Peter_Elmer
inside SandBlast Network Friday
views 413 1 7
Employee

Infinity preventing known and unknown Gen V attacks using email as attack vector

This whitepaper outlines some key elements for the defense against known and unknown GenV attacks available in the release R80.30. This version is focused on email as an attack vector and describes the configuration of the MTA functionality.
Shahar_Grober
Shahar_Grober inside SandBlast Network a week ago
views 781 4 7

SandBlast PoC Guide

Hi, can anyone point me to where the latest version of the excellent SandBlast PoC guide is? I have Version 9.1 but it is a little bit outdated and doesn't include R80.10/20 features and updates. In addition, I would like to do a basic test of TE functionality "Unknown 300" style. Can anyone recommend how to get the unknown malicious samples or how I can create them? Thanks, Shahar
Wing_Chow
Wing_Chow inside SandBlast Network 2 weeks ago
views 385 1

ICAP Server with VIRUS DETECTED: Scan Error

Hi all, I think that you can help me with this type of error when I implement an ICAP Server in R80.20. I need to configure it with F5 and SandBlast for ICAP HTTP Emulation. I've tried with the "sk" and the admin guide for Threat Prevention about ICAP Server and all that information doesn't work fine 😞 This is the error on the Check Point devices: VIRUS DETECTED: Scan Error , http client ip: xx.xxx.xxx.xx, http user: -, http url: my.sites.com
ICAP Client Configuration F5 BigIP LTM
ICAP Profile:
URI: icap://${SERVER_IP}:${SERVER_PORT}/virus_scan
Headers: X-Client-IP, X-Server-IP, X-Authentication-User
How can I configure a good integration between the ICAP Client and the Check Point ICAP Server? Thanks!! Regards,
Miguel_Barrios
Miguel_Barrios inside SandBlast Network 4 weeks ago
views 1655 3 2

Zero-Day Malicious File gets Blocked but hash put on benign cache in TE

Hello CheckMates!
I would like your opinion on the following behavior of Threat Emulation:
One of our customers with a local TE250X Appliance experienced a serious issue in a malware campaign where the first malicious file that arrived at the appliance (via MTA) was prevented by TE as it should. However, the following files with the same hash were allowed (thus, received in mailboxes)!!!!
I have understood that if a file is detected as malicious it should be put in the malicious cache, so we had a big surprise when we found all these hashes in the benign cache instead of the malicious one. The same happened for more files that arrived that day:
As you can see in the photo, all files had one thing in common: Severity High and Confidence N/A. Optimized Profile is in use (Engine version at that time was 58.990000492).
We tried debugging with the same files later that day, but the confidence level changed to HIGH and the files were put in the malicious cache correctly.
So now we have the following concerns:
Is it expected behavior (put in benign cache) when the file's confidence cannot be determined even if the severity already has a level (high in this case)???
How does Check Point determine the confidence level for security events?
Currently we have a case opened with TAC, but despite having already sent a lot of information, they could not explain this behavior yet. Has someone experienced the same? I will appreciate your comments
chico
chico inside SandBlast Network a month ago
views 1102 4

SMTP Emulation

Hello everybody,
I'm new to Check Point devices and I have a question about SandBlast for SMTP.
Recently Check Point blocked an attachment to a customer document. It was a Word (.doc) document and after looking at the logs I can see that the document was blocked with protection name "Exploited doc document".
If I look at the forensic details I can see that the vulnerable operating systems were (as shown in the attached file):
-Win7
-WinXP
So if I use a Windows 10 operating system, can I download the document serenely?
Regards,
Fedor_Agafonov1
Fedor_Agafonov1 inside SandBlast Network a month ago
views 1854 7

Threat Emulation Terminating VM due to error: failed to start tap interface

Hi,
After updating the image on the SandBlast appliance T250 (Gaia R80.20), the VM does not start. Error: Terminating VM due to error: failed to start tap interface
Emulator log:
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} Adding emulation request on Image: '10b4a9c6-e414-425c-ae8b-fe4dd7b25244', Run: 1, Priority: normal (0 requests in queue, 0 running emulation VMs)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} Adding emulation request on Image: '3ff3ddae-e7fd-4969-818c-d5f1a2be336d', Run: 1, Priority: normal (1 requests in queue, 0 running emulation VMs)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} Adding emulation request on Image: '5e5de275-a103-4f67-b55b-47532918fa59', Run: 1, Priority: normal (2 requests in queue, 0 running emulation VMs)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} Adding emulation request on Image: '5e5de275-a103-4f67-b55b-47532918fa59HPS', Run: 1, Priority: normal (3 requests in queue, 0 running emulation VMs)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 12 KeyPoint: creation. is_hps=0
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::VMloader::CreateTapInterface: failed to set IP address '169.254.0.1' to interface 'vm-if0, netmask: 255.255.255.252)
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::VmResources::ConsumedRes::StartTap: failed to create tap vm-if0 169.254.0.1/255.255.255.252
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 12 KeyPoint: Terminating VM due to error: failed to start tap interface
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::EmulatingVM::TerminateWithError: VM 12 (Creation In Process): Terminating VM due to error: failed to start tap interface
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 12 KeyPoint: Terminating (error occured? 1, detected events: 0 malicious, 0 benign)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 12 KeyPoint: destroying. max number of files: 0. life time: 0
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::VMrepository::CreateNewVM: VM 12 failed to start
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} verdict 'Error' set for image: '3ff3ddae-e7fd-4969-818c-d5f1a2be336d' (Win7 64b,Office 2010,Adobe 11) by: 1, reason: Failed to create VM for Win7 64b,Office 2010,Adobe 11
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} investigator 'emulator' reporting back (status: still working)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 13 KeyPoint: creation. is_hps=0
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::VMloader::CreateTapInterface: failed to set IP address '169.254.0.1' to interface 'vm-if0, netmask: 255.255.255.252)
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::VmResources::ConsumedRes::StartTap: failed to create tap vm-if0 169.254.0.1/255.255.255.252
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 13 KeyPoint: Terminating VM due to error: failed to start tap interface
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::EmulatingVM::TerminateWithError: VM 13 (Creation In Process): Terminating VM due to error: failed to start tap interface
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 13 KeyPoint: Terminating (error occured? 1, detected events: 0 malicious, 0 benign)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 13 KeyPoint: destroying. max number of files: 0. life time: 0
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::VMrepository::CreateNewVM: VM 13 failed to start
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} verdict 'Error' set for image: '5e5de275-a103-4f67-b55b-47532918fa59' (Win7,Office 2013,Adobe 11) by: 1, reason: Failed to create VM for Win7,Office 2013,Adobe 11
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} verdict 'Error' set for image: '5e5de275-a103-4f67-b55b-47532918fa59HPS' () by: 40, reason:
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} investigator 'emulator' reporting back (status: still working)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 14 KeyPoint: creation. is_hps=1
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::VMloader::CreateTapInterface: failed to set IP address '169.254.0.1' to interface 'vm-if0, netmask: 255.255.255.252)
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::VmResources::ConsumedRes::StartTap: failed to create tap vm-if0 169.254.0.1/255.255.255.252
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 14 KeyPoint: Terminating VM due to error: failed to start tap interface
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::EmulatingVM::TerminateWithError: VM 14 (Creation In Process): Terminating VM due to error: failed to start tap interface
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 14 KeyPoint: Terminating (error occured? 1, detected events: 0 malicious, 0 benign)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 14 KeyPoint: destroying. max number of files: 0. life time: 0
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::VMrepository::CreateNewVM: VM 14 failed to start
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} verdict 'Error' set for image: '5e5de275-a103-4f67-b55b-47532918fa59HPS' () by: 1, reason: Failed to create VM for
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} verdict 'Error' set for image: '5e5de275-a103-4f67-b55b-47532918fa59' (Win7,Office 2013,Adobe 11) by: 40, reason:
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} investigator 'emulator' reporting back (status: still working)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 15 KeyPoint: creation. is_hps=0
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::VMloader::CreateTapInterface: failed to set IP address '169.254.0.1' to interface 'vm-if0, netmask: 255.255.255.252)
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::VmResources::ConsumedRes::StartTap: failed to create tap vm-if0 169.254.0.1/255.255.255.252
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 15 KeyPoint: Terminating VM due to error: failed to start tap interface
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::EmulatingVM::TerminateWithError: VM 15 (Creation In Process): Terminating VM due to error: failed to start tap interface
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 15 KeyPoint: Terminating (error occured? 1, detected events: 0 malicious, 0 benign)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 15 KeyPoint: destroying. max number of files: 0. life time: 0
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::VMrepository::CreateNewVM: VM 15 failed to start
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} verdict 'Error' set for image: '10b4a9c6-e414-425c-ae8b-fe4dd7b25244' (Win10 64b,Office 2016,Adobe DC) by: 1, reason: Failed to create VM for Win10 64b,Office 2016,Adobe DC
Thanks.
Peter_Elmer
inside SandBlast Network a month ago
views 1243 1 2
Employee

Improved User Experience For Zero-Day Attack Prevention in R80.30

In R80.30 the user experience when downloading a file in a browser window while the gateway performs Zero-Day attack prevention has improved. You now see a status bar showing the download progress. This video shows the R80.30 gateway configuration and the user experience. Learn how to configure the gateway working in hold mode, providing prevention for known and unknown attacks.
Baasanjargal_Ts
Baasanjargal_Ts inside SandBlast Network a month ago
views 821 1

I cannot enable Threat emulation blade on TE appliance

Policy installation error. The TE appliance is installed as a gateway. I cannot enable the Threat Emulation blade on the TE appliance. I added the TE to the Management server.
G_W_Albrecht
G_W_Albrecht inside SandBlast Network 2019-05-17
views 1134 1

Blink Image (Gaia Fast Deployment) for R80.20 GA not supported on Sandblast appliances

I was planning to do a re-install of my TE100X appliance. But in the Blink Image (Gaia Fast Deployment) for R80.20 GA Download Details, Sandblast Appliances are not listed under Model. The Upgrade/Download Wizard only lists R77.30 for the TE100X and other Sandblast Threat Emulation appliances (TE250X, TE1000X, TE2000X) - but HW Type Threat Emulation appliances has TE250, TE1000 and TE2000 models that support R80.10, R80.20 and R80.30! Now Check Point has confirmed that Blink is not supported on Sandblast appliances. The Upgrade/Download Wizard will be updated for R80.10 and R80.20 (?). Strange! I had used the R80.10 GA version for install...
GabsOliv
GabsOliv inside SandBlast Network 2019-05-13
views 887 2

Any idea for Palo Alto Sample Malware File not detected on threat emulation

Hi all,
I was testing threat emulation on an SMB appliance, using competition files.
"No threats found in file downloaded by 10.10.6.100 from http://wildfire.paloaltonetworks.com/publicapi/test/pe"
Any idea? How can we explain to the client that a file is malware on the blue vendor, and here is considered benign?
Have a nice day
Leonardo_Ferrei
Leonardo_Ferrei inside SandBlast Network 2019-05-10
views 1148 3 1

Problem to download large files when Sandblast Appliance is set as ICAP Server

Hello Guys,
We set the Sandblast Appliance as ICAP Server for a Fortigate gateway. The traffic is redirected as expected and the Sandblast appliance is doing its job, except for large files (I've noticed files bigger than 400MB). The users are unable to download any file bigger than 4000MB when the ICAP server is set. If I stop the icap process on the Sandblast appliance they are able to download their files.
Did anyone get the same problem?
SANDBLAST APPLIANCE = R80.20 Jumbo Take 47
MAXIMUM FILE SIZE FOR EMULATION = 15000KB (default)
ALL CONFIGURATION SET TO FAIL OPEN
THE USERS GET A BROWSER MESSAGE = An ICAP error was encountered while handling the request.
Best regards,
Leonardo Santos
CHINMAYA_NAIK
CHINMAYA_NAIK inside SandBlast Network 2019-05-09
views 1186 9 1

Block Malicious Unknown File type attachment (MTA) (TE) (R80.20)

Setup
MGMT Server: Open Server
Security Gateway: 15600
TE Appliance
MTA: Enabled
Requirement: Our requirement is that Threat Emulation or Antivirus should drop the mail if any other or unknown extension is attached in the mail. (Currently Check Point TE and AV blades support more than 90 file types [AV] and 65 file types [TE])
Scenario 1: In our case we change the extension of a malicious file to any known extension as listed above and send a mail, and here AV is able to block the mail.
Scenario 2: Suppose I change the extension of that malicious file to any other or unknown extension, then here AV is not able to block that mail.
Example: File Name: samples.tar (malicious file)
INTERNET ----> MAIL (samples.tar mail attachment) -----> BLOCK by TE
INTERNET ----> MAIL (samples.tar.pdf mail attachment) -----> BLOCK by TE (just changing the extension)
INTERNET ----> MAIL (samples.tar.mht mail attachment) -----> Allowed and not able to find any log (just changing the extension)
INTERNET ----> MAIL (samples.tar.der mail attachment) -----> Allowed and not able to find any log
NOTE: We updated the TE engine to version 58.990000298 (sk92509). Installed latest jumbo Take_33 with MTA take_24.
As per sk121097 (last updated on 25-Oct-2017): "Threat Emulation is not scanning files if their extension was changed to unsupported file type" is an expected behavior.
# Chinmaya Naik
Thomas_Werner
inside SandBlast Network 2019-05-07
views 2703 2 24
Employee++

McAfee Web Gateway ICAP and Sandblast Appliance (TEX)

Configuring ICAP Server on Check Point Sandblast Appliance (TEX) or Gateway:
Enable ICAP server on TEX appliance, see SK111306. Use hotfix 286 or higher for R77.30.
Enable ICAP Server
Start ICAP server on TEX appliance or gateway:
# icap_server start
Enable ICAP Logs
# tecli advanced remote emulator logs enable <<< Hotfix 286 or higher automatically activates logging.
Enable firewall rule to connect ICAP Server (TEX Appliance)
Source: McAfee Web Gateway
Destination: "ip-address of sandblast appliance"
Port: 1344
For more info on the ICAP server please go to:
Configuration McAfee ICAP client
Note: The below setup will work in "hold" mode, meaning the MWG will wait for the ICAP answer until it provides the file to the end user. Background mode on MWG is a bit more complex to achieve. You can find the below attached ruleset template as a starting point. For a better understanding of background mode you might want to read Solved: McAfee Support Community - Don´t wait for ICAP Server response - McAfee Support Community
Under Policy -> Settings -> ICAP Client change both the ReqMod and RespMod defaults (we configure both but you only need RespMod for file downloads and ReqMod for file uploads): Please use URI icap://10.2.1.254:1344/sandblast from now on
Under Policy -> Rule Sets check if the ICAP Client section is present: If not, you can add it via Add -> Rule Set from Library:
To edit the imported rule set, “Unlock View”:
You can disable “ReqMod” if it is not needed to pass downloaded files (only for file uploads):
If you want to bypass file downloads, e.g. bigger than 1 MB, you have to add the following “Skip files greater than 1MB” rule to the RespMod ruleset:
Don´t forget to save your changes at the end:
This is what you get when trying to download a malicious file detected by TE:
Client McAfee Web Gateway Progress page:
Expected outcome on malicious file download:
When clicking on “here”:
The above response is a customizable template found in $FWDIR/c-icap/share/c_icap/templates/virus_scan/en/VIRUS_FOUND.
If you experience proxy timeouts like this: Raise the timeout value from the default 120 sec. to > 300 sec.
Nikko_Malabanan
Nikko_Malabanan inside SandBlast Network 2019-05-05
views 1189 4 1

ClusterXL Requirements

Hi Guys,
May I know if the memory/RAM is a criterion for synchronizing members of the ClusterXL?
I just ask this because I am planning to upgrade the RAM of my production security gateways. My plan is to upgrade the FW02 memory, then do a failover, and then upgrade the FW01 memory. My concern is that, once I have upgraded and powered up FW02, will it sync to FW01, since at that moment both security gateways have different amounts of RAM?
Thanks
Kannan_Velraja
inside SandBlast Network 2019-05-03
views 837 2
Employee

block Base 64 encrypted Mails For Phishing Scanning

Hi Team, please confirm that when the Firewall is configured as MTA and deployed, it will block "Base 64 encrypted Mails For Phishing Scanning". Thanks in advance.