This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Dan_Roddy
Collaborator
‎2019-04-26 02:54 PM

Capsule Cloud Threat Emulation

The following domains deliver files to our client Windows 10 workstations and mobile Surface books that are continuously Emulated despite my efforts to bypass emulation.  I do not consider files that deliver windows updates, checkpoint updates, symantec updates and others to be risky and emulating them is using unnecessary resources of time and licensing.  Has anyone tried to bypass cloud emulation for these domains?

 

Thank you,

 

Dan 

 

 

0 Kudos
Reply
4 Replies
Chris_Atkinson
Employee
Employee
‎2019-04-27 02:33 AM

Does the source in the emulation log say "Trusted Source" ?

Some of those "domains" or "services" you mention shouldn't actually result in the file being sent out to the cloud for emulation thanks to a global white list. 

 

0 Kudos
Reply
Dan_Roddy
Collaborator
‎2019-04-29 07:51 AM
In response to Chris_Atkinson

Thanks for the reply Chris, Yes for liveupdate.symantecliveupdate.com does show trusted source and benign verdict. But in this case, the file being emulated is a 7z filetype and all indications are the file is emulated. Also, I have Office templates in .cab files and also windowsupdate .cab (trused source:yes) and all these show 'analyzed_on' Check Point Threat Cloud. Where is the whitelist?
0 Kudos
Reply
Dan_Roddy
Collaborator
‎2019-04-29 07:59 AM
In response to Dan_Roddy

Another candidate for whitelisting is 'content.ivanti.com'. Ivanti has a patching application and they deliver windows patch files in .zip files. These file are extracted and deliver a benign verdict for every file in the zip. Multiply all these patch file by the number of workstations and you can see why our emulation file count per month is quite high. Can this work as advertised? Won't all these patch files from Microsoft have the same hash value?
0 Kudos
Reply
Dan_Roddy
Collaborator
‎2019-04-29 08:21 AM
In response to Dan_Roddy

Tell me about this one: EP Antibot downloads a .tar file from secureupdates.checkpoint.com that results in 'detect', reason: file size exceeded size limit, if this is whitelisted then why is the file size limit reached.
0 Kudos
Reply