Zero-Day Malicious File get Block but hash put on benign cache in TE

Hello CheckMates!

I would like your opinion with the following behavior of Threat Emulation:

One of our customers, with a local TE250X appliance, experienced a serious issue during a malware campaign where the first malicious file that arrived at the appliance (via MTA) was prevented by TE, as it should be. However, the following files with the same hash were allowed (and thus were received in mailboxes)!

I have understood that if a file is detected as malicious it should be put in the malicious cache, so we had a big surprise when we found all of these hashes in the benign cache instead of the malicious one. The same happened for more files that arrived that day:
[screenshot: image_2019_04_25T22_14_06_329Z.png]

As you can see in the screenshot, all files had one thing in common: Severity High and Confidence N/A. The Optimized profile is in use (the engine version at that time was 58.990000492).

We tried debugging with the same files later that day, but the confidence level changed to HIGH and the files were put in the malicious cache correctly.

So now we have the following concerns:

  1. Is it expected behavior (putting the hash in the benign cache) when the file's confidence cannot be determined, even if the severity already has a level (High in this case)?
  2. How does Check Point determine the confidence level for security events?

Currently we have a case open with TAC, but although we have already sent a lot of information, they have not been able to explain this behavior yet.

Has someone experienced the same? I would appreciate your comments.

3 Replies
Admin

Re: Zero-Day Malicious File get Block but hash put on benign cache in TE

Perhaps it's a bug in the TE engine that we need to investigate.
Can you tell me in a PM what the TAC SR is for this case?

Re: Zero-Day Malicious File get Block but hash put on benign cache in TE

TAC SR shared in a PM, thank you for your answer and Help!

Re: Zero-Day Malicious File get Block but hash put on benign cache in TE

Today we experienced the same issue with identical behavior:

  • The zero-day file (which arrived via email, through the MTA) is prevented, but there is NO emulation report.
  • The file has HIGH severity but confidence level N/A.
  • The file hash is placed in the benign cache without any apparent explanation.

[screenshot: benign_cache-230519.jpg]

Has anyone experienced something similar? This is definitely not expected behavior.

On the other hand, does someone have an idea of how Check Point determines a confidence level of N/A?
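
The cache behaviour described in the original post and again in the last reply (first copy prevented, hash written to the benign cache, every later copy with the same hash allowed) can be modelled to show why a cache decision that keys on confidence alone fails when confidence is N/A. The following is an added example, not Check Point code and not a description of how Threat Emulation is implemented internally; the attachment contents, the `fake_emulate` results and both cache policies (`naive_policy`, `safe_policy`) are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Verdict(Enum):
    BENIGN = "benign"
    MALICIOUS = "malicious"


@dataclass(frozen=True)
class EmulationResult:
    """Verdict fields as they appear in the TE log. Severity and confidence
    can each be undetermined (None here, shown as N/A in the log)."""
    severity: Optional[str]    # "High", "Medium", "Low" or None
    confidence: Optional[str]  # "High", "Medium", "Low" or None
    prevented: bool            # action the gateway took on this copy


# A cache policy maps an emulation result to the verdict to cache,
# or None to cache nothing so the next copy is emulated again.
CachePolicy = Callable[[EmulationResult], Optional[Verdict]]


def naive_policy(r: EmulationResult) -> Optional[Verdict]:
    """Hypothetical policy keyed on confidence alone: anything that is not
    confidently malicious lands in the benign cache, including a file that
    was just prevented with severity High and confidence N/A."""
    if r.confidence in ("High", "Medium"):
        return Verdict.MALICIOUS
    return Verdict.BENIGN


def safe_policy(r: EmulationResult) -> Optional[Verdict]:
    """Hypothetical hardened policy: never cache a verdict whose confidence
    is undetermined; otherwise cache the action actually taken on the file."""
    if r.confidence is None:
        return None
    return Verdict.MALICIOUS if r.prevented else Verdict.BENIGN


def process_attachments(
    attachments: List[Tuple[str, bytes]],
    emulate: Callable[[bytes], EmulationResult],
    policy: CachePolicy,
) -> List[Tuple[str, str, str]]:
    """Pass each attachment through a hash-keyed verdict cache in front of
    emulation, the way the thread describes MTA-delivered copies of one file.
    Returns (filename, action, source) with source 'cache' or 'emulation'."""
    cache: Dict[str, Verdict] = {}
    log: List[Tuple[str, str, str]] = []
    for name, data in attachments:
        digest = hashlib.sha256(data).hexdigest()
        hit = cache.get(digest)
        if hit is not None:
            log.append((name, "prevent" if hit is Verdict.MALICIOUS else "allow", "cache"))
            continue
        result = emulate(data)
        log.append((name, "prevent" if result.prevented else "allow", "emulation"))
        verdict = policy(result)
        if verdict is not None:
            cache[digest] = verdict
    return log


# Constructed stand-in for the emulation engine: a marker string plays the
# role of the zero-day payload and yields the verdict seen in the thread.
MARKER = b"ZERO-DAY-SAMPLE"


def fake_emulate(data: bytes) -> EmulationResult:
    if MARKER in data:
        return EmulationResult(severity="High", confidence=None, prevented=True)
    return EmulationResult(severity=None, confidence="High", prevented=False)


# Constructed campaign: three copies of the same attachment, then a clean file.
CAMPAIGN: List[Tuple[str, bytes]] = [
    ("invoice_1.doc", b"\xd0\xcf\x11\xe0" + MARKER),
    ("invoice_2.doc", b"\xd0\xcf\x11\xe0" + MARKER),
    ("invoice_3.doc", b"\xd0\xcf\x11\xe0" + MARKER),
    ("newsletter.pdf", b"%PDF-1.4 clean"),
]


def run(policy: CachePolicy) -> List[str]:
    """Actions taken on CAMPAIGN under the given cache policy."""
    return [action for _, action, _ in process_attachments(CAMPAIGN, fake_emulate, policy)]


if __name__ == "__main__":
    for label, policy in (("naive", naive_policy), ("safe", safe_policy)):
        print(f"{label:5s} {run(policy)}")
```

The naive policy reproduces the symptom in the thread: the first copy is prevented by emulation, but its verdict is recorded as benign and every later copy with the same hash is allowed straight from the cache. The safe policy refuses to cache a verdict whose confidence is N/A, so each copy is emulated again until a determined verdict exists; the cost is repeated emulation for that hash, which is the trade-off a practitioner would want confirmed for the real engine before assuming the benign-cache entry is intentional.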