This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Evgeniy_Olkov
Collaborator
Collaborator
‎2018-11-12 11:45 PM

Detect in Log and Prevent in Report. How can it be?

Hello. I need some help with Threat Emulation. Our customer have a couple of incidents with virus prevention.

A virus file can pass check point with detect in logs:

Matched Rules:

Rules:

Severity - Critical, Confidence Level - High. Threat Prevention profile:

At the same time if we open summury report we see Prevent:

What is wrong? Antivirus does not blok this file too.

8 Replies
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2018-11-12 11:55 PM

Just with a quick glance - Threat prevention profile shows "Standard" and next screenshot profile name is different

0 Kudos
Evgeniy_Olkov
Collaborator
Collaborator
‎2018-11-12 11:58 PM
In response to Kaspars_Zibarts

Sorry for that, it's just an example. I have not an original screenshots (just for now). 

0 Kudos
Danny
MVP Platinum
MVP Platinum
‎2018-11-13 02:15 AM
In response to Evgeniy_Olkov

It's all in the details. Actual screenshots showing your real sypmtoms will allow us to help you. Please replace the examples above with your real screenshots.

Evgeniy_Olkov
Collaborator
Collaborator
‎2018-11-14 11:49 PM
In response to Danny

I have updated screenshots

0 Kudos
PhoneBoy
Admin
Admin
‎2018-11-16 11:40 AM

Did the end user in question actually receive the document?

Evgeniy_Olkov
Collaborator
Collaborator
‎2018-11-17 12:32 AM
In response to PhoneBoy

Yes. Local antivirus detect it in received email.

Actually I have noticed that our other customer has the same problem. 

PhoneBoy
Admin
Admin
‎2018-11-17 08:02 AM
In response to Evgeniy_Olkov

I could see the Forensics piece saying prevent if AV ultimately caught it (even if TE didn’t).

A TAC case is probably warranted here.

0 Kudos
Evgeniy_Olkov
Collaborator
Collaborator
‎2018-11-18 10:34 PM
In response to PhoneBoy

Yes, I have created TAC case. They are going to organize remote session. I'll share the answer after.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events