This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SantiagoPlatero
Collaborator
‎2016-03-30 12:15 PM
Jump to solution

Threat Emulation logs, detect instead of prevent

Hi all

I'm having issues with the TE blade. Despite I have the activation mode for some traffic in "prevent" by all cases, I see some logs with the "detect" action.

I already tried the suggested in sk106119 and sk106251, without success.

Before I talk to my local partner or open a SR I was wondering if could be some wierd incompatibility between the R80 mgmt and R77.30 gw?

Thanks lads

0 Kudos
1 Solution

Accepted Solutions
amir_olswang
Employee Alumnus
Employee Alumnus
‎2016-04-03 01:01 AM
Jump to solution

This is the answer I got:

From logs it looks like it is a known malware so it is likely that it was also dropped by AV.

The way that it works is that while TE is emulating other blades might decide to drop the connection. By the time TE is setting the connection to drop it is no longer in the table and the blade does not know if the connection was dropped or not so it produces a detect log.

In the second time the file is in the cache so it is prevented at roughly the same time it is prevented in AV so there is no discrepancy in the logs.

Can you check if this makes sense in your environment?

View solution in original post

0 Kudos
3 Replies
amir_olswang
Employee Alumnus
Employee Alumnus
‎2016-03-30 12:33 PM
Jump to solution

Hi Santiago,

I am not aware of such an issue.

Can you send a screen shot of this log.

Thanks,

Amir

0 Kudos
SantiagoPlatero
Collaborator
‎2016-03-31 11:44 AM
In response to amir_olswang
Jump to solution

Hi Amir,

I attached two logs, close both in time, with the same malicious file detected, one with detect action and other with prevent one

fwlog1.jpg

fwlog2.jpg

Thanks!

0 Kudos
amir_olswang
Employee Alumnus
Employee Alumnus
‎2016-04-03 01:01 AM
Jump to solution

This is the answer I got:

From logs it looks like it is a known malware so it is likely that it was also dropped by AV.

The way that it works is that while TE is emulating other blades might decide to drop the connection. By the time TE is setting the connection to drop it is no longer in the table and the blade does not know if the connection was dropped or not so it produces a detect log.

In the second time the file is in the cache so it is prevented at roughly the same time it is prevented in AV so there is no discrepancy in the logs.

Can you check if this makes sense in your environment?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events