GGiorgakis
GGiorgakis inside SandBlast Network a week ago
views 55 1

Migrating R77.30 standalone to new management server distributed R80.20

What is the best practice to migrate an R77.30 standalone into a distributed R80.20 environment?
Robert_Mueller
Robert_Mueller inside SandBlast Network a week ago
views 9461 5 11

Block specific file extension

Hi, is there a way to block specific file extensions? In my case iqy and slk files. I know that they are supported in the newest engine, but how can I block them? I can't specify them in the SmartConsole, and I've tried to block them with the "prohibited file types" (tecli command) but it won't work... I want to block all files with those extensions when they arrive via mail... Br, Robert
GGiorgakis
GGiorgakis inside SandBlast Network 2 weeks ago
views 146 6

Threat Emulation - Manual test emulation

I am looking for a procedure to manually emulate a file with Threat Emulation on R77.30, to test a file.
CHINMAYA_NAIK
CHINMAYA_NAIK inside SandBlast Network 2 weeks ago
views 302 6

MTA malicious sites inside the | Mail Body | Mail Subject | Attachment [TE100x]

OS: R80.20 on both Gateway and Management Server, and also on TE.
TE Engine Version: 58.990000298
Hotfix: R80.20 Jumbo Hotfix Take_33
MTA: R80_20_mta Take 27
Blades: Threat Emulation | Threat Extraction | Antivirus | AntiBot | IPS

We configured the Gateway as an MTA. We use both Threat Emulation and Threat Extraction only for SMTP traffic. I did some testing and found the results below.

Scenario 1: When we put a malicious URL in the mail body. Result: the malicious URL was totally removed.
Scenario 2: When we put a malicious URL in the mail subject. Result: the malicious URL was modified but not totally removed.
Scenario 3: When we put a malicious URL in the mail subject and also in the mail body. Result: the malicious URL was modified in the subject but not in the mail body; the malicious URL in the mail body is still shown as is.
Scenario 4: For example, I put a genuine URL in the mail subject, like "www.google.com", and a malicious URL in the mail body. Result: the malicious URL was removed from the mail body and there were no changes to the mail subject.

Query: If I put the same malicious URL in an attachment, then:
Is this malicious URL totally removed from the attachment?
Does this only remove the hyperlink in the attachment?
Is it possible to modify the malicious URL in the attachment?

Also Scenario 5: If I send a malicious URL without "https" or "http", then the URL is not detected. So is the URL reputation only checked if the URL starts with http or https?

@CHINMAYA_NAIK
Shahar_Grober
Shahar_Grober inside SandBlast Network 3 weeks ago
views 965 5 7

SandBlast PoC Guide

Hi, can anyone point me to the latest version of the excellent SandBlast PoC guide? I have version 9.1 but it is a little bit outdated and doesn't include R80.10/20 features and updates. In addition, I would like to do a basic test of TE functionality, "Unknown 300" style. Can anyone recommend how to get unknown malicious samples, or how do I create them? Thanks, Shahar
Nick_Doropoulos
Nick_Doropoulos inside SandBlast Network 3 weeks ago
views 79 1

Threat Emulation question

Question: A dedicated, local Threat Emulation appliance goes down for whatever reason. Until it comes back up, does the gateway use ThreatCloud emulation instead? Thanks in advance.
Vikas_Arya
Vikas_Arya inside SandBlast Network 3 weeks ago
views 93 1

Best practice: SandBlast appliance TE250X integration in the network

Hi, I am going to implement a SandBlast appliance TE250X in my office network. Please suggest how to integrate the appliance into the network and the best practice for policy configuration of the appliance. Regards, Vikas Arya
Leonardo_Ferrei
Leonardo_Ferrei inside SandBlast Network 3 weeks ago
views 1261 4 2

Problem downloading large files when SandBlast Appliance is set as ICAP Server

Hello guys, we set the SandBlast Appliance as ICAP server for a Fortigate gateway. The traffic is redirected as expected and the SandBlast appliance is doing its job, except for large files (I've noticed files bigger than 400MB). The users are unable to download any file bigger than 4000MB when the ICAP server is set. If I stop the ICAP process on the SandBlast appliance they are able to download their files. Did anyone get the same problem?
SANDBLAST APPLIANCE = R80.20 Jumbo Take 47
MAXIMUM FILE SIZE FOR EMULATION = 15000KB (default)
ALL CONFIGURATION SET TO FAIL OPEN
THE USERS GET A BROWSER MESSAGE = An ICAP error was encountered while handling the request.
Best regards, Leonardo Santos
6dd15084-b97a-4
6dd15084-b97a-4 inside SandBlast Network 4 weeks ago
views 96 1

threat emulation step by step

I want to configure a TE device. Can you experts help me to manage it properly?
Peter_Elmer
inside SandBlast Network 2019-06-14
views 508 1 8
Employee+

Infinity preventing known and unknown Gen V attacks using email as attack vector

This whitepaper outlines some key elements for the defense against known and unknown Gen V attacks available in the R80.30 release. This version is focused on email as an attack vector and describes the configuration of the MTA functionality.
Wing_Chow
Wing_Chow inside SandBlast Network 2019-06-08
views 433 1

ICAP Server with VIRUS DETECTED: Scan Error

Hi all, I think that you can help me with this type of error when implementing an ICAP server in R80.20. I need to configure F5 and SandBlast for ICAP HTTP emulation. I've tried with the "sk" and the admin guide for Threat Prevention about ICAP Server, and all that information doesn't work fine 😞
This is the error on the Check Point devices:
VIRUS DETECTED: Scan Error , http client ip: xx.xxx.xxx.xx, http user: -, http url: my.sites.com
ICAP client configuration (F5 BigIP LTM), ICAP Profile:
URI: icap://${SERVER_IP}:${SERVER_PORT}/virus_scan
Headers: X-Client-IP, X-Server-IP, X-Authentication-User
How can I configure a good integration between the ICAP client and the Check Point ICAP server? Thanks!! Regards,
Miguel_Barrios
Miguel_Barrios inside SandBlast Network 2019-05-23
views 1733 3 3

Zero-Day Malicious File get Block but hash put on benign cache in TE

Hello CheckMates! I would like your opinion on the following behavior of Threat Emulation. One of our customers with a local TE250X appliance experienced a serious issue during a malware campaign where the first malicious file that arrived at the appliance (via MTA) was prevented by TE as it should be. However, the following files with the same hash were allowed (thus, received in mailboxes)! I have understood that if a file is detected as malicious it should be put in the malicious cache, so we had a big surprise when we found all these hashes in the benign cache instead of the malicious one. The same happened for more files that arrived that day. As you can see in the photo, all files had one thing in common: Severity High and Confidence N/A. The Optimized profile is in use (engine version at that time was 58.990000492). We tried debugging with the same files later that day, but the confidence level changed to HIGH and the files were put in the malicious cache correctly.
So now we have the following concerns:
Is it expected behavior (put in benign cache) when the file's confidence cannot be determined even if the severity already has a level (high in this case)?
How does Check Point determine the confidence level for security events?
Currently we have a case open with TAC but, despite having already sent a lot of information, they could not explain this behavior yet. Has someone experienced the same? I will appreciate your comments.
chico
chico inside SandBlast Network 2019-05-23
views 1201 4 1

SMTP Emulation

Hello everybody, I'm new to the Check Point devices and I have a question about SandBlast for SMTP. Recently Check Point blocked an attachment to a customer document. It was a Word (.doc) document and, after looking at the logs, I can see that the document was blocked by the protection named "Exploited doc document". If I look at the forensic details I can see that the vulnerable operating systems were (as shown in the attached file): Win7, WinXP. So if I use a Windows 10 operating system, can I download the document safely? Regards,
Fedor_Agafonov1
Fedor_Agafonov1 inside SandBlast Network 2019-05-23
views 1984 7

Threat Emulation Terminating VM due to error: failed to start tap interface

Hi, after updating the image on a SandBlast appliance T250 (Gaia R80.20), the VM does not start. Error: Terminating VM due to error: failed to start tap interface. Emulator log:
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} Adding emulation request on Image: '10b4a9c6-e414-425c-ae8b-fe4dd7b25244', Run: 1, Priority: normal (0 requests in queue, 0 running emulation VMs)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} Adding emulation request on Image: '3ff3ddae-e7fd-4969-818c-d5f1a2be336d', Run: 1, Priority: normal (1 requests in queue, 0 running emulation VMs)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} Adding emulation request on Image: '5e5de275-a103-4f67-b55b-47532918fa59', Run: 1, Priority: normal (2 requests in queue, 0 running emulation VMs)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} Adding emulation request on Image: '5e5de275-a103-4f67-b55b-47532918fa59HPS', Run: 1, Priority: normal (3 requests in queue, 0 running emulation VMs)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 12 KeyPoint: creation. is_hps=0
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::VMloader::CreateTapInterface: failed to set IP address '169.254.0.1' to interface 'vm-if0, netmask: 255.255.255.252)
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::VmResources::ConsumedRes::StartTap: failed to create tap vm-if0 169.254.0.1/255.255.255.252
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 12 KeyPoint: Terminating VM due to error: failed to start tap interface
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::EmulatingVM::TerminateWithError: VM 12 (Creation In Process): Terminating VM due to error: failed to start tap interface
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 12 KeyPoint: Terminating (error occured? 1, detected events: 0 malicious, 0 benign)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 12 KeyPoint: destroying. max number of files: 0. life time: 0
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::VMrepository::CreateNewVM: VM 12 failed to start
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} verdict 'Error' set for image: '3ff3ddae-e7fd-4969-818c-d5f1a2be336d' (Win7 64b,Office 2010,Adobe 11) by: 1, reason: Failed to create VM for Win7 64b,Office 2010,Adobe 11
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} investigator 'emulator' reporting back (status: still working)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 13 KeyPoint: creation. is_hps=0
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::VMloader::CreateTapInterface: failed to set IP address '169.254.0.1' to interface 'vm-if0, netmask: 255.255.255.252)
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::VmResources::ConsumedRes::StartTap: failed to create tap vm-if0 169.254.0.1/255.255.255.252
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 13 KeyPoint: Terminating VM due to error: failed to start tap interface
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::EmulatingVM::TerminateWithError: VM 13 (Creation In Process): Terminating VM due to error: failed to start tap interface
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 13 KeyPoint: Terminating (error occured? 1, detected events: 0 malicious, 0 benign)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 13 KeyPoint: destroying. max number of files: 0. life time: 0
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::VMrepository::CreateNewVM: VM 13 failed to start
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} verdict 'Error' set for image: '5e5de275-a103-4f67-b55b-47532918fa59' (Win7,Office 2013,Adobe 11) by: 1, reason: Failed to create VM for Win7,Office 2013,Adobe 11
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} verdict 'Error' set for image: '5e5de275-a103-4f67-b55b-47532918fa59HPS' () by: 40, reason:
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} investigator 'emulator' reporting back (status: still working)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 14 KeyPoint: creation. is_hps=1
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::VMloader::CreateTapInterface: failed to set IP address '169.254.0.1' to interface 'vm-if0, netmask: 255.255.255.252)
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::VmResources::ConsumedRes::StartTap: failed to create tap vm-if0 169.254.0.1/255.255.255.252
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 14 KeyPoint: Terminating VM due to error: failed to start tap interface
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::EmulatingVM::TerminateWithError: VM 14 (Creation In Process): Terminating VM due to error: failed to start tap interface
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 14 KeyPoint: Terminating (error occured? 1, detected events: 0 malicious, 0 benign)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 14 KeyPoint: destroying. max number of files: 0. life time: 0
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::VMrepository::CreateNewVM: VM 14 failed to start
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} verdict 'Error' set for image: '5e5de275-a103-4f67-b55b-47532918fa59HPS' () by: 1, reason: Failed to create VM for
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} verdict 'Error' set for image: '5e5de275-a103-4f67-b55b-47532918fa59' (Win7,Office 2013,Adobe 11) by: 40, reason:
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} investigator 'emulator' reporting back (status: still working)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 15 KeyPoint: creation. is_hps=0
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::VMloader::CreateTapInterface: failed to set IP address '169.254.0.1' to interface 'vm-if0, netmask: 255.255.255.252)
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::VmResources::ConsumedRes::StartTap: failed to create tap vm-if0 169.254.0.1/255.255.255.252
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 15 KeyPoint: Terminating VM due to error: failed to start tap interface
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::EmulatingVM::TerminateWithError: VM 15 (Creation In Process): Terminating VM due to error: failed to start tap interface
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 15 KeyPoint: Terminating (error occured? 1, detected events: 0 malicious, 0 benign)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 15 KeyPoint: destroying. max number of files: 0. life time: 0
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::VMrepository::CreateNewVM: VM 15 failed to start
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} verdict 'Error' set for image: '10b4a9c6-e414-425c-ae8b-fe4dd7b25244' (Win10 64b,Office 2016,Adobe DC) by: 1, reason: Failed to create VM for Win10 64b,Office 2016,Adobe DC
Thanks.
Peter_Elmer
inside SandBlast Network 2019-05-22
views 1735 1 2
Employee+

Improved User Experience For Zero-Day Attack Prevention in R80.30

In R80.30 the user experience when downloading a file in a browser window while the gateway performs Zero-Day attack prevention has improved. You now see a status bar showing the download progress. This video shows the R80.30 gateway configuration and the user experience. Learn how to configure the gateway working in hold mode, providing prevention for known and unknown attacks.