Re: SMTP Emulation

chico · ‎2019-05-16

Hello everybody,
I'm new in the checkpoint devices and I have a question about the SandBlast for smtp.
Recently checkpoint blocked an attachment to a customer document. It was a word (.doc) document and after looking the logs I can see that the document was bloqued to protection name "Exploited doc document"

If I look the forensic details I can see that the vulnerable operating systems was for (as shown on the attachement file)
-Win7
-WinXP

So if I use a Windows 10 operating syseme, can I dowload the document serently ?

Regards,

TP_Master · ‎2019-05-16

Hi chico,
Welcome!

No, usually when a file is malicious on one OS it is also malicious on others. The reason we use these images (XP & 7) is that they are the most common and therefore attackers usually make their malware run on them. In the sandbox we want to entice the malware to run. But it doesn't mean that Windows 10 is secured against this file.

chico · ‎2019-05-21

Hello,

Thank you for your answer.

Do you know how to create an alert by mail or syslog when an critical smtp Emulation event arrive ? I don't find anything about that in the smartEvent.

Regards,

TP_Master · ‎2019-05-22

Are you able to create SME reaction / e-mail alert on Threat Emulation events in general? just don't know how to filter by Critical severity & SMTP?

chico · ‎2019-05-23

Hi,

I'm able to create reaction but I don't know how to filter by critical severity and SMTP protocole.

Regards,

Are you a member of CheckMates?

SMTP Emulation