NorthernNetGuy
Advisor

MTA and threat emulation behavior and logs

Sometimes when we get a threat coming in via e-mail, we only see logs from the MTA and Anti-Spam/Anti-Bot blades, even when these e-mails contain links and attachments. Fortunately our secondary anti-spam and malware appliance is able to detect and block these.

 

I would expect that because of the attachments and links, this traffic would get processed by Threat Emulation and Threat Extraction. I see the MTA has flagged it as a threat with 1 link and 1 attachment, but no forensics.

I find that I'll still see Threat Emulation logs for e-mail attachments; not sure why I don't see them in some cases.

 

The MTA log doesn't show the file name, and looking at Threat Emulation and Extraction logs around the same time frame comes up with no related results.

Is this normal behavior, and I'm just not understanding the blades correctly?

[Screenshots attached: 2020-01-30_10h30_38.png, 2020-01-30_10h31_34.png, 2020-01-30_10h32_58.png]

0 Kudos
7 Replies
Wolfgang
Authority

David,

The messages you showed are detected with malicious content (links, text etc.) by the Anti-Spam blade.

They are not blocked; they are flagged with "suspected spam" and delivered to the next hop. This behaviour is configured via the Anti-Spam blade.

If you want to remove these types of links from the message, you have to enable this function in your Threat Prevention profile for the MTA under the mail part.

Wolfgang

0 Kudos
NorthernNetGuy
Advisor

Hi Wolfgang,

 

I do have those options enabled. From what I'm understanding you're saying, if the AV blade detects something, even at a medium confidence level, then the Threat Extraction and Threat Emulation blades will be ignored.

Wouldn't it be beneficial, if the AV blade has a medium confidence level, to have the mail still process through the other blades to see if they detect something at a higher confidence level?

 

[Screenshot attached: 2020-01-30_15h10_09.png]

Edit: added a better screenshot with more info.

0 Kudos
Wolfgang
Authority

David,

You wrote: "From what I'm understanding you're saying, if the AV blade detects something, even at a medium confidence level, then the Threat Extraction and Threat Emulation blades will be ignored."

No, definitely not. Both blades are processing those messages. But something in the content of your message is only detected by the Anti-Spam blade. Maybe an offer for **bleep** enlargements or anything else like this. This is called SPAM: not really malicious, but unwanted. If you want to block these with the Anti-Spam blade you have to change the SPAM level behaviour.

It looks like the other blades didn't detect any malicious content. You can take the information about this content from your other mail-scanning solution and check with Check Point whether it is known to Check Point.

Wolfgang

0 Kudos
NorthernNetGuy
Advisor

Maybe I'm misunderstanding the logging behavior. I thought I would see line items for the Threat Emulation blade in the logs, even when they pass/accept, not just the MTA and Anti-Spam logs.

Our secondary MTA detonated and detected the attachments on these e-mails as containing malware and blocked them, not as spam. Unfortunately I can't get the attachments to detonate in the SandBlast cloud now to see if it was just SandBlast that couldn't detect them after detonation.

Checking back, I don't see the logs for Threat Emulation for attachments from occasional senders after installing MTA Jumbo Hotfix Take 37 (R80.30), but I do before that take.

 

 

0 Kudos
Deepak_Z
Explorer

Hi, I still don't think we have an answer here.

We can see MTA logs but no emulation, and the mail is passed without any action.

Shouldn't this be scanned?

0 Kudos
Norbert_Bohusch
Advisor

Which blades are active on the gateway, and how is the Threat Prevention rule for the MTA configured (which profile etc.)?

Deepak_Z
Explorer

Hi Norbert, first of all thanks for the response.

Currently we have Anti-Bot, Anti-Virus, Threat Emulation and Threat Extraction enabled on the gateway.

We are emulating mail traffic, for which we have enabled the MTA.

Now I get calls from the customer that a particular mail containing malicious links has been skipped by ATP, and after checking the logs I can only see MTA logs and no emulation or extraction log.

We have a max delay setting of 25 mins.

 

 

 

 

0 Kudos
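The recurring question in this thread is whether a message the MTA logged with attachments or links ever produced a Threat Emulation or Threat Extraction record, and the last reply adds the 25-minute max delay, after which the MTA releases mail without a verdict. The script below is an added example (not code from the thread or from Check Point) that correlates an exported log set by message ID and reports messages that should have been emulated but have no verdict within the max delay window. The blade names, field names (`email_id`, `attachments_num`, `links_num`, `verdict`, etc.) and all sample records are constructed assumptions; map them to the real export columns before use.

```python
"""Correlate MTA log records with Threat Emulation / Extraction records.

Assumed (not verified) field and blade names modelled on a Check Point log
export. Replace them with the actual column names of your export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed values of the 'blade' field; adjust to what your logs actually show.
MTA_BLADE = "Mail Transfer Agent"
TE_BLADE = "Threat Emulation"
TEX_BLADE = "Threat Extraction"

# Constructed sample export. Message m1 was emulated and extracted in time,
# m2 only received a TE verdict after the max delay (so the MTA would have
# released it before the verdict existed), and m3 carried nothing to emulate.
SAMPLE_LOGS = [
    {"time": "2020-01-30T10:30:38", "blade": MTA_BLADE, "email_id": "m1",
     "email_subject": "Invoice", "attachments_num": 1, "links_num": 1},
    {"time": "2020-01-30T10:31:02", "blade": TE_BLADE, "email_id": "m1",
     "file_name": "invoice.doc", "verdict": "Benign"},
    {"time": "2020-01-30T10:31:05", "blade": TEX_BLADE, "email_id": "m1",
     "file_name": "invoice.doc", "action": "Extract"},
    {"time": "2020-01-30T10:32:58", "blade": MTA_BLADE, "email_id": "m2",
     "email_subject": "Order", "attachments_num": 1, "links_num": 1},
    {"time": "2020-01-30T10:35:00", "blade": MTA_BLADE, "email_id": "m3",
     "email_subject": "Newsletter", "attachments_num": 0, "links_num": 0},
    {"time": "2020-01-30T11:01:00", "blade": TE_BLADE, "email_id": "m2",
     "file_name": "order.xls", "verdict": "Malicious"},
]


def correlate(logs, max_delay=timedelta(minutes=25)):
    """Group records by email_id and, for every message the MTA saw, report
    whether emulation/extraction records exist and whether a TE verdict
    arrived inside the configured max delay."""
    by_id = defaultdict(list)
    for rec in logs:
        by_id[rec["email_id"]].append(rec)

    findings = {}
    for email_id, recs in by_id.items():
        mta = [r for r in recs if r["blade"] == MTA_BLADE]
        if not mta:
            continue  # TE/TEX record with no MTA record: not this report's concern
        first = min(mta, key=lambda r: datetime.fromisoformat(r["time"]))
        t0 = datetime.fromisoformat(first["time"])
        # Anything with an attachment or a link is expected to reach TE/TEX.
        expected = (first.get("attachments_num", 0) + first.get("links_num", 0)) > 0

        te = [r for r in recs if r["blade"] == TE_BLADE]
        tex = [r for r in recs if r["blade"] == TEX_BLADE]
        timely = [r for r in te
                  if datetime.fromisoformat(r["time"]) - t0 <= max_delay]
        findings[email_id] = {
            "subject": first.get("email_subject"),
            "expected_emulation": expected,
            "te_seen": bool(te),
            "tex_seen": bool(tex),
            "te_verdicts": sorted({r.get("verdict") for r in te}),
            "late_verdict": bool(te) and not timely,
            # The condition the thread is chasing: the MTA saw content to
            # emulate, but no TE verdict exists within the release window.
            "no_timely_verdict": expected and not timely,
        }
    return findings


def gaps(findings):
    """Return the message IDs that were released without a timely TE verdict."""
    return sorted(e for e, f in findings.items() if f["no_timely_verdict"])


if __name__ == "__main__":
    result = correlate(SAMPLE_LOGS)
    for email_id, f in sorted(result.items()):
        print(email_id, f)
    print("released without timely verdict:", gaps(result))
```

Run against a real export, the `gaps()` list is the set of messages to raise with support: each one has the MTA's own evidence of an attachment or link but no emulation verdict before the MTA's max delay expired, which is exactly the "MTA log but no TE log" pattern described above. A message that shows `late_verdict` is the case where emulation did finish, just not before the mail was already delivered.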
