Shahar_Grober
Advisor

MTA AV Exceptions

Hi, AV in MTA is blocking one of our emails coming from a trusted source. This is a false positive. The only option I see to exclude the sender mail address is in IPS profile --> Threat Emulation --> Excluded Mail Addresses. Is there a way to exclude emails from MTA scanning until the issue is resolved with the AV?
0 Kudos
10 Replies
PhoneBoy
Admin

Seems to me you could create a modified Threat Prevention policy to do this, where traffic coming from your partners SMTP server doesn't have AV applied…
0 Kudos
Shahar_Grober
Advisor

The problem is that the traffic is incoming from the mail relay. The AV MTA doesn't have a way to exclude email addresses (as opposed to TE MTA). According to TAC I have to use indicators to exclude it from the Threat Prevention policy, but this makes everything more complicated since I cannot exclude only the trusted sender email address.
0 Kudos
PhoneBoy
Admin

That's why I suggested using the IP address of the SMTP server (assuming they're coming from the same IP).
0 Kudos
Shahar_Grober
Advisor

This is not possible because the IP address is that of the mail relay: External SMTP Mail Server --> Mail Relay --> Check Point MTA --> Exchange. The MTA sees only the mail relay, so I cannot exclude the mail of the external SMTP server because the source is the mail relay.
MikeB
Advisor

Hi @Shahar_Grober, I'm experiencing the same situation with a client (AV MTA with false positive).
Were you able to solve this? I would greatly appreciate your comments.
0 Kudos
Shahar_Grober
Advisor

Hi Miguel,

The easiest way is to use IOC Indicators exceptions (mark them as inactive):

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...)


The documentation is not the greatest, but you need to build a CSV file in the following format (one comma-separated indicator per line, after the commented header):

# UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT
Indicator_bypass,https://abcd.com,URL,low,low,AV,bypass1
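The indicator file is easy to get wrong in exactly the way the pasted line shows (fields separated by spaces instead of commas), and a malformed file fails silently at import time. The following Python script is an added example, not code from this thread or from Check Point: it renders indicator rows in the header layout quoted above and validates a file before it is uploaded. The column names, the TYPE value URL, the level "low" and the product "AV" come from the post; the remaining permitted values in ALLOWED_TYPES, ALLOWED_CONFIDENCE, ALLOWED_SEVERITY and ALLOWED_PRODUCTS are assumptions to be checked against the release notes of the version in use, and the sample rows are constructed.

```python
import csv
import io

# Column layout taken from the indicator CSV header quoted in the thread.
COLUMNS = ["UNIQ-NAME", "VALUE", "TYPE", "CONFIDENCE", "SEVERITY", "PRODUCT", "COMMENT"]

# Permitted values. "URL", "low" and "AV" appear in the thread; every other
# entry is an assumption about the vendor's indicator format and should be
# verified against the documentation for the release actually deployed.
ALLOWED_TYPES = {"URL", "Domain", "IP", "IP Range", "MD5",
                 "Mail-from", "Mail-to", "Mail-cc", "Mail-reply-to", "Mail-subject"}
ALLOWED_CONFIDENCE = {"low", "medium", "high"}
ALLOWED_SEVERITY = {"low", "medium", "high", "critical"}
ALLOWED_PRODUCTS = {"AV", "AB"}


def build_indicator_csv(rows):
    """Render a list of dicts keyed by COLUMNS as the comma-separated file."""
    buf = io.StringIO()
    buf.write("# " + ",".join(COLUMNS) + "\n")
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([row[col] for col in COLUMNS])
    return buf.getvalue()


def validate_indicator_csv(text):
    """Return a list of problems found; an empty list means the file parsed cleanly."""
    problems = []
    seen_names = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        # Blank lines and '#' comment lines (including the header) carry no indicator.
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        fields = next(csv.reader([raw]))
        if len(fields) != len(COLUMNS):
            # This is the failure mode of the space-separated line in the thread.
            problems.append(f"line {lineno}: expected {len(COLUMNS)} comma-separated "
                            f"fields, found {len(fields)}")
            continue
        row = dict(zip(COLUMNS, (f.strip() for f in fields)))
        if not row["UNIQ-NAME"]:
            problems.append(f"line {lineno}: UNIQ-NAME is empty")
        elif row["UNIQ-NAME"] in seen_names:
            problems.append(f"line {lineno}: duplicate UNIQ-NAME {row['UNIQ-NAME']!r}")
        seen_names.add(row["UNIQ-NAME"])
        if not row["VALUE"]:
            problems.append(f"line {lineno}: VALUE is empty")
        if row["TYPE"] not in ALLOWED_TYPES:
            problems.append(f"line {lineno}: unknown TYPE {row['TYPE']!r}")
        if row["CONFIDENCE"] not in ALLOWED_CONFIDENCE:
            problems.append(f"line {lineno}: unknown CONFIDENCE {row['CONFIDENCE']!r}")
        if row["SEVERITY"] not in ALLOWED_SEVERITY:
            problems.append(f"line {lineno}: unknown SEVERITY {row['SEVERITY']!r}")
        if row["PRODUCT"] not in ALLOWED_PRODUCTS:
            problems.append(f"line {lineno}: unknown PRODUCT {row['PRODUCT']!r}")
    return problems


# Constructed sample: the single URL exception from the thread, as a row dict.
SAMPLE_ROWS = [{
    "UNIQ-NAME": "Indicator_bypass", "VALUE": "https://abcd.com", "TYPE": "URL",
    "CONFIDENCE": "low", "SEVERITY": "low", "PRODUCT": "AV", "COMMENT": "bypass1",
}]

# Constructed sample: the same indicator written with spaces, as it was pasted.
SPACE_SEPARATED_LINE = "Indicator_bypass https://abcd.com URL low low AV bypass1"

if __name__ == "__main__":
    text = build_indicator_csv(SAMPLE_ROWS)
    print(text)
    print("well-formed file:", validate_indicator_csv(text))
    print("space-separated line:", validate_indicator_csv(SPACE_SEPARATED_LINE))
```

Run the validator over the file before importing it; a result of `[]` means every line has the seven comma-separated columns, a unique name, and values in the permitted sets, while the space-separated variant is reported as a single field instead of seven.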
Cristian_F_CCSM
Contributor

Hello, we have the same issue.

We implemented the threat prevention exclusion for the URLs via SmartConsole (global exceptions).

We will test the configuration in the next days, we will update the community.

Regards.

0 Kudos
Cristian_F_CCSM
Contributor

Hello, this configuration doesn't work.

We will proceed with IOC Indicators exceptions... stay tuned!

0 Kudos
Cristian_F_CCSM
Contributor

Hello, not even the use of IOC Indicators (inactive) solved the problem.
We will open an SR to the TAC.

Regards

0 Kudos
Cristian_F_CCSM
Contributor

Hello, we used sk166272 with success.

Regards.

0 Kudos