Evgeniy_Olkov
Collaborator

Detect in Log and Prevent in Report. How can it be?

Hello. I need some help with Threat Emulation. Our customer has had a couple of incidents with virus prevention.

A virus file can pass Check Point with Detect in the logs:

Matched Rules:

Rules:

Severity - Critical, Confidence Level - High. Threat Prevention profile:

At the same time, if we open the summary report we see Prevent:

What is wrong? Antivirus does not block this file either.

8 Replies
Kaspars_Zibarts
Employee

Just with a quick glance: the Threat Prevention profile shows "Standard", and in the next screenshot the profile name is different.

Evgeniy_Olkov
Collaborator

Sorry for that, it's just an example. I don't have the original screenshots (just for now).

Danny
Champion

It's all in the details. Actual screenshots showing your real symptoms will allow us to help you. Please replace the examples above with your real screenshots.

Evgeniy_Olkov
Collaborator

I have updated the screenshots.

PhoneBoy
Admin

Did the end user in question actually receive the document?

Evgeniy_Olkov
Collaborator

Yes. The local antivirus detected it in the received email.

Actually, I have noticed that another of our customers has the same problem.

PhoneBoy
Admin

I could see the Forensics piece saying Prevent if AV ultimately caught it (even if TE didn't).

A TAC case is probably warranted here.

Evgeniy_Olkov
Collaborator

Yes, I have created a TAC case. They are going to organize a remote session. I'll share the answer afterwards.
