This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chinmaya_Naik
Advisor
‎2019-04-10 12:53 AM

MTA malicious sites inside the | Mail Body | Mail Subject | Attachment [TE100x]

OS : R80.20 both Gateway and Management Server and also TE.

TE Engine Version : 58.990000298 

HotFix : R80.20 Jumbo Hotfix Take_33

MTA : R80_20_mta Take 27

BLADE: Threat Emulation | Threat Extraction | Antivirus | AntiBot  | IPS 

We configure Gateway as a MTA.

We using both Threat Emulation and Threat Extraction only for SMTP traffic.

I did some testing and find below results.

Scenario1 : When we put malicious URL on mail body.

Results: Malicious URL was totally removed.

Scenario2 : When we put malicious URL on Mail Subject.

Results : Malicious URL was modified but not totally removed.

Scenario3 : When we put malicious URL on Mail Subject and also in Mail Body.

Results : Malicious URL was modified on Subject but not in the mail body , still the malicious URL in mail body showing as is it.

Scenario4 : For example I put genuine URL on Mail subject like "www.google.com" and put malicious URL in Mail body.

Results: Malicious URL was removed from Mail Body and no changes on Mail Subject.


QUERY : If I put the same malicious URL in a attachment then :


Is this malicious URL is totally we able to removed in attachment ?

Is this only remove the hyper link in attachment ?

Is this possible to modified the malicious URL in attachment ?

Also Scenario5: If I send a malicious URL with out "https or http" then URL is not able to detect.
So is URL reputation is only check if URL is in started from http or https  only.

@Chinmaya_Naik 

0 Kudos
6 Replies
G_W_Albrecht
Legend Legend
Legend
‎2019-04-10 01:48 AM

This is an interesting test - but except the used appliance TE100x, we do neithr know CP Version, TE engine version nor Jumbo take installed !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Chinmaya_Naik
Advisor
‎2019-04-10 02:06 AM
In response to G_W_Albrecht

Updated

We also plane to upgrade the MTA , HotFix and also TE Engine and check the behavior.

@Chinmaya
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2019-04-10 03:01 AM
In response to Chinmaya_Naik

The TE engine itself is two steps from current - your version is from 16-Jan-19,

current Engine:58.990000617 from 31-Mar-19.

 

Jumbo HotFix : R80.20 Jumbo Hotfix Take_33 is from 08 January 2019, GA from 04 February 2019,

current General Availability Take 47 is from 24 February 2019, GA from 25 Mar 2019, Ongoing Take 73 (08 Apr 2019) is also available (but not yet supported by the MTA update package 😞

 

MTA : R80_20_mta Take 27,

current version is R80_20_mta Take 31 from 4.4.19

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Chinmaya_Naik
Advisor
‎2019-04-10 03:07 AM
In response to G_W_Albrecht

@G_W_Albrecht 

Thanks for your reply.

Yes I understand  and I will update to latest version and check But have any body face this behavior yet ?

@Chinmaya_Naik 

Chinmaya_Naik
Advisor
‎2019-07-02 10:54 PM
In response to Chinmaya_Naik

Hi Team,

Anyone help me to clarify the concept.

I need a clear idea about how exactly MTA work with the malicious link when I send via Mail Body, Mail Subject and Attachment.

We need to give a clear idea to our customer. 

Thanks in Advanced.

Regards

Chinmaya 

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2019-07-03 01:31 AM
In response to Chinmaya_Naik

I would suggest to open a SR# with CP TAC to get answers on this !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events