This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Andreas_Ahrnby
Contributor
‎2020-05-06 01:08 PM

Content awareness

Hi,

I have a rule that allow MS Office files to be uploaded to a FTP server and I block execute files. 

But if I import an execute file inside an excel file the blade let the file pass. 
Cant the blade be this “smart” to see the inserted .exe or i am doing something wrong here?

6 Replies
HristoGrigorov
MVP Gold
MVP Gold
‎2020-05-06 08:40 PM

Most File Type Recognition libraries rarely iterate over entire file content for performance reasons. In most cases they only look for predefined patterns to "guess"file type.

Notice that you are uploading Excel file with binary content inside it but it is after all Excel file which is allowed by the policy.

 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-05-10 05:19 PM

What rule comes first, the one that blocks EXE files or the one that allows Excel?
Order matters.
0 Kudos
Andreas_Ahrnby
Contributor
‎2020-05-10 09:24 PM
In response to PhoneBoy

The exe block rule is first.
0 Kudos
PhoneBoy
Admin
Admin
‎2020-05-13 09:24 AM
In response to Andreas_Ahrnby

Might be worth a TAC case to confirm this is correct behavior.
0 Kudos
Andreas_Ahrnby
Contributor
‎2020-05-13 11:12 AM
In response to PhoneBoy

Actually I find out that the content sees the embedded file but not as its file name but as a inobject.bin. Don’t remember the exact name now so what I did was to make a own template and block everything with .bin

this behavior seems only to be with MS office files, if I take an .pdf with an embedded .exe file it gets blocked and the blade can see the exact filename inside the .pdf

PhoneBoy
Admin
Admin
‎2020-05-13 03:11 PM
In response to Andreas_Ahrnby

At least you have a workaround, which is good.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events