Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
CheckPoint_IT
Explorer

Enduser still can download Malware from Public Github although implement Https inspection and IPS

Hi Everyone,

I have a problem with IPS and HTTPS Inspection on CheckPoint Firewall.

I implemented HTTPS Inspection and IPS for Internal traffic and everything seems to work fine (HTTPS traffic being inspected and IPS, Antivirus detect and block access to malicious files).Untitled.png

 

But when I tried to use git clone to download a malware test file from git hub, nothing happened and I still can successfully download this file. 

 

➜ ~ git clone https://github.com/fire1ce/eicar-standard-antivirus-test-files.git 

Cloning into 'eicar-standard-antivirus-test-files'...
remote: Enumerating objects: 42, done.
remote: Counting objects: 100% (13/13), done.
remote: Compressing objects: 100% (10/10), done.
remote: Total 42 (delta 4), reused 5 (delta 1), pack-reused 29
Receiving objects: 100% (42/42), 177.01 KiB | 280.00 KiB/s, done.
Resolving deltas: 100% (18/18), done.

➜ ~ ls | egrep eicar
eicar-standard-antivirus-test-files

HTTPS traffic is still inspected by the Firewall, but IPS and antivirus do not work. I tried downloading this file/folder directly from my browser but everything worked fine.

Does anyone have the same problem as me? Does anyone have any advice or suggestions on where I've misconfigured?

Thanks.

 

 

0 Kudos
3 Replies
PhoneBoy
Admin
Admin

For testing anything with EICAR, make sure you do the following on the relevant gateways: fw ctl set int g_ci_av_eicar_handling_mode 2

See also: https://support.checkpoint.com/results/sk/sk109113

0 Kudos
CheckPoint_IT
Explorer

Thank @PhoneBoy 

I have changed int g_ci_av_eicar_handling_mode as you mentioned above.  But, I still can download EICAR by git clone command. 

 

Cloning into 'eicar-standard-antivirus-test-files'...

remote: Enumerating objects: 42, done.
remote: Counting objects: 100% (13/13), done.
remote: Compressing objects: 100% (10/10), done.
Receiving objects: 14% (6/42)

Receiving objects: 26% (11/42)
Receiving objects: 38% (16/42)
Receiving objects: 40% (17/42), 68.00 KiB | 104.00 KiB/s
Receiving objects: 47% (20/42), 68.00 KiB | 104.00 KiB/s
remote: Total 42 (delta 4), reused 5 (delta 1), pack-reused 29
Receiving objects: 100% (42/42), 177.01 KiB | 175.00 KiB/s, done.
Resolving deltas: 38% (7/18)
Resolving deltas: 100% (18/18), done.

The connection is still inspected by HTTPS Inspection but IPS and antivirus do nothing.

Do you have any other suggestions? Am I configuring something wrong or is the git clone running in some other way that Checkpoint cannot inspect?

Thanks.

 

 

0 Kudos
PhoneBoy
Admin
Admin

Is Anti-Virus enabled?
If not, it needs to be.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events