This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Filip_Wennerhul
Participant
‎2019-04-18 02:18 AM

Threat emulation log Detect

Hi we have seen an issue with a file being allowed through threat emulation as detect instead of prevent at a customer. We have looked over the SKs but cant seem to find one that is applicable except maybe a timeout issue to ted daemon we found in an SK. 

 

We have background mode in Anti virus/anti-bot under Manage settings/threat prevention settings but at the profile for threat emulation we have hold. Can this mismatch cause an issue? We thought Threat emulation would always hold but can it be affected by having background on antivirus?

 

Here is the logs of TE on the GW and TEAppliance aswell as antivirus. Anti virus is set to background so it gets detect correctly. But emulation is hold, it also just says detect without a reason.

 

TECONF.PNGAVdetect.PNGTedetectGW.PNGTEdetect.PNG

We found something regarding a timeout value for ted in an sk and it might be the case, the logs had been rotated out when we saw the issue so cant inspect further. We are wondering if this mismatch can cause this issue or if it must be the timeout issue to ted daemon or if it can be something else.

 

 

0 Kudos
3 Replies
Daniel_Taney
Advisor
‎2019-04-18 07:41 AM

You can go into the Threat Prevention settings and check what your emulation size and timeout limits are:

2019-04-18_10-35-16.jpg

 

If you are using Cloud Emulation, you can use the command tecli show cloud queue to see if things are getting stuck in queues for long periods. If you are doing Threat Emulation with an on-prem appliance, I believe the command is tecli show remote queue from the Gateway enforcing the TE policy.

 

Can you expand the Threat Emulation dropdown from the 1st screen shot and show us how TE is configured in this policy?

 

R80 CCSA / CCSE
0 Kudos
Filip_Wennerhul
Participant
‎2019-04-25 12:28 AM
In response to Daniel_Taney

TECONF2.PNG

 

This is it. The size is below the time i cant say, but generally when these limits are hit it says so in the log file "maximum size/time limit exceeded".

 

0 Kudos
Duc_Nguyen_Anh
Explorer
‎2020-03-26 08:39 PM
In response to Filip_Wennerhul

Hi there,

Is there any solution for this issue?

Many thanks

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events