cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Peter_Baumann
Peter_Baumann inside SandBlast Network yesterday
views 49 1

MTA NDR with "-oi" as sender

Hi all,At a customer we have setup the following configuration according to this:ATRG: Mail Transfer Agent (MTA)https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk109699Since we check the logs for error messages we sometimes see the following when the MTA is sending "None delivery messages" (NDR):Jul 22 13:47:04 2019 fwvsx01 postfix/pickup[30252]: 45sfwS1bk8z5x1D: uid=0 from= Jul 22 13:47:04 2019 fwvsx01 postfix/cleanup[13678]: 45sfwS1bk8z5x1D: message-id=<45sfwS1bk8z5x1D@fwvsx01.domain.com> Jul 22 13:47:04 2019 fwvsx01 postfix/qmgr[8456]: 45sfwS1bk8z5x1D: from=, size=283, nrcpt=2 (queue active) Jul 22 13:47:04 2019 fwvsx01 postfix/error[4397]: 45sfwS1bk8z5x1D: to=<-oi@fwvsx01.domain.com>, orig_to=<-oi>, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=5.1.3, status=bounced (bad address syntax) Jul 22 13:47:04 2019 fwvsx01 postfix/smtp[13664]: 45sfwS1bk8z5x1D: to=, relay=1.3.2.3[1.3.2.3]:25, delay=0.02, delays=0.01/0/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 389501CC2D) Jul 22 13:47:04 2019 fwvsx01 postfix/bounce[4398]: 45sfwS1bk8z5x1D: sender non-delivery notification: 45sfwS1kG7z5x1F Jul 22 13:47:04 2019 fwvsx01 postfix/qmgr[8456]: 45sfwS1bk8z5x1D: removedThe relevant part of the log above is the following:Jul 22 13:47:04 2019 fwvsx01 postfix/error[4397]: 45sfwS1bk8z5x1D: to=<-oi@fwvsx01.domain.com>, orig_to=<-oi>, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=5.1.3, status=bounced (bad address syntax)I figured out that the parameter "-oi" is used in the postfix sendmail binary:http://www.postfix.org/sendmail.1.html -oi When reading a message from standard input, don't treat a line with only a . character as the end of input.So it seems for me that some script is running wrong. Does someone of you have also seen this?Is there any fix for this problem?Thanks,Peter
Dan_Roddy
Dan_Roddy inside SandBlast Network yesterday
views 27 1

Threat Extraction results benign and file is empty.

We have a problem with downloading files (pdf, xls and csv) that have been evaluated for threats by TE cloud, results are benign and the files saved are empty - zero bytes. Trying to get my case worked on by TAC but they say no one is available. What has consumed all support?
Alessandro_Marr
Alessandro_Marr inside SandBlast Network Monday
views 413 7 2

ICAP client on R80.20 and 3rd DLP Server Symantec

Hello all, anyone could share a configuration example about using R80.20 as a client ICAP for a Web Prevent Symantec DLP Server?when I Trying the gateway doesn´t understand a message to block came from DLP server.Thanks. Regards.
Leonardo_Ferrei
Leonardo_Ferrei inside SandBlast Network Friday
views 1298 7 2

Problem to download large files when Sandblast Appliance is set as ICAP Server

Hello Guys,We set the Sandblast Appliance as ICAP Server for a Fortigate gateway. The traffic is redirected as expected and the sandblast appliance is doing its job, except by large files (I've noticed files bigger than 400MB)The users are unable to download any file bigger than 4000MB when the ICAP server is set. If I stop the icap process from sandblast appliance they are able to download their files.Did anyone get the same problem?SANDBLAST APPLIANCE = R80.20 Jumbo Take 47MAXIMUM FILE SIZE FOR EMULATION = 15000KB (default)ALL CONFIGURATION SET TO FAIL OPENTHE USERS GET A BROWSER MESSAGE = An ICAP error was encountered while handling the request.Best regards,Leonardo Santos
GGiorgakis
GGiorgakis inside SandBlast Network 2 weeks ago
views 56 1

Migrating R77.30 standalone to new management server distributed R80.20

What is the best practice to migrate an R77.30 standalone into a distributed R80.20 enviroment?
Robert_Mueller
Robert_Mueller inside SandBlast Network 2 weeks ago
views 9497 5 12

Block specific File extention

Hi,Is there a way to block specific file extentions? I my case iqy and slk files. I know that they are supported in the newest Engine but how can I block them? I can't specify them in the SmartConsole and I've tried to block them with the "prohibited file types" (tecli command) but it wont work...I wan to block all files with that extentions when they arrive via Mail...BrRobert
GGiorgakis
GGiorgakis inside SandBlast Network 3 weeks ago
views 155 6

Thread Emulation - Manual Test emulation

I am looking for a procedure to manual emulate a file on thread emulation r77.30 to test a file?
CHINMAYA_NAIK
CHINMAYA_NAIK inside SandBlast Network 3 weeks ago
views 315 6

MTA malicious sites inside the | Mail Body | Mail Subject | Attachment [TE100x]

OS : R80.20 both Gateway and Management Server and also TE.TE Engine Version : 58.990000298 HotFix : R80.20 Jumbo Hotfix Take_33MTA : R80_20_mta Take 27BLADE: Threat Emulation | Threat Extraction | Antivirus | AntiBot | IPS We configure Gateway as a MTA.We using both Threat Emulation and Threat Extraction only for SMTP traffic.I did some testing and find below results.Scenario1 : When we put malicious URL on mail body.Results: Malicious URL was totally removed.Scenario2 : When we put malicious URL on Mail Subject.Results : Malicious URL was modified but not totally removed.Scenario3 : When we put malicious URL on Mail Subject and also in Mail Body.Results : Malicious URL was modified on Subject but not in the mail body , still the malicious URL in mail body showing as is it.Scenario4 : For example I put genuine URL on Mail subject like "www.google.com" and put malicious URL in Mail body.Results: Malicious URL was removed from Mail Body and no changes on Mail Subject.QUERY : If I put the same malicious URL in a attachment then :Is this malicious URL is totally we able to removed in attachment ?Is this only remove the hyper link in attachment ?Is this possible to modified the malicious URL in attachment ?Also Scenario5: If I send a malicious URL with out "https or http" then URL is not able to detect.So is URL reputation is only check if URL is in started from http or https only.@CHINMAYA_NAIK
Shahar_Grober
Shahar_Grober inside SandBlast Network 4 weeks ago
views 988 5 8

SandBlast PoC Guide

Hi, can anyone point where is the latest version of the Excellent SandBlast PoC guide? I have Version 9.1 but it is a little bit outdated and doesn't include R80.10/20 features and updates.In Addition, I would like to do a basic test of TE functionality "Unknown 300" style.Can anyone recommend how to get the unknown malicious samples or how do I create them? Thanks Shahar
Nick_Doropoulos
Nick_Doropoulos inside SandBlast Network 4 weeks ago
views 82 1

Threat Emulation question

Question:A dedicated, local Threat Emulation appliance goes down for whatever reason. Until it comes back up, does the gateway use ThreatCloud emulation instead? Thanks in advance.
Vikas_Arya
Vikas_Arya inside SandBlast Network 4 weeks ago
views 96 1

Best practice sandblast appliance TE 250 x integration in network

Hi, I am going to implement Sandblast appliance TE 250x in my office network. Please suggest how to integrate appliance in network and the best practice of policy configuration for appliance. RegardsVikas Arya
6dd15084-b97a-4
6dd15084-b97a-4 inside SandBlast Network a month ago
views 102 1

threat emulation step by step

I want to config TE device can you expert's help me to manage it properly.
Peter_Elmer
inside SandBlast Network 2019-06-14
views 514 1 8
Employee+

Infinity preventing known and unknown Gen V attacks using email as attack vector

This whitepaper outlines outlines some key elements for the defense against known and unknown GenV attacksavailable in the release R80.30. This version is focused on email as an attack vector and describes the configuration of the MTA functionality.
Wing_Chow
Wing_Chow inside SandBlast Network 2019-06-08
views 433 1

ICAP Server with VIRUS DETECTED: Scan Error

Hi all, I think that you can help me with this type of error when i'm implement a ICAP Server in R80.20..I need to configure with F5 and Sandblast for ICAP HTTP Emulation. I've tried with "sk" and admin guide for Threat Prevention about ICAP Server and all those information can't work fine 😞 This is the Error in the Check Point Devices: VIRUS DETECTED: Scan Error , http client ip: xx.xxx.xxx.xx, http user: -, http url: my.sites.com ICAP Client Configuration F5 BigIP LTMICAP Profile:URI: icap://${SERVER_IP}:${SERVER_PORT}/virus_scanHeaders: X-Client-IP, X-Server-IP, X-Authentication-User How to can i configure a good integration with ICAP Client and Check Point ICAP Server? Thanks!! Regards,
Miguel_Barrios
Miguel_Barrios inside SandBlast Network 2019-05-23
views 1739 3 4

Zero-Day Malicious File get Block but hash put on benign cache in TE

Hello CheckMates!I would like your opinion with the following behavior of Threat Emulation:One of our customer with local TE250X Appliance experienced a serious issue on a malware campaing where the first malicious file who arrived to the appliance (via MTA) was prevented by TE as it should. However, the following files with same hash were allowed (thus, received on mailboxes)!!!!I have understood if a file is detected as malicious should be put on malicious cache, so we had a big surprise when we found all this hash on benign cache instead of malicious. The same happened for more files who arrived that day:As you can see on photo, all files had one thing in common: Severity High and Confidence N/A. Optimized Profile is in use (Engine version at that time was 58.990000492)We tried debug with same files later on that day, but confidence level changed to HIGH and the files were putted on malicious cache correctly.So now we have the following concerns:Is expected behavior (put on benign cache) when the file's confidence can not be determined even if the severity already has a level (high in this case)???How Check Point determine the confidence level for security events?Currently we have a case opened with TAC but despite we already sent a lot of information, they could not explain this behavior yet. Has someone experienced the same? I will appreciate your comments