Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Collaborator

Capsule Cloud Threat Emulation

The following domains deliver files to our client Windows 10 workstations and mobile Surface books that are continuously Emulated despite my efforts to bypass emulation.  I do not consider files that deliver windows updates, checkpoint updates, symantec updates and others to be risky and emulating them is using unnecessary resources of time and licensing.  Has anyone tried to bypass cloud emulation for these domains?

 

Thank you,

 

Dan 

 

 

0 Kudos
4 Replies
Highlighted
Employee++
Employee++

Does the source in the emulation log say "Trusted Source" ?

Some of those "domains" or "services" you mention shouldn't actually result in the file being sent out to the cloud for emulation thanks to a global white list. 

 

0 Kudos
Highlighted
Collaborator

Thanks for the reply Chris, Yes for liveupdate.symantecliveupdate.com does show trusted source and benign verdict. But in this case, the file being emulated is a 7z filetype and all indications are the file is emulated. Also, I have Office templates in .cab files and also windowsupdate .cab (trused source:yes) and all these show 'analyzed_on' Check Point Threat Cloud. Where is the whitelist?
0 Kudos
Highlighted
Collaborator

Another candidate for whitelisting is 'content.ivanti.com'. Ivanti has a patching application and they deliver windows patch files in .zip files. These file are extracted and deliver a benign verdict for every file in the zip. Multiply all these patch file by the number of workstations and you can see why our emulation file count per month is quite high. Can this work as advertised? Won't all these patch files from Microsoft have the same hash value?
0 Kudos
Highlighted
Collaborator

Tell me about this one: EP Antibot downloads a .tar file from secureupdates.checkpoint.com that results in 'detect', reason: file size exceeded size limit, if this is whitelisted then why is the file size limit reached.
0 Kudos