Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Andre_K
Contributor
Contributor

Embedded Office.com links in .PDF's

Hi all, I noticed that the Sandblast marks particulair.pdf files with an embedded link from Microsoft (in this case a custom created Office form via https://forms.office.com) as a malicious C&C site.  This is defiantly a false positive. Anyone experienced the same?. Of course I can follow sk118875 and submit this false positive for review by Check Point support but this is quite a hassle due to privacy rights and sharing customer data etc. Any suggestions are welcome.

0 Kudos
2 Replies
Thomas_Werner
Employee Alumnus
Employee Alumnus

Hi Andre,

you can control this feature via:

[Expert@Gateway:0]# tecli advanced analyzer
Command: root->advanced->analyzer

Available options:
show - display analyzer attributes values
enable - enable or disable analyzer investigator
max_embedded_files_limit - Set maximum embedded files limit
max_embedded_links_limit - Set maximum embedded links limit
prohibited - prohibited objects menu

[Expert@Gateway:0]# tecli advanced analyzer show
File Analyzer: ON
Maximum embedded files limit: 10
Maximum embedded links limit: 20
Block encrypted documents: OFF
Block documents that contain sensitive links (links to local or network path): OFF
Block documents that contain macros and code: OFF
Block documents with embedded word file type: OFF
Block documents with embedded excel file type: OFF
Block documents with embedded power point file type: OFF
Block documents with embedded executable file type: OFF
Block documents with embedded zip file type: OFF
Block documents with embedded flash file type: OFF
Block documents with embedded pdf file type: OFF
Block documents with embedded js file type: OFF

Reporting possible FPs to Check Point is valuable because it remediates also possible future FPs.

In many cases we can change "Detection rules" which is not simple file hash whitelisting. In such cases multiple FPs will be gone in a single effort if the behavioral detection behind the FP is the same. Detection rules are updated automatically.

Always remember that during opening a FP case we will check if the file is really malicious. There were cases in the past that first looked like a FP but during analysts investigation were proofed to be malicious.

Regards Thomas

0 Kudos
Andre_K
Contributor
Contributor

Hi Thomas, thank you for your reply. I am familiar with the analyzer but in this case it seems like the TE marks this particular link as malicious, it’s not an embedded file within the PDF.  I will might indeed consider submitting this possible FP to support for review. Thanks again!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events