This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
RichUK
Contributor
‎2022-02-03 09:59 AM

Standalone Log Server Downloads Alerts by Content Awareness

Hi all,

Can anyone explain why the standalone log server is every 10 minutes trying to download files from checkpoint for what looks like threat emulation updates? There are a few different files it tries to download.

Each connection shows an alert from Content Awareness, saying there is an error processing the file.

I first noticed the connection under the heavy connections, it shows in there a lot.

[fw_30]; Conn: 10.x:64096 -> 2.16.118.169:80 IPP 6; Instance load: 63%; Connection instance load: 83%; StartTime: 03/02/22 11:43:45; Duration: 9; IdentificationTime: 03/02/22 11:47:56; Service: 6:80;
[fw_31]; Conn: 10.x:62158 -> 2.16.118.169:80 IPP 6; Instance load: 61%; Connection instance load: 76%; StartTime: 03/02/22 11:05:21; Duration: 6; IdentificationTime: 03/02/22 11:08:00; Service: 6:80;
[fw_31]; Conn: 10.x:47126 -> 2.16.118.169:80 IPP 6; Instance load: 60%; Connection instance load: 96%; StartTime: 03/02/22 05:53:53; Duration: 4; IdentificationTime: 03/02/22 05:55:29; Service: 6:80;

smartevent.jpg

Many thanks

Rich

 

6 Replies
_Val_
Admin
Admin
‎2022-02-07 12:09 AM

What do you mean by "Standalone Log Server"? Which blades are active?

0 Kudos
RichUK
Contributor
‎2022-02-07 12:18 AM
In response to _Val_

Hi @_Val_ 

It is a management server, but defined as a Log Server / SmartEvent Only.

smartlog.jpg

It is downloading the following files every 10 mins and causing CPU spikes on the security gateways.

/opt/CPuepm-R81.10/engine/conf/updates/data/tmp/

sop.jpg

 

0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2022-02-07 02:41 AM
In response to RichUK

Hi 

I have sent your questions to the relevant R&D Owner and will reply here once I hear back.

BR

Tal

0 Kudos
RichUK
Contributor
‎2022-02-07 05:37 AM
In response to Tal_Paz-Fridman

Hi @Tal_Paz-Fridman 

 

Just an update,

I've noticed this in /opt/CPuepm-R81.10/engine/conf/updates/bin/sophos/logs/sophos_updates.log

sophosupdate.jpg

I have also disabled the compliance automatic updates, it was set to use a previous staff's account and I don't believe we are using compliancy checking. However, it is still downloading the files every 10 mins.

updates.jpg

 

 

0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2022-02-08 04:52 AM
In response to RichUK

Hi again,

According to R&D if you Endpoint Management in your environment all Check Point devices like Log Servers also download the Sophos files.

Log Servers (and other devices) serve Endpoint Clients that need to download Sophos signatures and must include the latest files.

0 Kudos
_Val_
Admin
Admin
‎2022-02-07 03:00 AM
In response to RichUK

Ok, now it makes sense. I would put the server to an exclusion list for now. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events