Eric_Lindsey1 inside SandBlast Network yesterday

MTA email data missing from logging

We are using our Check Point appliance as an MTA. External email is directed to Check Point and then to our internal email servers. We are also threat-emulating attachments. If an email comes into the system and passes through Check Point with no attachment, we do not see any of the email data in SmartLog. If the email has an attachment and Threat Emulation emulates the file, we see the subject, sender and recipient in SmartLog. Is there any reason the normal email just passing through the appliance does not show in SmartLog?
Andy_Nicholson inside SandBlast Network 2 weeks ago

Demonstration of Threat Prevention API on a local SandBlast / Threat Emulation Appliance

I have set up a lab to demonstrate the use of the API to pass files to an on-premise SandBlast Threat Emulation Appliance, for scanning for zero-day threats. This allows organisations to have almost any part of their infrastructure refer files to SandBlast. We have seen several use cases, but the most common is a web infrastructure that accepts files from external users and passes them into a workflow system in the organisation's infrastructure:

- A customer wants to open a new account, and must provide proof of ID or other supporting document.
- A customer has opened an insurance claim and must provide evidence of damage.

These files can be accepted by the web application server from the customer, then checked for threats before being passed on to the organisation's internal workflow system. The web infrastructure will receive a verdict from Check Point SandBlast and can then decide what to do, depending on the organisation's needs.

The demonstration is created in a lab environment, which is documented in the video and the attached pdf file. The script used in the lab was created by Thomas Werner, and is available and documented here: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Using-SandBlast-API-from-commandline/m-p/40312

Video of the demo with walk-through and explanation: (embedded video, not reproduced here)
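An added example, not part of the post above, the lab, or Thomas Werner's script: the query-by-hash, upload-if-unknown, then decide workflow that a web tier would run against a local Threat Emulation appliance, written in Python with the standard library only. Everything about the API surface is an assumption to verify against the Threat Prevention API reference for your release: the base URL https://<appliance>:18194/tecloud/api/v1/, the file/query and file/upload endpoints, the {"request": ...}/{"response": ...} JSON envelope, the te.status.code meanings in TE_STATUS and the combined_verdict field. The sample responses in the __main__ block are constructed, not captured from an appliance, so the decision logic can be exercised offline.

```python
"""Threat Emulation (TE) API client sketch for a web tier that refers uploaded
files to a local SandBlast appliance.  Added example, not the lab's script.

Assumptions (not taken from the original post):
  * API base URL: https://<appliance>:18194/tecloud/api/v1/
  * endpoints file/query (JSON) and file/upload (multipart: 'request' + 'file')
  * response envelope {"response": ...} with te.status.code and te.combined_verdict
  * te.status.code meanings as in TE_STATUS below
"""
import hashlib
import json
import ssl
import urllib.request
import uuid

TE_STATUS = {1001: "FOUND", 1002: "UPLOAD_SUCCESS", 1003: "PENDING", 1004: "NOT_FOUND"}


def file_digests(data: bytes) -> dict:
    """md5/sha1/sha256 of the file; sha1 is what the hash query is keyed on here."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def build_query_request(file_name: str, digests: dict) -> dict:
    """Hash lookup first: a file TE has already seen needs no second upload."""
    return {"request": [{"sha1": digests["sha1"], "file_name": file_name,
                         "features": ["te"], "te": {"reports": ["summary"]}}]}


def build_upload_request(file_name: str, digests: dict) -> dict:
    """JSON part that accompanies the file bytes in the multipart upload."""
    return {"request": {"sha1": digests["sha1"], "file_name": file_name,
                        "file_type": file_name.rsplit(".", 1)[-1].lower(),
                        "features": ["te"], "te": {"reports": ["summary", "xml"]}}}


def interpret(response: dict) -> tuple:
    """Return (status_name, verdict); verdict stays None until TE has decided."""
    body = response["response"]
    if isinstance(body, list):          # query answers are a list, uploads a dict
        body = body[0]
    te = body["te"]
    status = TE_STATUS.get(te["status"]["code"], "UNKNOWN")
    verdict = te.get("combined_verdict")
    if status in ("FOUND", "UPLOAD_SUCCESS") and verdict in ("benign", "malicious"):
        return status, verdict
    return status, None


def decide(status: str, verdict, fail_open: bool = False) -> str:
    """Release only on an explicit benign verdict; hold while pending.
    fail_open applies only to an unrecognised status, never to PENDING."""
    if verdict == "benign":
        return "release"
    if verdict == "malicious":
        return "quarantine"
    if status == "UNKNOWN" and fail_open:
        return "release"
    return "hold"


def encode_multipart(fields: dict, file_name: str, data: bytes) -> tuple:
    """Minimal multipart/form-data encoder; returns (body, content-type header)."""
    boundary = uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"'
                     f'\r\n\r\n{value}\r\n'.encode())
    parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
                 f'filename="{file_name}"\r\nContent-Type: application/octet-stream'
                 f'\r\n\r\n'.encode() + data + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"


def _post(url: str, body: bytes, content_type: str, verify_tls: bool) -> dict:
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab appliance with a self-signed cert; trust or pin it in production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=body, headers={"Content-Type": content_type})
    with urllib.request.urlopen(req, context=ctx, timeout=120) as resp:
        return json.loads(resp.read().decode("utf-8"))


def scan(base_url: str, file_name: str, data: bytes, verify_tls: bool = True) -> str:
    """Query by hash, upload only if unknown, and return the web tier's decision."""
    digests = file_digests(data)
    query = json.dumps(build_query_request(file_name, digests)).encode()
    status, verdict = interpret(_post(base_url + "file/query", query,
                                      "application/json", verify_tls))
    if status == "NOT_FOUND":
        fields = {"request": json.dumps(build_upload_request(file_name, digests))}
        body, ctype = encode_multipart(fields, file_name, data)
        status, verdict = interpret(_post(base_url + "file/upload", body, ctype, verify_tls))
    return decide(status, verdict)


if __name__ == "__main__":
    # Constructed sample responses (not captured from an appliance) to show the flow offline.
    found = {"response": [{"te": {"status": {"code": 1001}, "combined_verdict": "malicious"}}]}
    pending = {"response": {"te": {"status": {"code": 1003}}}}
    for sample in (found, pending):
        st, vd = interpret(sample)
        print(st, vd, "->", decide(st, vd))
```

A "hold" result means the upload was accepted but emulation is still running; the web tier should keep the file out of the workflow and re-run the hash query later rather than releasing on a timeout, which is the point of deciding per verdict instead of per HTTP status.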
Baasanjargal_Ts inside SandBlast Network 2 weeks ago

User is using a lot of CPU issue

Hello, the CP5400 appliance's CPU usage is about 100 percent. In the picture, "User" is using more than 90 % of the CPU. I don't understand why user is spending so much CPU.
Nick_Doropoulos inside SandBlast Network 3 weeks ago

Threat emulation cache same thing as database?

Just one question: are the Threat Emulation cache and the database that the TE-enabled GW compares an incoming file's hash against one and the same thing? Many thanks in advance.
samtech4u inside SandBlast Network 3 weeks ago

Threat Prevent Malware Hash Value

Hi, may I know how to get the threat hash value from Check Point R77.30 for a file detected by Threat Prevention? The logs only show the .eml file packet capture file.
Dan_Roddy inside SandBlast Network 3 weeks ago

Threat Extraction results benign and file is empty.

We have a problem with downloading files (pdf, xls and csv) that have been evaluated for threats by TE cloud: the results are benign and the files saved are empty, zero bytes. Trying to get my case worked on by TAC, but they say no one is available. What has consumed all support?
Peter_Baumann inside SandBlast Network 3 weeks ago

MTA NDR with "-oi" as sender

Hi all, at a customer we have set up the following configuration according to this: ATRG: Mail Transfer Agent (MTA) https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk109699

Since we check the logs for error messages, we sometimes see the following when the MTA is sending non-delivery messages (NDR):

Jul 22 13:47:04 2019 fwvsx01 postfix/pickup[30252]: 45sfwS1bk8z5x1D: uid=0 from=
Jul 22 13:47:04 2019 fwvsx01 postfix/cleanup[13678]: 45sfwS1bk8z5x1D: message-id=<45sfwS1bk8z5x1D@fwvsx01.domain.com>
Jul 22 13:47:04 2019 fwvsx01 postfix/qmgr[8456]: 45sfwS1bk8z5x1D: from=, size=283, nrcpt=2 (queue active)
Jul 22 13:47:04 2019 fwvsx01 postfix/error[4397]: 45sfwS1bk8z5x1D: to=<-oi@fwvsx01.domain.com>, orig_to=<-oi>, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=5.1.3, status=bounced (bad address syntax)
Jul 22 13:47:04 2019 fwvsx01 postfix/smtp[13664]: 45sfwS1bk8z5x1D: to=, relay=1.3.2.3[1.3.2.3]:25, delay=0.02, delays=0.01/0/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 389501CC2D)
Jul 22 13:47:04 2019 fwvsx01 postfix/bounce[4398]: 45sfwS1bk8z5x1D: sender non-delivery notification: 45sfwS1kG7z5x1F
Jul 22 13:47:04 2019 fwvsx01 postfix/qmgr[8456]: 45sfwS1bk8z5x1D: removed

The relevant part of the log above is the following:

Jul 22 13:47:04 2019 fwvsx01 postfix/error[4397]: 45sfwS1bk8z5x1D: to=<-oi@fwvsx01.domain.com>, orig_to=<-oi>, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=5.1.3, status=bounced (bad address syntax)

I figured out that the parameter "-oi" is used in the Postfix sendmail binary: http://www.postfix.org/sendmail.1.html

-oi: When reading a message from standard input, don't treat a line with only a . character as the end of input.

So it seems to me that some script is running wrong. Has anyone else seen this? Is there any fix for this problem?

Thanks,
Peter
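An added example (not from the post or from Check Point) of how to triage this in bulk: a small Python parser for Postfix mail.log lines that flags any delivery attempt whose recipient looks like a getopt-style option rather than a mailbox, which is exactly what the "-oi" bounce above is, and that pairs each bounced queue id with the NDR queue id the bounce daemon logs. SAMPLE_LOG is constructed after the lines quoted above; the null sender (from=<>) and the postmaster recipient are placeholders filled in here, not values from the post.

```python
"""Postfix log triage: find deliveries whose recipient looks like a sendmail
command-line option (e.g. "-oi"), and pair bounced messages with their NDR ids.
Added example, not code from the post; SAMPLE_LOG is constructed after it.
"""
import re

# syslog timestamp with optional year (the post's lines carry one), host, daemon[pid],
# optional queue id (must contain a digit so "warning:" is not taken for one), rest.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?: \d{4})?) (?P<host>\S+) "
    r"postfix/(?P<proc>[\w-]+)\[(?P<pid>\d+)\]: "
    r"(?:(?P<qid>(?=[A-Za-z]*\d)[0-9A-Za-z]{8,}): )?(?P<rest>.*)$")
# key=value pairs: angle-bracketed addresses, or a bare token plus an optional "(reason)"
PAIR_RE = re.compile(r"([\w-]+)=(<[^>]*>|[^,\s]+(?: \([^)]*\))?)")
NDR_RE = re.compile(r"sender non-delivery notification: (?P<ndr>[0-9A-Za-z]+)")

SAMPLE_LOG = [  # constructed; from=<> and the postmaster address are placeholders
    "Jul 22 13:47:04 2019 fwvsx01 postfix/pickup[30252]: 45sfwS1bk8z5x1D: uid=0 from=<>",
    "Jul 22 13:47:04 2019 fwvsx01 postfix/cleanup[13678]: 45sfwS1bk8z5x1D: "
    "message-id=<45sfwS1bk8z5x1D@fwvsx01.domain.com>",
    "Jul 22 13:47:04 2019 fwvsx01 postfix/qmgr[8456]: 45sfwS1bk8z5x1D: from=<>, size=283, "
    "nrcpt=2 (queue active)",
    "Jul 22 13:47:04 2019 fwvsx01 postfix/error[4397]: 45sfwS1bk8z5x1D: "
    "to=<-oi@fwvsx01.domain.com>, orig_to=<-oi>, relay=none, delay=0.01, "
    "delays=0.01/0/0/0, dsn=5.1.3, status=bounced (bad address syntax)",
    "Jul 22 13:47:04 2019 fwvsx01 postfix/smtp[13664]: 45sfwS1bk8z5x1D: "
    "to=<postmaster@domain.com>, relay=1.3.2.3[1.3.2.3]:25, delay=0.02, "
    "delays=0.01/0/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 389501CC2D)",
    "Jul 22 13:47:04 2019 fwvsx01 postfix/bounce[4398]: 45sfwS1bk8z5x1D: "
    "sender non-delivery notification: 45sfwS1kG7z5x1F",
    "Jul 22 13:47:04 2019 fwvsx01 postfix/qmgr[8456]: 45sfwS1bk8z5x1D: removed",
]


def parse_line(line: str):
    """Split one log line into its envelope fields and a dict of key=value pairs."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = {k: v.strip("<>") for k, v in PAIR_RE.findall(rec["rest"])}
    return rec


def looks_like_option(recipient: str) -> bool:
    """A local part beginning with '-' is a command-line flag, not a mailbox."""
    return recipient.split("@", 1)[0].startswith("-")


def find_option_recipients(lines) -> list:
    """Delivery records whose original recipient was an option-like string."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec or "to" not in rec["fields"]:
            continue
        original = rec["fields"].get("orig_to", rec["fields"]["to"])
        if looks_like_option(original):
            findings.append({"qid": rec["qid"], "host": rec["host"], "proc": rec["proc"],
                             "recipient": rec["fields"]["to"], "orig_to": original,
                             "dsn": rec["fields"].get("dsn"),
                             "status": rec["fields"].get("status")})
    return findings


def ndr_ids(lines) -> dict:
    """Map each bounced message's queue id to the queue id of the NDR it produced."""
    out = {}
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proc"] == "bounce":
            m = NDR_RE.search(rec["rest"])
            if m:
                out[rec["qid"]] = m.group("ndr")
    return out


if __name__ == "__main__":
    ndrs = ndr_ids(SAMPLE_LOG)
    for f in find_option_recipients(SAMPLE_LOG):
        print(f["host"], f["qid"], "orig_to=%r" % f["orig_to"], f["dsn"], f["status"],
              "ndr=%s" % ndrs.get(f["qid"]))
```

Run it over /var/log/maillog from the MTA gateway instead of SAMPLE_LOG to see how often the option-like recipient appears and from which queue ids; the queue ids lead back to the pickup line (uid=0, local submission), which narrows the search to whatever runs the sendmail binary locally as root.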
GGiorgakis inside SandBlast Network a month ago

Threat Emulation blocks email as malicious but we need to release it (false positive)?

Is there any way to release an email which was blocked by TE?
Alessandro_Marr inside SandBlast Network 2019-07-22

ICAP client on R80.20 and 3rd DLP Server Symantec

Hello all, could anyone share a configuration example of using R80.20 as an ICAP client for a Symantec DLP Web Prevent server? When I try it, the gateway doesn't understand the block message that comes from the DLP server. Thanks. Regards.
Leonardo_Ferrei inside SandBlast Network 2019-07-19

Problem to download large files when Sandblast Appliance is set as ICAP Server

Hello guys, we set the SandBlast Appliance as ICAP server for a Fortigate gateway. The traffic is redirected as expected and the SandBlast appliance is doing its job, except for large files (I've noticed files bigger than 400MB). The users are unable to download any file bigger than 4000MB when the ICAP server is set. If I stop the ICAP process on the SandBlast appliance they are able to download their files. Did anyone get the same problem?

SANDBLAST APPLIANCE = R80.20 Jumbo Take 47
MAXIMUM FILE SIZE FOR EMULATION = 15000KB (default)
ALL CONFIGURATION SET TO FAIL OPEN
THE USERS GET A BROWSER MESSAGE = An ICAP error was encountered while handling the request.

Best regards,
Leonardo Santos
GGiorgakis inside SandBlast Network 2019-07-11

Migrating R77.30 standalone to new management server distributed R80.20

What is the best practice to migrate an R77.30 standalone into a distributed R80.20 environment?
Robert_Mueller inside SandBlast Network 2019-07-09

Block specific file extension

Hi, is there a way to block specific file extensions? In my case, iqy and slk files. I know that they are supported in the newest engine, but how can I block them? I can't specify them in SmartConsole, and I've tried to block them with the "prohibited file types" (tecli command), but it won't work. I want to block all files with those extensions when they arrive via mail.

Br
Robert
GGiorgakis inside SandBlast Network 2019-07-05

Threat Emulation - Manual test emulation

I am looking for a procedure to manually emulate a file on Threat Emulation R77.30, to test a file.
Chinmaya_Naik inside SandBlast Network 2019-07-03

MTA malicious sites inside the | Mail Body | Mail Subject | Attachment [TE100x]

OS: R80.20 on both Gateway and Management Server, and also TE.
TE Engine Version: 58.990000298
Hotfix: R80.20 Jumbo Hotfix Take_33
MTA: R80_20_mta Take 27
Blades: Threat Emulation | Threat Extraction | Antivirus | Anti-Bot | IPS

We configure the Gateway as an MTA. We are using both Threat Emulation and Threat Extraction, only for SMTP traffic. I did some testing and found the results below.

Scenario 1: When we put a malicious URL in the mail body.
Result: The malicious URL was totally removed.

Scenario 2: When we put a malicious URL in the mail subject.
Result: The malicious URL was modified but not totally removed.

Scenario 3: When we put a malicious URL in the mail subject and also in the mail body.
Result: The malicious URL was modified in the subject but not in the mail body; the malicious URL in the mail body is still showing as is.

Scenario 4: For example, I put a genuine URL in the mail subject, like "www.google.com", and put a malicious URL in the mail body.
Result: The malicious URL was removed from the mail body and there were no changes to the mail subject.

QUERY: If I put the same malicious URL in an attachment, then:
Is the malicious URL removed entirely from the attachment?
Is only the hyperlink removed in the attachment?
Is it possible to modify the malicious URL in the attachment?

Also, Scenario 5: If I send a malicious URL without "https" or "http", the URL is not detected. So is URL reputation only checked if the URL starts with http or https?

@Chinmaya_Naik
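An added example, not from either post above and not Check Point code, serving two of the questions on this page: samtech4u's question about getting the hash of a file the log only shows as an .eml packet capture, and the URL-placement scenarios above. It parses a raw .eml with Python's standard email package, computes md5/sha1/sha256 of every attachment part (the values to compare with a Threat Prevention detection), and then lists every URL found in the subject, the text body and any text attachment, both with a scheme and without one, so the per-location behaviour in scenarios 1 to 5 can be checked on a test message before it is sent through the MTA. The message is constructed here, and the scheme-less matcher deliberately uses the small TLD set in TLDS, an assumption to replace with the public suffix list in real use.

```python
"""Hash the attachments and enumerate the URLs (with or without a scheme) in a
raw .eml, per location (subject / body / attachment).  Added example; the
message produced by build_sample_eml() is constructed, not a real sample.

Assumption: scheme-less URLs are recognised only for the TLDs in TLDS; a
production version would use the public suffix list instead.
"""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

TLDS = ("com", "net", "org", "info", "io", "example")  # deliberately small (assumption)
SCHEMED_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# host.tld[:port][/path], not preceded by a word char, '@', '.', ':' or '/'
# (so mailbox domains and the tail of an already-matched URL are not re-matched)
SCHEMELESS_RE = re.compile(
    r"(?<![\w@.:/-])((?:[a-z0-9-]+\.)+(?:%s)(?::\d+)?(?:/[^\s<>\"']*)?)" % "|".join(TLDS), re.I)

ATTACHMENT_BYTES = b"see http://bad.example/inside-attachment or bad.example/bare"


def build_sample_eml() -> bytes:
    """Constructed test message: URL in subject, body (both forms) and a text attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice http://bad.example/sub"
    msg.set_content("Please review http://bad.example/body and www.bad.example/nohttp now")
    msg.add_attachment(ATTACHMENT_BYTES, maintype="text", subtype="plain", filename="note.txt")
    return msg.as_bytes(policy=policy.SMTP)


def parse_eml(raw: bytes):
    return email.message_from_bytes(raw, policy=policy.default)


def digests(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def hash_attachments(msg) -> list:
    """One record per attachment part: the hashes to match against a TE/AV detection."""
    out = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True) or b""      # undo base64/quoted-printable
        rec = {"filename": part.get_filename(), "content_type": part.get_content_type(),
               "size": len(data)}
        rec.update(digests(data))
        out.append(rec)
    return out


def extract_urls(text: str) -> list:
    """Schemed URLs first, then scheme-less host/path tokens in what remains."""
    found = [(u, True) for u in SCHEMED_RE.findall(text)]
    rest = SCHEMED_RE.sub(" ", text)
    found += [(u, False) for u in SCHEMELESS_RE.findall(rest)]
    return found


def find_urls(msg) -> list:
    """(location, url, has_scheme) for the subject, the text body and text attachments."""
    found = [("subject", u, s) for u, s in extract_urls(msg["Subject"] or "")]
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        found += [("body", u, s) for u, s in extract_urls(body.get_content())]
    for part in msg.walk():
        if part.get_content_disposition() == "attachment" and part.get_content_maintype() == "text":
            text = (part.get_payload(decode=True) or b"").decode(
                part.get_content_charset() or "utf-8", "replace")
            found += [("attachment:%s" % part.get_filename(), u, s)
                      for u, s in extract_urls(text)]
    return found


if __name__ == "__main__":
    m = parse_eml(build_sample_eml())
    for a in hash_attachments(m):
        print(a["filename"], a["size"], a["sha256"])
    for loc, url, schemed in find_urls(m):
        print(loc, url, "scheme" if schemed else "no scheme")
```

To use it on a real capture, replace build_sample_eml() with the bytes of the .eml downloaded from the log entry; the attachment hashes are then what you look up, and sending the constructed message through the MTA and re-running find_urls on what arrives shows per location which URLs were removed, rewritten or left untouched, including the scheme-less ones from scenario 5.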
Shahar_Grober inside SandBlast Network 2019-06-28

SandBlast PoC Guide

Hi, can anyone point me to the latest version of the excellent SandBlast PoC guide? I have version 9.1, but it is a little bit outdated and doesn't include R80.10/20 features and updates. In addition, I would like to do a basic test of TE functionality, "Unknown 300" style. Can anyone recommend how to get the unknown malicious samples, or how I can create them? Thanks, Shahar