CheckPoint_IT
Explorer

Enduser still can download Malware from Public Github although implement Https inspection and IPS

Hi Everyone,

I have a problem with IPS and HTTPS Inspection on CheckPoint Firewall.

I implemented HTTPS Inspection and IPS for internal traffic and everything seems to work fine (HTTPS traffic is being inspected, and IPS and Antivirus detect and block access to malicious files).
But when I tried to use git clone to download a malware test file from GitHub, nothing happened and I could still successfully download this file.
➜ ~ git clone https://github.com/fire1ce/eicar-standard-antivirus-test-files.git 

Cloning into 'eicar-standard-antivirus-test-files'...
remote: Enumerating objects: 42, done.
remote: Counting objects: 100% (13/13), done.
remote: Compressing objects: 100% (10/10), done.
remote: Total 42 (delta 4), reused 5 (delta 1), pack-reused 29
Receiving objects: 100% (42/42), 177.01 KiB | 280.00 KiB/s, done.
Resolving deltas: 100% (18/18), done.

➜ ~ ls | egrep eicar
eicar-standard-antivirus-test-files

HTTPS traffic is still inspected by the firewall, but IPS and Antivirus do not work. I tried downloading this file/folder directly from my browser, and there everything worked fine.

Does anyone have the same problem as me? Does anyone have any advice or suggestions on where I've misconfigured something?

Thanks.

2 Replies
PhoneBoy
Admin

For testing anything with EICAR, make sure you do the following on the relevant gateways:

`fw ctl set int g_ci_av_eicar_handling_mode 2`

See also: https://support.checkpoint.com/results/sk/sk109113

CheckPoint_IT
Explorer

Thanks @PhoneBoy.

I have changed `g_ci_av_eicar_handling_mode` as you mentioned above, but I can still download EICAR with the git clone command.
Cloning into 'eicar-standard-antivirus-test-files'...

remote: Enumerating objects: 42, done.
remote: Counting objects: 100% (13/13), done.
remote: Compressing objects: 100% (10/10), done.
Receiving objects: 14% (6/42)

Receiving objects: 26% (11/42)
Receiving objects: 38% (16/42)
Receiving objects: 40% (17/42), 68.00 KiB | 104.00 KiB/s
Receiving objects: 47% (20/42), 68.00 KiB | 104.00 KiB/s
remote: Total 42 (delta 4), reused 5 (delta 1), pack-reused 29
Receiving objects: 100% (42/42), 177.01 KiB | 175.00 KiB/s, done.
Resolving deltas: 38% (7/18)
Resolving deltas: 100% (18/18), done.

The connection is still inspected by HTTPS Inspection, but IPS and Antivirus do nothing.

Do you have any other suggestions? Am I configuring something wrong, or is git clone running in some other way that Check Point cannot inspect?

Thanks.

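An added illustration (not code from this thread or from Check Point) of why a byte signature that fires on a browser download can miss the same file inside a git clone: git's smart HTTP transport delivers objects in a packfile where every object is zlib-deflated, so an inline inspector that only pattern-matches the transport stream sees compressed bytes unless it parses the pack and inflates each object. The marker string and file contents are constructed stand-ins, not the real EICAR string, and the pack-line/sideband framing that wraps the pack on the wire is not modelled; whether the gateway's AV engine actually does this inflation is not something the thread establishes.

```python
import hashlib
import zlib

# Constructed stand-in for the test file's content (not the real EICAR string).
MARKER = b"SIGNATURE-MARKER-CONSTRUCTED-FOR-THIS-EXAMPLE"

def encode_obj_header(obj_type: int, size: int) -> bytes:
    """Pack object header: bits 6-4 of byte 0 hold the type, its low 4 bits start
    the size, each further byte adds 7 size bits; bit 7 = continuation flag."""
    out = bytearray([(obj_type << 4) | (size & 0x0F)])
    size >>= 4
    while size:
        out[-1] |= 0x80
        out.append(size & 0x7F)
        size >>= 7
    return bytes(out)

def build_pack(blobs: list) -> bytes:
    """Minimal version-2 packfile containing only plain blob objects (type 3)."""
    body = b"PACK" + (2).to_bytes(4, "big") + len(blobs).to_bytes(4, "big")
    for content in blobs:
        body += encode_obj_header(3, len(content)) + zlib.compress(content)
    return body + hashlib.sha1(body).digest()   # 20-byte pack checksum

def inflate_pack_objects(pack: bytes) -> list:
    """Walk the pack, decode each object header and inflate its zlib stream.
    Delta objects (types 6/7) need their base object and are rejected here."""
    if pack[:4] != b"PACK":
        raise ValueError("not a packfile")
    count = int.from_bytes(pack[8:12], "big")
    pos, objects = 12, []
    for _ in range(count):
        obj_type = (pack[pos] >> 4) & 0x07
        while pack[pos] & 0x80:          # skip the remaining size bytes
            pos += 1
        pos += 1
        if obj_type in (6, 7):
            raise ValueError("delta objects are not handled here")
        d = zlib.decompressobj()
        objects.append(d.decompress(pack[pos:]))
        pos = len(pack) - len(d.unused_data)   # next object follows this stream
    return objects

def scan_raw(data: bytes) -> bool:
    """What a byte-pattern match on the transport stream sees."""
    return MARKER in data

def scan_inflated(pack: bytes) -> bool:
    """What an inspector sees after parsing the pack and inflating objects."""
    return any(MARKER in obj for obj in inflate_pack_objects(pack))
```

Running `scan_raw` on the built pack returns False while `scan_inflated` returns True, which is the gap a content scanner has to close for git-over-HTTPS traffic.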