Customer was able to send the attached file through SandBlast with AV/TE/TEX enabled ...
If the file is renamed to .7z, it turns out to be a password-protected archive (passwd: TestCase02) with a vbs script ...
What have we done wrong?
Note: I have removed the attachment to the original post.
vbs files are only emulated when received via email (i.e. when SandBlast is configured as an MTA).
When they are received via HTTP/HTTPS, they are not emulated.
This is documented here: File types supported by SandBlast Threat Emulation
If the original file was an archive (I can't see it from your post only), it is currently not supported with TX, hence your "Encrypted content block" TX feature does not apply. Archive support for TX is on the roadmap.
That said, if received via email it should have been emulated and caught by TE, as Daemon already mentioned.
If this was not the case please open a support ticket with your information.
Can you clarify the "rename to .7z" remark in your question? Were you using another extension on the file, and was that sufficient to bypass TE/TEX?
Please think of us as people who know nothing about your setup (which is true) and describe the steps to reproduce this exactly.