
‎2018-06-28 12:22 PM
In response to ED

The motivation behind it is that if a protection gets updated, that's new code. So there is the possibility of a new false-positive that wasn't there before.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events