Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Block Malicious Unknown File type attachment (MTA) (TE) (R80.20)

Setup

MGMT Server : Open Server

Security Gateway : 15600

TE Appliance

MTA : Enabled

Requirement Our requirement is that Threat Emulation or Antivirus should drop the mail if any other or unknown extension is attach in the mail. (Currently Checkpoint TE and AV blade support more than 90 file type [AV] and 65 file type by [TE] )

Seanario1 :  Our case we change the extension of malicious file to any known extension as listed on above and send a mail and here AV is able to block the mail.

Seanario2 : Suppose I change the  extension to any other or unknown extension of that malicious file then here AV is not able to block that mail. 

Example : File Name : samples.tar (malicious file)

INTERNET ---->  MAIL (samples.tar mail attatchment ) ----->  BLOCK by TE

INTERNET ---->  MAIL (samples.tar.pdf mail attatchment ) ----->  BLOCK by TE  (just changing the extension)

INTERNET ---->  MAIL (samples.tar.mht mail attatchment ) ----->  Allow and not able to find any log  (just changing the extension)

INTERNET ---->  MAIL (samples.tar.der mail attatchment ) ----->  Allow and not able to find any log 

NOTE : We update the TE engine to version  58.990000298. (sk92509)

Installed latest jumbo Take_33  with MTA take_24.

As per the sk121097 (Last update on 25-Oct-2017 )

Threat Emulation is not scanning files if their extension was changed to unsupported file type is an expected behavior.

# Chinmaya Naik

9 Replies
Highlighted
Admin
Admin

You realize there's an option to scan all file types with AV, right?

I'm not aware of an option to block all "unknown" extension types.

Highlighted

Hiii Dameon Welch-Abernathy‌ thanks for the suggestion.

Still we unable to block after enabling Process all file types option also.

As I can see .iso extension is not even on the list also but its block by TE but when I change the extension to .der or .mht then its allow the file to download.

Any workaround for this issue. 

Thanks in Advance 

#Chinmaya Naik

0 Kudos
Reply
Highlighted
Admin
Admin

Offhand don't know, but will ask around Smiley Happy

0 Kudos
Reply
Highlighted
Admin
Admin

Hi, a little late, I realize, but it seems there is an option in the Threat Prevention profile to deal with unknown extensions:

image001.png

0 Kudos
Reply
Highlighted

As I can see .iso file type is not supported on AV but TE is supported so that file type (.iso) block by TE but when I change the extension to .der or .mht then its allow the file to download because that two file type is not supported by TE and AV. 

As per the sk123140 (How to configure Threat Emulation blade to block files according to file types) but as per our requirement is to block unknown filetype that not listed on AV and TE.

Thanks in Advance 

Hiii Dameon Welch-Abernathy can we move this question to sandblast section?

#Chinmaya Naik

0 Kudos
Reply
Highlighted
Admin
Admin

Done.

Still checking with R&D Smiley Happy

0 Kudos
Reply
Highlighted

Thanks Dameon Welch-Abernathy‌    

Waiting for your response.

#Chinmaya Naik

0 Kudos
Reply
Highlighted
Participant

Hello,

 

is there an update to this issue?

Especially the mht files.

It seems that the Sandbox mht files does not recognize as files. That means blocking all unknown files does not work since the file is not detected.

Regards,

Klaas

 

0 Kudos
Reply
Highlighted
Admin
Admin

The sandbox cannot emulate "unknown" file types but AV should block them if so configured.
If you've configure AV and the Threat Prevention profile as pictured above and it is still getting through, please open a TAC ticket.
0 Kudos
Reply