Can it be that Check Point Threat Prevention and Sandblast in MTA doesn't scan "*.msg" attachments inside an email?
I did the following tests:
First Test (Baseline)
I sent a malicious .doc file attached to an email via the MTA
Result: the email is scanned and found malicious by the Gateway AV, which is great!
I took the same malicious .doc file and attached it to a message. Then I took that message, saved it as a .msg file, and attached it to another email, so the attachment in the mail is a .msg and not a .doc file.
Result: when I send the email, it is not scanned by AV or Threat Emulation; the file is completely bypassed by AV/TE and arrives at the recipient mailbox with the infected .msg.
Is it a configuration issue, a bug or a really simple way to evade Check Point Threat Prevention?
(Mime Nesting is configured on the Threat Prevention profile)
Then include that fact in your question, please! .msg files are just not supported as attachment file types for TE. Looks like an RFE is needed. Refer to sk106123 - File types supported by SandBlast Threat Emulation
Can anyone confirm that AV is not supported with MTA on R80.10?
If this is true then the .msg attachments will not be scanned by the MTA+TE.
This is still a basic feature that should be supported by TE.
In general the "old" AV blade (which is streaming network traffic inspection BEFORE the MTA) is supported.
That said with R80.20 or R80.10 and latest MTA take we added AV support INSIDE MTA.
Thanks for the confirmation Thomas,
This is a major improvement in R80.20.
Is there a way to test, or to confirm with R&D, whether .msg attachments are scanned by AV in this configuration?
This is an interesting information, but it doesn't address my question.
I just want to know if simple Word doc or PDF attachments are scanned by AV/TE in MTA mode when nested inside a .msg file. This is not related to scrubbing additional file types.
So I learned from our MTA guys that we are already awesome 🙂
Our MTA parses attached .eml and .msg files, extracts and scans links and attachments.
Here a test I did with a GoldenEye ransomware attached to a .eml attached to an email:
I also tested recursive .eml in .eml with GoldenEye attachment successfully:
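The extraction behaviour described in the reply above (attached .eml and .msg files parsed, their attachments pulled out and scanned) is what the thread is really testing, and the difference between the two container formats explains why an .eml-in-.eml test can pass while a .msg test can fail. The script below is an added example, not Check Point's MTA code: it builds a constructed mail (outer mail -> forwarded.eml -> invoice.doc + original.msg) with the Python standard library, then walks the MIME tree the way a gateway extractor must, descending transparently into message/rfc822 parts and flagging .msg attachments, which are OLE2 compound files that a MIME parser cannot open and that need a dedicated parser. The filenames, addresses and attachment bodies are constructed sample data.

```python
"""Recursively enumerate attachments in a mail, the way a gateway scanner must,
descending into attached .eml (message/rfc822) parts and flagging Outlook .msg
containers, which are OLE2 compound files the MIME parser cannot look inside.
Added example; not Check Point code. All sample data below is constructed."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Outlook .msg is not MIME; it needs a separate OLE parser (not shown here).
OPAQUE_TYPES = {"application/vnd.ms-outlook"}
OPAQUE_EXTS = (".msg",)

# OLE2 magic bytes shared by .doc and .msg; the bodies below are filler, not real files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
DOC_BODY = OLE_MAGIC + b"constructed-doc-body"
MSG_BODY = OLE_MAGIC + b"constructed-msg-body"


def build_sample_email() -> bytes:
    """Constructed test mail: outer mail -> forwarded.eml -> invoice.doc + original.msg."""
    inner = EmailMessage()
    inner["From"] = "inner@example.test"
    inner["To"] = "victim@example.test"
    inner["Subject"] = "invoice"
    inner.set_content("please see attached")
    inner.add_attachment(DOC_BODY, maintype="application", subtype="msword",
                         filename="invoice.doc")
    inner.add_attachment(MSG_BODY, maintype="application", subtype="vnd.ms-outlook",
                         filename="original.msg")

    outer = EmailMessage()
    outer["From"] = "sender@example.test"
    outer["To"] = "victim@example.test"
    outer["Subject"] = "FW: invoice"
    outer.set_content("forwarding this")
    # Attaching a Message object yields a message/rfc822 part, i.e. an attached .eml.
    outer.add_attachment(inner, filename="forwarded.eml")
    return outer.as_bytes()


def walk_attachments(msg: EmailMessage, depth: int = 0, path: str = "") -> list:
    """Return every leaf attachment with its nesting path, depth and whether a
    MIME walker can see inside it (False for .msg containers)."""
    found = []
    for part in msg.iter_attachments():
        ctype = part.get_content_type()
        name = part.get_filename() or f"<{ctype}>"
        here = f"{path}/{name}"
        if ctype == "message/rfc822":
            # Attached .eml: the payload is already a parsed Message; walk it
            # exactly like the outer mail, one nesting level deeper.
            found.extend(walk_attachments(part.get_payload(0), depth + 1, here))
        elif part.is_multipart():
            # Nested multipart wrapper (e.g. multipart/alternative): same depth.
            found.extend(walk_attachments(part, depth, here))
        else:
            opaque = ctype in OPAQUE_TYPES or name.lower().endswith(OPAQUE_EXTS)
            found.append({
                "path": here,
                "content_type": ctype,
                "depth": depth,
                "size": len(part.get_payload(decode=True) or b""),
                "mime_visible": not opaque,
            })
    return found


def scan_coverage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report which attachments a MIME-only
    extractor reaches and which still need a dedicated .msg parser."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    items = walk_attachments(msg)
    return {
        "attachments": items,
        "needs_msg_parser": [i["path"] for i in items if not i["mime_visible"]],
    }


if __name__ == "__main__":
    report = scan_coverage(build_sample_email())
    for item in report["attachments"]:
        print(item)
    print("needs .msg parser:", report["needs_msg_parser"])
```

Run against the constructed mail, the walker lists invoice.doc at depth 1 as visible and original.msg at depth 1 as needing a .msg parser; the .doc nested inside that .msg is never reached by MIME parsing alone, which is the blind spot the tests in this thread probe. The same walk over a real mailbox sample is a quick way to confirm what an upstream gateway could and could not have inspected.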
I'm running TE on a R80.20 gateway (jumbo take 33, MTA take 24).
Content of the EML attachment is extracted and analysed. However, if it is a MSG attachment (with exactly the same content), the attachments are not extracted nor analysed.
In ted.log in debug mode, there is nothing about my .MSG tests.
Am I missing something? Could you please confirm that the MTA extracts content from the .MSG attachment?
If so, I will contact TAC.
How can I see which mta version I have?
According to SK123174 the version should be in $FWDIR/conf/mta_ver but I couldn’t find the file on the gateway
Have you installed one of the updated R80.10 MTA takes?
You should see something similar in R80.10 when accessing the GAiA portal on https://<gwip>:
Afterwards you should get a populated $FWDIR/conf/mta_ver.
I see that I have an update on my GW (T25 for R80.10); it wasn't there before I activated the MTA.
I have a few questions:
1. Why is it not updated automatically as with the TE engine?
2. Why is the MTA not automatically updated when activating the blade?
3. I guess the MTA update causes downtime? Does it require a reboot?
4. Is there a way to see the MTA version from tecli?
Thanks for the helpful information!
Thanks again Thomas for the information,
I will update the MTA and test the AV functionality.
I think that TECLI is a great tool and should have some reference to the MTA (postfix) since they are working dependently.