the_rock
Legend

AV blade/user check/windows updates

Hey guys,

Figured I would share this, since the customer and I had been working with a TAC escalation guy for a couple of weeks and he told us he would probably open a task with R&D to see if there is a way to make the block page come up every time when specific file types are blocked (in our case msi and exe). It's somewhat inconsistent at this point, since random sites don't show block pages when an msi file is blocked and some are even allowed. I will update once we have a fully working solution, but in the meantime, figured I would share some screenshots that can hopefully help others if you find yourself in a similar situation.

Andy

5 Replies
Lesley
Mentor

I don't fully understand the issue, but here is what I can see.

Screenshot 1: I would use the recommended bypass object listed in this SK:

https://support.checkpoint.com/results/sk/sk163595

Screenshot 7, rule 1: this rule will not match the traffic because it is set to N/A.
Therefore it will not hit the blades. I would recommend right-clicking it and adding the blades you want to exclude (in this case AV).

-------
If you like this post please give a thumbs up (kudo)! 🙂
the_rock
Legend

Hey Lesley,

We had a problem where Windows updates were not working when msi and exe files were blocked through the AV blade.

Andy

JaAnd
Participant

Hi Andy,

Maybe you could try to add in DST the Updatable Object recommended by CP for HTTPS inspection bypass for Microsoft updates? It seems to be quite accurate in my use cases. Of course it might sometimes be too wide, but MS seems to be unpredictable in some ways 😜 Maybe good old manually defined URLs would do the job?

the_rock
Legend

Hey @JaAnd 🙂

Yes, that's what we did, just added Microsoft Defender and it worked. Regardless, blocking files and showing the block page is absolutely needed and it has to work CONSTANTLY, which sadly, is far from what happens now.

Andy

the_rock
Legend

For what it's worth, the TAC guy originally had us add Akamai, Cloudflare and GitHub to the bypass, but although that fixed Windows updates, it broke a few sites for SSL inspection.

Andy
