
Detect in Log and Prevent in Report. How can it be?

Hello. I need some help with Threat Emulation. Our customer has had a couple of incidents with virus prevention.

A virus file can pass Check Point with Detect in the logs:

Matched Rules:

Rules:

Severity - Critical, Confidence Level - High. Threat Prevention profile:

At the same time, if we open the summary report we see Prevent:

What is wrong? Antivirus does not block this file either.

8 Replies

Re: Detect in Log and Prevent in Report. How can it be?

Just with a quick glance - Threat prevention profile shows "Standard" and next screenshot profile name is different

0 Kudos

Re: Detect in Log and Prevent in Report. How can it be?

Sorry for that, it's just an example. I don't have the original screenshots (just for now).

0 Kudos
Danny
Pearl

Re: Detect in Log and Prevent in Report. How can it be?

It's all in the details. Actual screenshots showing your real symptoms will allow us to help you. Please replace the examples above with your real screenshots.

Re: Detect in Log and Prevent in Report. How can it be?

I have updated screenshots

0 Kudos
Admin
Admin

Re: Detect in Log and Prevent in Report. How can it be?

Did the end user in question actually receive the document?

Re: Detect in Log and Prevent in Report. How can it be?

Yes. The local antivirus detected it in the received email.

Actually I have noticed that our other customer has the same problem. 

Admin
Admin

Re: Detect in Log and Prevent in Report. How can it be?

I could see the Forensics piece saying prevent if AV ultimately caught it (even if TE didn’t).

A TAC case is probably warranted here.

0 Kudos

Re: Detect in Log and Prevent in Report. How can it be?

Yes, I have created a TAC case. They are going to organize a remote session. I'll share the answer afterwards.