This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Thomas_Werner
Employee Alumnus
Employee Alumnus
‎2018-04-11 02:45 AM

Understanding Threat Emulation logs

In a TE log you can find additional important information how a file was processed:

In the example above "trusted source" means that this file was bypassed by the global whitelist hence it was not emulated.

Different values explained:

ValueComment
trusted sourcefile bypassed emulation due to Check Point maintained and automatically updated TE whitelist
emulatorfile was locally emulated on a SandBlast Appliance
cloud emulationfile was sent to cloud emulation
remote emulationfile was sent to a remote SandBlast Appliance for emulation (this log is usually issued by a gateway connected to a SandBlast appliance)
static analysisfile was pre-filtered by static analysis and was not emulated
local cachefile´s SHA1 was already found in cache (# tecli cache dump all) and was not emulated; action is based on the cached verdict
archivehandled file was an archive
loggerYou get "logger" for a "malicious" file as verdict decider when the file was not successfully emulated but other advisories already convitced the file as malicious
fileWhen trying to emulate the file the actual file size was 0

In depth info of e.g. static analyis, cache handling etc can be found in the amazing ATRG: Threat Emulation SK:

ATRG: Threat Emulation 

With this knowledge you can easily query all files that e.g. were really sent to cloud for emulation:

With SmartLogs Timeline results you can even quickly check how file amount was handled over a certain timeframe.

This is also helpful for investigating performance/throuput issues.

Reply
4 Replies
Olga_Kuts
Advisor
‎2018-08-01 05:47 AM

Thanks for explanation! But what does this output mean?

Win7,Office 2013,Adobe 11:logger

Reply
Thomas_Werner
Employee Alumnus
Employee Alumnus
‎2018-08-07 12:26 AM

Hi Olga,

good question 🙂

We run several so called "investigators" in TE. One of them is "logger" - it is responsible for creating a summarized report when the verdict is "malicious".

The logger is then sending the log to the Mgmt. When the verdict "decider" is "logger" it means that the file arrived at the logger investigator with no previous conviction by TE.

This can happen when emulation is not possible due to an error in the emulation process. So usually this results also in an emulation error but if other advisories (besides the sandbox emulation) already convicted the file as malicious the logger changes the "error" verdict to "malicious".

So as a summary:

You get "logger" for a "malicious" file as verdict decider when the file was not successfully emulated but other advisories already convicted the file as malicious.


Regards Thomas

Reply
Andre_K
Contributor
‎2019-10-04 04:08 AM
In response to Thomas_Werner

Dear Thomas,

Regarding the value 'trusted source', is it possible to view the contents of the TE whitelist maintained by Check Point?

Best regards,

Andre
Reply
felip3gustavo
Explorer
‎2020-03-18 09:36 AM

What about logs with "policy" ? We found that too with r80.30 gateway.

Win10 64b,Office 2016,Adobe DC: policy. Win7,Office 2013,Adobe 11: policy.

Reply