Detect in Log and Prevent in Report. How can it be?

Hello. I need some help with Threat Emulation. Our customer has had a couple of incidents with virus prevention.

A virus file can pass Check Point with Detect in the logs:

Matched Rules:

Rules:

Severity - Critical, Confidence Level - High. Threat Prevention profile:

At the same time, if we open the summary report, we see Prevent:

What is wrong? Antivirus does not block this file either.


Just from a quick glance: the Threat Prevention profile shows "Standard", and in the next screenshot the profile name is different.

0 Kudos

Sorry for that, it's just an example. I don't have the original screenshots (just for now).

0 Kudos
Pearl

It's all in the details. Actual screenshots showing your real symptoms will allow us to help you. Please replace the examples above with your real screenshots.


I have updated screenshots

0 Kudos
Admin

Did the end user in question actually receive the document?


Yes. The local antivirus detected it in the received email.

Actually I have noticed that our other customer has the same problem. 

Admin

I could see the Forensics piece saying prevent if AV ultimately caught it (even if TE didn’t).

A TAC case is probably warranted here.

0 Kudos

Yes, I have created a TAC case. They are going to organize a remote session. I'll share the answer afterwards.