This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Marcel_Gramalla
Advisor
‎2021-03-10 07:15 AM
Jump to solution

Content Awareness not properly blocking files

Hello,

hope you're doing all well. We are in the process of evaluating the Check Point Threat Prevention Suite (against another solution) and we're stuck at Content Awareness right now. 

We just wanted to test a very basic rule to block executable files but we get very strange results - some files doesn't get blocked at all or only sometimes. TLS Inspection is enabled and the browser is limited to TLS 1.2 as we heard it may cause problems if the browser tries 1.3 and Check Point doesn't support it currently (R80.40 JHF 89).

The rule looks like this:

rule.PNG

The log entry looks like this when the file isn't blocked:

redirect_2.png

We can cleary see that the connections is Inspected and also the Rule and Data Type gets recognized correctly but the download is still possible.

We already tried a different host, putting the rule out of the inline layer and many small other things. Do you have any suggestion how to troubleshoot and what could be wrong?

0 Kudos
1 Solution

Accepted Solutions
Marcel_Gramalla
Advisor
‎2021-07-09 09:53 AM
In response to Marcel_Gramalla
Jump to solution

I just came across my own old topic here and wanted to add the solution we found together in a great TAC session a few weeks ago. 

The problem was in the HTTPS Inspection and not Content Awareness itself. We had the settings at "Background" and not "Hold" mode for a reason I don't remeber and that caused the issue. We also tried the UserCheck agent that I never heard of before and now we're also getting a pop-up if an error cannot be displayed in the browser.

View solution in original post

7 Replies
Benedikt_Weissl
Advisor
‎2021-03-10 08:08 AM
Jump to solution

Hi,

can you show us the UserCheck item settings? Maybe the fallback setting is set to "accept".

Regards

0 Kudos
Marcel_Gramalla
Advisor
‎2021-03-10 09:32 AM
In response to Benedikt_Weissl
Jump to solution

Hi,

which exact setting are you referring to? I couldn't find UserCheck setting for any fallback: 

usercheck_1.PNG

On Content Awareness it's set at fail-open:

ca_1.PNG

0 Kudos
Benedikt_Weissl
Advisor
‎2021-03-11 02:13 AM
In response to Marcel_Gramalla
Jump to solution

Then its a different UserCheck object, i thought it might be this setting and user notification can't be displayed:

 

usercheck.JPG

0 Kudos
Marcel_Gramalla
Advisor
‎2021-03-11 02:15 AM
In response to Benedikt_Weissl
Jump to solution

Ok, I see. The fallback option only appears on Ask-Templates but not on Drop-Templates. 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-03-11 12:00 PM
Jump to solution

If you’re seeing an action of Redirect (which is what the log card says), it’s probably attempting to show the UserCheck drop page.
As it requires some data to be transferred to detect if it’s an EXE, it will appear as if a download starts but it should terminate before the file is completely downloaded.

For downloaded files, showing a block page is probably counterproductive since the web browser won’t show that to the end user.
In fact: I would remove the UserCheck action from the rule. 

0 Kudos
Marcel_Gramalla
Advisor
‎2021-03-12 12:19 AM
In response to PhoneBoy
Jump to solution

The drop page shouldn't be a problem as it shows correctly for other files that get blocked by the policy. I just tried changing the rule to just drop without UserCheck and the problem still exists. It's also a requirement for us to show the user that a file gets blocked on purpose and not just the fail message from the browser.

Let's see if TAC has any other ideas.

0 Kudos
Marcel_Gramalla
Advisor
‎2021-07-09 09:53 AM
In response to Marcel_Gramalla
Jump to solution

I just came across my own old topic here and wanted to add the solution we found together in a great TAC session a few weeks ago. 

The problem was in the HTTPS Inspection and not Content Awareness itself. We had the settings at "Background" and not "Hold" mode for a reason I don't remeber and that caused the issue. We also tried the UserCheck agent that I never heard of before and now we're also getting a pop-up if an error cannot be displayed in the browser.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events