RichUK
Contributor

Standalone Log Server Downloads Alerts by Content Awareness

Hi all,

Can anyone explain why the standalone log server is trying every 10 minutes to download files from Check Point for what looks like Threat Emulation updates? There are a few different files it tries to download.

Each connection shows an alert from Content Awareness, saying there is an error processing the file.

I first noticed the connection under the heavy connections; it shows up in there a lot.

[fw_30]; Conn: 10.x:64096 -> 2.16.118.169:80 IPP 6; Instance load: 63%; Connection instance load: 83%; StartTime: 03/02/22 11:43:45; Duration: 9; IdentificationTime: 03/02/22 11:47:56; Service: 6:80;
[fw_31]; Conn: 10.x:62158 -> 2.16.118.169:80 IPP 6; Instance load: 61%; Connection instance load: 76%; StartTime: 03/02/22 11:05:21; Duration: 6; IdentificationTime: 03/02/22 11:08:00; Service: 6:80;
[fw_31]; Conn: 10.x:47126 -> 2.16.118.169:80 IPP 6; Instance load: 60%; Connection instance load: 96%; StartTime: 03/02/22 05:53:53; Duration: 4; IdentificationTime: 03/02/22 05:55:29; Service: 6:80;

smartevent.jpg

Many thanks

Rich
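The three heavy-connection lines quoted above are in a fixed field format, so a defender can parse them and check how often the same destination recurs and how much connection-instance load it carries. The parser below is an added example, not code from the poster or from Check Point; it embeds the poster's three lines as constructed sample input (source address redacted as "10.x", exactly as posted) and assumes the StartTime field is dd/mm/yy.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the three heavy-connection lines quoted in the post.
SAMPLE = """\
[fw_30]; Conn: 10.x:64096 -> 2.16.118.169:80 IPP 6; Instance load: 63%; Connection instance load: 83%; StartTime: 03/02/22 11:43:45; Duration: 9; IdentificationTime: 03/02/22 11:47:56; Service: 6:80;
[fw_31]; Conn: 10.x:62158 -> 2.16.118.169:80 IPP 6; Instance load: 61%; Connection instance load: 76%; StartTime: 03/02/22 11:05:21; Duration: 6; IdentificationTime: 03/02/22 11:08:00; Service: 6:80;
[fw_31]; Conn: 10.x:47126 -> 2.16.118.169:80 IPP 6; Instance load: 60%; Connection instance load: 96%; StartTime: 03/02/22 05:53:53; Duration: 4; IdentificationTime: 03/02/22 05:55:29; Service: 6:80;
"""

# One regex per line; every ';'-separated field is captured by name.
LINE_RE = re.compile(
    r"\[(?P<inst>\w+)\]; Conn: (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"IPP (?P<proto>\d+); Instance load: (?P<iload>\d+)%; "
    r"Connection instance load: (?P<cload>\d+)%; "
    r"StartTime: (?P<start>\d\d/\d\d/\d\d \d\d:\d\d:\d\d); Duration: (?P<dur>\d+); "
    r"IdentificationTime: (?P<ident>[^;]+); Service: (?P<svc>[^;]+);"
)

def parse_heavy_conn(line):
    """Return a dict of typed fields for one heavy-connection line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "proto", "iload", "cload", "dur"):
        rec[k] = int(rec[k])
    # Assumption: day/month/year, as a UK poster would write 3 Feb 2022.
    rec["start"] = datetime.strptime(rec["start"], "%d/%m/%y %H:%M:%S")
    return rec

def summarise(text, min_count=2):
    """Group lines by (dst, port); report count, peak load and shortest repeat gap."""
    by_dst = defaultdict(list)
    for line in text.splitlines():
        rec = parse_heavy_conn(line)
        if rec:
            by_dst[(rec["dst"], rec["dport"])].append(rec)
    report = {}
    for key, recs in by_dst.items():
        if len(recs) < min_count:
            continue
        recs.sort(key=lambda r: r["start"])
        gaps = [(b["start"] - a["start"]).total_seconds() for a, b in zip(recs, recs[1:])]
        report[key] = {"count": len(recs),
                       "max_conn_load": max(r["cload"] for r in recs),
                       "min_gap_s": int(min(gaps))}
    return report
```

Feeding a full day of heavy-connection output to summarise() makes a recurring destination and its shortest repeat interval stand out, which is the quickest way to confirm a "every 10 minutes" pattern before opening a ticket.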


6 Replies
_Val_
Admin

What do you mean by "Standalone Log Server"? Which blades are active?

RichUK
Contributor

Hi @_Val_ 

It is a management server, but defined as a Log Server / SmartEvent Only.

smartlog.jpg

It is downloading the following files every 10 mins and causing CPU spikes on the security gateways.

/opt/CPuepm-R81.10/engine/conf/updates/data/tmp/

sop.jpg


Tal_Paz-Fridman
Employee

Hi

I have sent your questions to the relevant R&D Owner and will reply here once I hear back.

BR

Tal

RichUK
Contributor

Hi @Tal_Paz-Fridman 


Just an update,

I've noticed this in /opt/CPuepm-R81.10/engine/conf/updates/bin/sophos/logs/sophos_updates.log

sophosupdate.jpg

I have also disabled the compliance automatic updates; it was set to use a former staff member's account, and I don't believe we are using compliance checking. However, it is still downloading the files every 10 mins.

updates.jpg


Tal_Paz-Fridman
Employee

Hi again,

According to R&D, if you have Endpoint Management in your environment, all Check Point devices, like Log Servers, also download the Sophos files.

Log Servers (and other devices) serve Endpoint Clients that need to download Sophos signatures and must include the latest files.

_Val_
Admin

Ok, now it makes sense. I would put the server on an exclusion list for now.
