This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Andre_K
Contributor
Contributor
‎2017-10-03 06:29 AM

Embedded Office.com links in .PDF's

Hi all, I noticed that the Sandblast marks particulair.pdf files with an embedded link from Microsoft (in this case a custom created Office form via https://forms.office.com) as a malicious C&C site.  This is defiantly a false positive. Anyone experienced the same?. Of course I can follow sk118875 and submit this false positive for review by Check Point support but this is quite a hassle due to privacy rights and sharing customer data etc. Any suggestions are welcome.

0 Kudos
2 Replies
Thomas_Werner
Employee Alumnus
Employee Alumnus
‎2017-10-04 05:33 AM

Hi Andre,

you can control this feature via:

[Expert@Gateway:0]# tecli advanced analyzer
Command: root->advanced->analyzer

Available options:
 show - display analyzer attributes values
 enable - enable or disable analyzer investigator
 max_embedded_files_limit - Set maximum embedded files limit
 max_embedded_links_limit - Set maximum embedded links limit
 prohibited - prohibited objects menu

[Expert@Gateway:0]# tecli advanced analyzer show
 File Analyzer: ON
 Maximum embedded files limit: 10
 Maximum embedded links limit: 20
 Block encrypted documents: OFF
 Block documents that contain sensitive links (links to local or network path): OFF
 Block documents that contain macros and code: OFF
 Block documents with embedded word file type: OFF
 Block documents with embedded excel file type: OFF
 Block documents with embedded power point file type: OFF
 Block documents with embedded executable file type: OFF
 Block documents with embedded zip file type: OFF
 Block documents with embedded flash file type: OFF
 Block documents with embedded pdf file type: OFF
 Block documents with embedded js file type: OFF

Reporting possible FPs to Check Point is valuable because it remediates also possible future FPs.

In many cases we can change "Detection rules" which is not simple file hash whitelisting. In such cases multiple FPs will be gone in a single effort if the behavioral detection behind the FP is the same. Detection rules are updated automatically.

Always remember that during opening a FP case we will check if the file is really malicious. There were cases in the past that first looked like a FP but during analysts investigation were proofed to be malicious.

Regards Thomas

0 Kudos
Andre_K
Contributor
Contributor
‎2017-10-04 05:43 AM
In response to Thomas_Werner

Hi Thomas, thank you for your reply. I am familiar with the analyzer but in this case it seems like the TE marks this particular link as malicious, it’s not an embedded file within the PDF.  I will might indeed consider submitting this possible FP to support for review. Thanks again!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events