This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
MikeB
Advisor
‎2019-04-25 03:33 PM

Zero-Day Malicious File get Block but hash put on benign cache in TE

Hello CheckMates!

I would like your opinion with the following behavior of Threat Emulation:

One of our customer with local TE250X Appliance experienced a serious issue on a malware campaing where the first malicious file who arrived to the appliance (via MTA) was prevented by TE as it should. However, the following files with same hash were allowed (thus, received on mailboxes)!!!!

I have understood if a file is detected as malicious should be put on malicious cache, so we had a big surprise when we found all this hash on benign cache instead of malicious. The same happened for more files who arrived that day:
image_2019_04_25T22_14_06_329Z.png

As you can see on photo, all files had one thing in common: Severity High and Confidence N/A. Optimized Profile is in use (Engine version at that time was 58.990000492)

We tried debug with same files later on that day, but confidence level changed to HIGH and the files were putted on malicious cache correctly.

So now we have the following concerns:

  1. Is expected behavior (put on benign cache) when the file's confidence can not be determined even if the severity already has a level (high in this case)???
  2. How Check Point determine the confidence level for security events?

Currently we have a case opened with TAC but despite we already sent a lot of information, they could not explain this behavior yet.

 

Has someone experienced the same? I will appreciate your comments

3 Replies
PhoneBoy
Admin
Admin
‎2019-04-25 05:10 PM

Perhaps it's a bug in the TE engine that we need to investigate.
Can you tell me in a PM what the TAC SR is for this case?
MikeB
Advisor
‎2019-04-28 06:25 PM
In response to PhoneBoy

TAC SR shared in a PM, thank you for your answer and Help!
0 Kudos
MikeB
Advisor
‎2019-05-23 01:44 PM

Today we experience the same issue with identical behavor:

  • The zero-day file (arrived via email - MTA) is prevented but there is NO emulation report.
  • File has HIGH severity but confidence level N/A
  • The file hash is placed in the benign cache without any apparent explanation

benign_cache-230519.jpg

Has anyone experienced something similar??? definitely this is not an expected behavior.

On the other hand, someone has an idea of how Check Point determines a Confidence level N/A???

 

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events