Demonstration of Threat Prevention API on a local SandBlast / Threat Emulation Appliance

To be updated soon. This post will have a video and other documentation, but they should have the URL in them, so I am creating the post first.
Baasanjargal_Ts
Baasanjargal_Ts inside SandBlast Network Monday
views 32 1

User is using a lot of CPU issue

Hello, the CP5400 appliance's CPU usage is about 100 percent. By the picture, user is using CPU more than 90 %. I don't understand why user is spending too much CPU.
Nick_Doropoulos
Nick_Doropoulos inside SandBlast Network 2 weeks ago
views 470 1

Threat emulation cache same thing as database?

Just one question: Is the threat emulation cache and the database that the TE-enabled GW compares an incoming file's hash against one and the same thing? Many thanks in advance.
samtech4u
samtech4u inside SandBlast Network 2 weeks ago
views 336 1

Threat Prevent Malware Hash Value

Hi, may I know how to get the threat hash value from Check Point R77.30 which is detected by Threat Prevention? Logs only show the .eml file packet capture file.
Dan_Roddy
Dan_Roddy inside SandBlast Network 2 weeks ago
views 347 3

Threat Extraction results benign and file is empty.

We have a problem with downloading files (pdf, xls and csv) that have been evaluated for threats by TE cloud, results are benign and the files saved are empty - zero bytes. Trying to get my case worked on by TAC but they say no one is available. What has consumed all support?
Peter_Baumann
Peter_Baumann inside SandBlast Network 3 weeks ago
views 923 2

MTA NDR with "-oi" as sender

Hi all,
At a customer we have set up the following configuration according to this:
ATRG: Mail Transfer Agent (MTA)
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk109699
Since we check the logs for error messages we sometimes see the following when the MTA is sending "None delivery messages" (NDR):

Jul 22 13:47:04 2019 fwvsx01 postfix/pickup[30252]: 45sfwS1bk8z5x1D: uid=0 from=
Jul 22 13:47:04 2019 fwvsx01 postfix/cleanup[13678]: 45sfwS1bk8z5x1D: message-id=<45sfwS1bk8z5x1D@fwvsx01.domain.com>
Jul 22 13:47:04 2019 fwvsx01 postfix/qmgr[8456]: 45sfwS1bk8z5x1D: from=, size=283, nrcpt=2 (queue active)
Jul 22 13:47:04 2019 fwvsx01 postfix/error[4397]: 45sfwS1bk8z5x1D: to=<-oi@fwvsx01.domain.com>, orig_to=<-oi>, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=5.1.3, status=bounced (bad address syntax)
Jul 22 13:47:04 2019 fwvsx01 postfix/smtp[13664]: 45sfwS1bk8z5x1D: to=, relay=1.3.2.3[1.3.2.3]:25, delay=0.02, delays=0.01/0/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 389501CC2D)
Jul 22 13:47:04 2019 fwvsx01 postfix/bounce[4398]: 45sfwS1bk8z5x1D: sender non-delivery notification: 45sfwS1kG7z5x1F
Jul 22 13:47:04 2019 fwvsx01 postfix/qmgr[8456]: 45sfwS1bk8z5x1D: removed

The relevant part of the log above is the following:

Jul 22 13:47:04 2019 fwvsx01 postfix/error[4397]: 45sfwS1bk8z5x1D: to=<-oi@fwvsx01.domain.com>, orig_to=<-oi>, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=5.1.3, status=bounced (bad address syntax)

I figured out that the parameter "-oi" is used in the postfix sendmail binary:
http://www.postfix.org/sendmail.1.html
-oi: When reading a message from standard input, don't treat a line with only a . character as the end of input.
So it seems to me that some script is running wrong. Has someone of you also seen this? Is there any fix for this problem?
Thanks,
Peter
GGiorgakis
GGiorgakis inside SandBlast Network 3 weeks ago
views 579 1

Threat Emulation blocks an email as malicious but we need to release it (false positive)?

Is there any way to release an email which was blocked by TE?
Alessandro_Marr
Alessandro_Marr inside SandBlast Network 4 weeks ago
views 2202 7 2

ICAP client on R80.20 and 3rd DLP Server Symantec

Hello all, could anyone share a configuration example about using R80.20 as an ICAP client for a Symantec Web Prevent DLP Server? When I try, the gateway doesn't understand a block message that came from the DLP server. Thanks. Regards.
Leonardo_Ferrei
Leonardo_Ferrei inside SandBlast Network a month ago
views 1552 7 2

Problem to download large files when Sandblast Appliance is set as ICAP Server

Hello Guys,
We set the Sandblast Appliance as ICAP Server for a Fortigate gateway. The traffic is redirected as expected and the sandblast appliance is doing its job, except for large files (I've noticed files bigger than 400MB). The users are unable to download any file bigger than 4000MB when the ICAP server is set. If I stop the icap process on the sandblast appliance they are able to download their files. Did anyone get the same problem?
SANDBLAST APPLIANCE = R80.20 Jumbo Take 47
MAXIMUM FILE SIZE FOR EMULATION = 15000KB (default)
ALL CONFIGURATION SET TO FAIL OPEN
THE USERS GET A BROWSER MESSAGE = An ICAP error was encountered while handling the request.
Best regards,
Leonardo Santos
GGiorgakis
GGiorgakis inside SandBlast Network 2019-07-11
views 212 1

Migrating R77.30 standalone to new management server distributed R80.20

What is the best practice to migrate an R77.30 standalone into a distributed R80.20 environment?
Robert_Mueller
Robert_Mueller inside SandBlast Network 2019-07-09
views 9798 5 12

Block specific File extension

Hi, is there a way to block specific file extensions? In my case iqy and slk files. I know that they are supported in the newest Engine but how can I block them? I can't specify them in the SmartConsole and I've tried to block them with the "prohibited file types" (tecli command) but it won't work... I want to block all files with those extensions when they arrive via Mail...
Br, Robert
GGiorgakis
GGiorgakis inside SandBlast Network 2019-07-05
views 1476 6

Threat Emulation - Manual Test emulation

I am looking for a procedure to manually emulate a file on Threat Emulation R77.30 to test a file.
Chinmaya_Naik
Chinmaya_Naik inside SandBlast Network 2019-07-03
views 502 6

MTA malicious sites inside the | Mail Body | Mail Subject | Attachment [TE100x]

OS: R80.20 both Gateway and Management Server and also TE.
TE Engine Version: 58.990000298
HotFix: R80.20 Jumbo Hotfix Take_33
MTA: R80_20_mta Take 27
BLADE: Threat Emulation | Threat Extraction | Antivirus | AntiBot | IPS
We configure the Gateway as an MTA. We are using both Threat Emulation and Threat Extraction only for SMTP traffic. I did some testing and found the results below.
Scenario 1: When we put a malicious URL in the mail body.
Results: Malicious URL was totally removed.
Scenario 2: When we put a malicious URL in the Mail Subject.
Results: Malicious URL was modified but not totally removed.
Scenario 3: When we put a malicious URL in the Mail Subject and also in the Mail Body.
Results: Malicious URL was modified in the Subject but not in the mail body; the malicious URL in the mail body is still showing as is.
Scenario 4: For example I put a genuine URL in the Mail Subject like "www.google.com" and put a malicious URL in the Mail Body.
Results: Malicious URL was removed from the Mail Body and no changes to the Mail Subject.
QUERY: If I put the same malicious URL in an attachment then:
Is this malicious URL totally able to be removed in the attachment?
Does this only remove the hyperlink in the attachment?
Is it possible to modify the malicious URL in the attachment?
Also Scenario 5: If I send a malicious URL without "https or http" then the URL is not able to be detected. So is URL reputation only checked if the URL starts with http or https?
@Chinmaya_Naik
Shahar_Grober
Shahar_Grober inside SandBlast Network 2019-06-28
views 1348 5 8

SandBlast PoC Guide

Hi, can anyone point to where the latest version of the excellent SandBlast PoC guide is? I have Version 9.1 but it is a little bit outdated and doesn't include R80.10/20 features and updates. In addition, I would like to do a basic test of TE functionality "Unknown 300" style. Can anyone recommend how to get the unknown malicious samples or how I create them? Thanks, Shahar
Nick_Doropoulos
Nick_Doropoulos inside SandBlast Network 2019-06-27
views 673 1

Threat Emulation question

Question: A dedicated, local Threat Emulation appliance goes down for whatever reason. Until it comes back up, does the gateway use ThreatCloud emulation instead? Thanks in advance.