
MTA AV Exceptions

Hi, AV in MTA is blocking one of our emails coming from a trusted source. This is a false positive. The only option I see to exclude the sender mail address is in IPS profile --> Threat Emulation --> Excluded Mail Addresses. Is there a way to exclude emails from MTA scanning until the issue is resolved with the AV?
6 Replies

Re: MTA AV Exceptions

Seems to me you could create a modified Threat Prevention policy to do this, where traffic coming from your partner's SMTP server doesn't have AV applied…

Re: MTA AV Exceptions

The problem is that the traffic is incoming from the mail relay. The AV MTA doesn't have a way to exclude email addresses (as opposed to the TE MTA). According to TAC I have to use indicators to exclude it from the Threat Prevention policy, but this makes everything more complicated since I cannot only exclude the trusted sender email address.

Re: MTA AV Exceptions

That's why I suggested using the IP address of the SMTP server (assuming they're coming from the same IP).

Re: MTA AV Exceptions

This is not possible because the IP address is that of the mail relay: External SMTP Mail server --> Mail Relay --> Check Point MTA --> Exchange. The MTA sees only the mail relay, so I cannot exclude the mail of the external SMTP server because the source is the mail relay.

Re: MTA AV Exceptions

Hi @Shahar_Grober, I'm experiencing the same situation with a client (AV MTA with a false positive).
Were you able to solve this? I would greatly appreciate your comments.

Re: MTA AV Exceptions

Hi Miguel,

The easiest way is to use IoC indicator exceptions (mark them as inactive):

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...)


The documentation is not the greatest, but you need to build a CSV file in the following format:

# UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT
Indicator_bypass,https://abcd.com,URL,low,low,AV,bypass1
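A small builder and sanity checker for that indicator file, added here as an example and not taken from the thread or from Check Point: it uses only the seven column names and the single URL row shown above, and catches the easy mistake of separating fields with spaces instead of commas (which a CSV parser reads as one field). The allowed value set for CONFIDENCE and SEVERITY (low/medium/high) is an assumption used only for the check.

```python
"""Build and sanity-check a custom-indicator CSV in the column layout
quoted in the thread (example code, not Check Point's own tooling)."""
import csv
import io

COLUMNS = ["UNIQ-NAME", "VALUE", "TYPE", "CONFIDENCE", "SEVERITY", "PRODUCT", "COMMENT"]
LEVELS = {"low", "medium", "high"}  # assumed value set for CONFIDENCE / SEVERITY


def build_indicator_csv(rows):
    """Return the file text: a '#'-prefixed header line followed by one
    comma-separated row per indicator, exactly seven fields each."""
    buf = io.StringIO()
    buf.write("# " + ",".join(COLUMNS) + "\n")
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        if len(row) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} fields, got {len(row)}: {row!r}")
        writer.writerow(row)
    return buf.getvalue()


def check_indicator_csv(text):
    """Return a list of problems found in the file text (empty = looks well-formed).
    Blank lines and the commented header are skipped; every other line must
    have seven comma-separated fields, a unique UNIQ-NAME, a non-empty VALUE
    and known CONFIDENCE/SEVERITY levels."""
    problems = []
    seen_names = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) != len(COLUMNS):
            # the space-separated sample from the thread ends up here: 1 field, not 7
            problems.append(f"line {lineno}: {len(fields)} field(s), expected {len(COLUMNS)}")
            continue
        name, value, _typ, conf, sev, _product, _comment = (f.strip() for f in fields)
        if name in seen_names:
            problems.append(f"line {lineno}: duplicate UNIQ-NAME {name!r}")
        seen_names.add(name)
        if not value:
            problems.append(f"line {lineno}: empty VALUE")
        if conf.lower() not in LEVELS or sev.lower() not in LEVELS:
            problems.append(f"line {lineno}: CONFIDENCE/SEVERITY must be one of {sorted(LEVELS)}")
    return problems
```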