This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Shahar_Grober
Advisor
‎2019-03-25 03:02 AM

MTA AV Exceptions

Hi, AV in MTA is blocking one of our emails coming from a trusted source This is a False positive. The only option I see to exclude the sender Mail Adress is in IPS profile --> Threat Emulation --> Excluded Mail Adresses. Is there a way to exlude Emails from MTA scanning until the issue is resolved with the AV?
0 Kudos
10 Replies
PhoneBoy
Admin
Admin
‎2019-03-25 06:48 AM

Seems to me you could create a modified Threat Prevention policy to do this, where traffic coming from your partners SMTP server doesn't have AV applied…
0 Kudos
Shahar_Grober
Advisor
‎2019-03-26 03:00 AM
In response to PhoneBoy

The problem is that the traffic is incoming from the mail relay The AV MTA doesn't have a way to exclude email addresses (in opposite to TE MTA) According to TAC I have to use indicators to exclude it from Threat Prevention policy but this makes everything more complicated since I cannot only exclude the trusted sender email address
0 Kudos
PhoneBoy
Admin
Admin
‎2019-03-26 02:45 PM
In response to Shahar_Grober

That's why I suggested using the IP address of the SMTP server (assuming they're coming from the same IP).
0 Kudos
Shahar_Grober
Advisor
‎2019-03-27 10:44 AM
In response to PhoneBoy

This is not possible because the IP address is of the mail relay External SMTP Mail server --> Mail Realy --> Check Point MTA --> Exchange The MTA sees only the mail relay so I cannot exclude the mail of the external SMTP server because the source is the mail relay
MikeB
Advisor
‎2019-09-05 01:16 PM
In response to Shahar_Grober

Hi @Shahar_Grober, Im experiencing the same situation with a client (AV MTA with false positive).
were you able to solve this??? I would greatly appreciate your comments
0 Kudos
Shahar_Grober
Advisor
‎2019-09-06 01:31 AM
In response to MikeB

Hi Miguel,

the easiest way is to use IOC Indicators exceptions (mark them as inactive)

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...)


documentation is not the greatest but you need to build a csv file in the following format

# UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT
Indicator_bypsass https://abcd.com URL low low AV bypass1
Cristian_F_CCSM
Contributor
Contributor
‎2024-02-29 09:24 AM
In response to Shahar_Grober

Hello, we have the same issue.

We implemented the threat prevention exclusion for the URLs via Smart Console (global exeptions).

We will test the configuration in the next days, we will update the community.

Regards.

0 Kudos
Cristian_F_CCSM
Contributor
Contributor
‎2024-02-29 11:24 PM
In response to Cristian_F_CCSM

Hello, this configuration doesn't work.

We will proceed with IOC Indicators exceptions... stay tuned!

0 Kudos
Cristian_F_CCSM
Contributor
Contributor
‎2024-03-04 01:47 AM
In response to Cristian_F_CCSM

Hello, not even the use of IOC Indicators (inactive) solved the problem.
We will open an SR to the TAC.

Regards

0 Kudos
Cristian_F_CCSM
Contributor
Contributor
‎2024-03-05 06:34 AM
In response to Cristian_F_CCSM

Hello, we used sk166272 with success.

Regards.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    In-Person

    Tue 25 Mar 2025 @ 09:00 AM (EDT)

    Canada In-Person Cloud Security with Hands-On CloudGuard Workshops!
    In-Person

    Tue 25 Mar 2025 @ 12:00 PM (MDT)

    Salt Lake City: CPX 2025 Recap
    In-Person

    Tue 08 Apr 2025 @ 12:00 PM (MDT)

    Denver: CPX 2025 Recap
    CheckMates Events
    li.common.scroll-to.top