ChoiYunSoo
Contributor

Does anyone know if there are any restrictions on scanning malicious URLs when using monitor mode?

Hi

Does anyone know if there are any restrictions on scanning malicious URLs when using monitor mode?

I am currently testing the Check Point e-mail security function in the internal environment in monitor mode.

Since it is a traffic mirror environment, MTA is disabled and only Threat Emulation, anti-virus, and anti-bot functions are enabled.

Functions such as file emulation are showing satisfactory test results.

However, in the case of malicious URLs attached to e-mails, it seems that they cannot be inspected properly in Monitor mode.

As far as I know, malicious URLs should generate logs after performing reputation-based inspection.

However, in the current test environment, no logs related to URLs are left.

It looks like it probably doesn't perform any checks.

I tested in a real environment, not a mirror environment, to check if the test URL information was incorrect.

In a real environment, I checked the normal URL inspection log as expected.

As mentioned at the beginning, if there are any restrictions when using the monitor mode in these inspection logics, please let us know.

Thanks

4 Replies
Abigael_Levy
Employee Alumnus

Hi @ChoiYunSoo 

I think you are asking in the wrong board. The forum for Harmony Email & Collaboration is here: https://community.checkpoint.com/t5/Email-and-Collaboration/bd-p/cloudguard-saas.

Thanks,

Abigael

_Val_
Admin

@Abigael_Levy moved to more appropriate space

PhoneBoy
Admin

This is referring to a Quantum Security Gateway running off a Mirror Port, so unrelated to Harmony Email and Collaboration 🙂
I believe MTA mode is required for scanning malicious URLs in email.
We definitely won't see malicious URLs in SMTP traffic when running off a Mirror Port if TLS is used.
Having said that, if you're seeing Threat Emulation for documents, malicious links inside of those documents should be scanned.

Chris_Atkinson
Employee

Anything usually done by the MTA cannot be done in this case, especially if the communication is TLS encrypted.

CCSM R77/R80/ELITE
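An added illustration of the limitation PhoneBoy and Chris_Atkinson describe (example code written for this thread, not Check Point code and not from any poster here): a passive tap on a mirror port can only pull URLs out of an SMTP session that stays in cleartext, and once the server accepts STARTTLS the DATA phase is ciphertext, so a URL reputation check has nothing to inspect. The two session transcripts and the hostnames in them are constructed.

```python
import re

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed SMTP transcripts as a mirror-port tap would see them
# ("C:" = client command, "S:" = server reply). Hosts are placeholders.
PLAINTEXT_SESSION = [
    "S: 220 mx.example.test ESMTP",
    "C: EHLO relay.example.test",
    "S: 250 mx.example.test",
    "C: MAIL FROM:<a@example.test>",
    "S: 250 OK",
    "C: DATA",
    "S: 354 End data with <CR><LF>.<CR><LF>",
    "C: Please review http://invoice.example.test/doc.html today",
    "C: .",
]

STARTTLS_SESSION = [
    "S: 220 mx.example.test ESMTP",
    "C: EHLO relay.example.test",
    "S: 250-mx.example.test",
    "S: 250 STARTTLS",
    "C: STARTTLS",
    "S: 220 Ready to start TLS",
    # From here on the tap sees only TLS records: DATA and any URLs are opaque.
    "<encrypted application data>",
]

def analyze_session(lines):
    """Say whether a passive observer can see the body, and which URLs it could extract."""
    tls_requested = False
    in_data = False
    urls = []
    for line in lines:
        if line.startswith("C: STARTTLS"):
            tls_requested = True
        elif tls_requested and line.startswith("S: 220"):
            # Server accepted STARTTLS: everything after this is ciphertext.
            return {"body_visible": False, "urls": [], "reason": "STARTTLS accepted"}
        elif tls_requested:
            tls_requested = False  # STARTTLS refused; session stays in the clear
        if line.startswith("C: DATA"):
            in_data = True
        elif in_data and line == "C: .":
            in_data = False
        elif in_data and line.startswith("C: "):
            urls.extend(URL_RE.findall(line[3:]))
    return {"body_visible": True, "urls": urls, "reason": "cleartext session"}
```

Running it over real mirror-port captures is a quick way to tell whether the missing URL logs are explained by opportunistic TLS between the sending and receiving MTAs rather than by a configuration problem.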