Marcel_Gramalla
Advisor

Content Awareness not properly blocking files

Hello,

Hope you're all doing well. We are in the process of evaluating the Check Point Threat Prevention Suite (against another solution) and we're stuck at Content Awareness right now.

We just wanted to test a very basic rule to block executable files but we get very strange results - some files don't get blocked at all or only sometimes. TLS Inspection is enabled and the browser is limited to TLS 1.2 as we heard it may cause problems if the browser tries 1.3 and Check Point doesn't support it currently (R80.40 JHF 89).

The rule looks like this:

rule.PNG

The log entry looks like this when the file isn't blocked:

redirect_2.png

We can clearly see that the connection is Inspected and also the Rule and Data Type get recognized correctly but the download is still possible.

We already tried a different host, putting the rule out of the inline layer and many other small things. Do you have any suggestions on how to troubleshoot and what could be wrong?

0 Kudos

Accepted Solutions
Marcel_Gramalla
Advisor

I just came across my own old topic here and wanted to add the solution we found together in a great TAC session a few weeks ago.

The problem was in the HTTPS Inspection and not Content Awareness itself. We had the settings at "Background" and not "Hold" mode for a reason I don't remember and that caused the issue. We also tried the UserCheck agent that I never heard of before and now we're also getting a pop-up if an error cannot be displayed in the browser.


7 Replies
Benedikt_Weissl
Advisor

Hi,

can you show us the UserCheck item settings? Maybe the fallback setting is set to "accept".

Regards

0 Kudos
Marcel_Gramalla
Advisor

Hi,

which exact setting are you referring to? I couldn't find a UserCheck setting for any fallback:

usercheck_1.PNG

On Content Awareness it's set at fail-open:

ca_1.PNG

0 Kudos
Benedikt_Weissl
Advisor

Then it's a different UserCheck object. I thought it might be this setting and the user notification can't be displayed:

usercheck.JPG

0 Kudos
Marcel_Gramalla
Advisor

Ok, I see. The fallback option only appears on Ask templates but not on Drop templates.

0 Kudos
PhoneBoy
Admin

If you’re seeing an action of Redirect (which is what the log card says), it’s probably attempting to show the UserCheck drop page.
As it requires some data to be transferred to detect if it’s an EXE, it will appear as if a download starts but it should terminate before the file is completely downloaded.

For downloaded files, showing a block page is probably counterproductive since the web browser won’t show that to the end user.
In fact: I would remove the UserCheck action from the rule. 

0 Kudos
Marcel_Gramalla
Advisor

The drop page shouldn't be a problem as it shows correctly for other files that get blocked by the policy. I just tried changing the rule to just drop without UserCheck and the problem still exists. It's also a requirement for us to show the user that a file gets blocked on purpose and not just the fail message from the browser.

Let's see if TAC has any other ideas.

0 Kudos