Biju_Nair
Contributor

File size for emulation

Hi,

Is there a minimum file size for emulation?

I tried downloading a file from eicar.com which was 68 Bytes. But it didn't get emulated, while a file of 308 Bytes from the same site got emulated.

Is this configurable in the TE appliance, where we could define the minimum and maximum file size for emulation?

Also, is it possible to exclude some traffic from emulation?

Regards,

Biju

0 Kudos
7 Replies
Albin_Hakansson
Participant

If you are running anti-virus while downloading the eicar file, it should have caught it and not have to be emulated.

Maximum file size can be configured. In R80.10 you can find it in "Manage & Settings -> Blades -> Threat Prevention -> Threat Emulation".

As far as I know, there is no lower limit, and it can't be configured.

In the threat prevention policy, you decide the "Protected Scope". Here you decide what traffic you want to be inspected according to which Threat Prevention profile. So if you wish that some traffic should not be emulated, you can define a new rule with a Threat Prevention profile that does not run Threat Emulation.

This is assuming your activation mode is "According to policy" (check: Open the TE unit -> Threat Emulation).

0 Kudos
Biju_Nair
Contributor

The reason for my question was that I was trying to download a file from eicar.com which was 68 Bytes, and it didn't emulate. However, a 308 Bytes file from the same website got emulated.

What could have happened that the 68 Byte file didn't emulate?

Regards,

Biju Nair

Sent from my iPhone

0 Kudos
Albin_Hakansson
Participant

I'm not sure. Was it the HTTPS file maybe and you are not running HTTPS inspection?

What do your traffic logs say?

0 Kudos
Biju_Nair
Contributor

It was HTTP traffic. I forgot to mention one thing: the HTTP traffic actually comes from the proxy via ICAP to the TE device.

To answer you: in the firewall log it shows the ICAP traffic from the proxy, and then in the emulation log it doesn't show anything.

Regards,

Biju Nair

Sent from my iPhone

0 Kudos
PhoneBoy
Admin

You can set the maximum file size here (in R80.10):

0 Kudos
Prashant
Participant

Hi - Please see the AV/AB logs, in case they are enabled; it might have been processed by these blades before the file could be emulated.

Thomas_Werner
Employee Alumnus

Nope. The AV blade is currently not officially available in ICAP, so that can't be the issue.

Did you check the access.log of the ICAP server to be sure that EICAR.COM is really passed to us?

access.log is stored in $FWDIR/log/c-icap/

It is advisable to change the log format before consulting the log, otherwise you won't "see" much info in this log.

To extend logging do the following:

1) vi /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf
2) Search for "AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log"
3) Add this line before the above finding:
          LogFormat accessFormat "%tl, %la %a %im %iu %is %huo '%<ho' '%{X-Infection-Found}<ih'"
4) Change the AccessLog line to:
         AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log accessFormat

So the section in c-icap.conf should now look like this:
         LogFormat accessFormat "%tl, %la %a %im %iu %is %huo '%<ho' '%{X-Infection-Found}<ih'"
         AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log accessFormat

So the troubleshooting flow should be:

1) Do you see the file from the proxy to our ICAP server in access.log?

2) Do you see the file being handled in $FWDIR/log/ted.elg?

Regards Thomas
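As an added example (not from the thread and not Check Point code), a small Python parser for access.log lines written in the LogFormat above, to answer step 1 of the troubleshooting flow: was the EICAR file actually handed from the proxy to the ICAP server, and did the reply carry an X-Infection-Found header? The field meanings are assumed from the c-icap LogFormat convention, and the sample log lines and the host eicar.example are constructed.

```python
import re

# Regex for the access.log LogFormat from the post:
#   %tl, %la %a %im %iu %is %huo '%<ho' '%{X-Infection-Found}<ih'
# Field meanings assumed from the c-icap LogFormat convention: local time,
# ICAP server IP, ICAP client IP, ICAP method, ICAP request URI, ICAP status,
# original HTTP URL, quoted HTTP status line, quoted X-Infection-Found header.
ACCESS_RE = re.compile(
    r"^(?P<time>[^,]+), (?P<icap_server>\S+) (?P<icap_client>\S+) "
    r"(?P<method>\S+) (?P<icap_uri>\S+) (?P<icap_status>\S+) "
    r"(?P<http_url>\S+) '(?P<http_status>[^']*)' '(?P<infection>[^']*)'$"
)

def parse_access_line(line):
    """Return the fields of one access.log line as a dict, or None on no match."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # c-icap writes "-" for absent fields (e.g. no HTTP URL on OPTIONS requests)
    return {k: (None if v == "-" else v) for k, v in rec.items()}

def check_file_seen(log_text, filename):
    """Return (seen, infection, hits) for requests whose HTTP URL ends in filename.

    seen: the proxy handed at least one such request to the ICAP server.
    infection: first non-empty X-Infection-Found value among those hits, else None.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None or rec["http_url"] is None:
            continue
        if rec["http_url"].lower().rstrip("/").endswith("/" + filename.lower()):
            hits.append(rec)
    infection = next((r["infection"] for r in hits if r["infection"]), None)
    return bool(hits), infection, hits

# Constructed sample lines (not real logs); eicar.example is a placeholder host.
SAMPLE_LOG = """\
Tue Mar 13 10:02:11 2018, 10.0.0.5 10.0.0.20 OPTIONS icap://10.0.0.5:1344/respmod 200 - '-' '-'
Tue Mar 13 10:02:15 2018, 10.0.0.5 10.0.0.20 RESPMOD icap://10.0.0.5:1344/respmod 200 http://eicar.example/eicar_com.zip 'HTTP/1.1 200 OK' 'Type=0; Resolution=2; Threat=EICAR-Test-File;'
Tue Mar 13 10:02:20 2018, 10.0.0.5 10.0.0.20 RESPMOD icap://10.0.0.5:1344/respmod 200 http://eicar.example/eicar.com 'HTTP/1.1 200 OK' '-'
"""

if __name__ == "__main__":
    for name in ("eicar.com", "eicar_com.zip", "eicarcom2.zip"):
        seen, infection, _ = check_file_seen(SAMPLE_LOG, name)
        print(f"{name}: reached ICAP={seen}, X-Infection-Found={infection}")
```

A file that never appears in access.log was not passed by the proxy at all, so the TE log (ted.elg) cannot show it; one that appears without X-Infection-Found reached the ICAP server and the question moves to step 2.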
