This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
JPR
Collaborator
‎2023-11-22 06:45 AM

UserCheck page seemingly working randomly

Hi all,

I'm blocking Executables among other file types with Content Awareness and configured it to display a blocked UserCheck message when it hits that rule. However, the block message is not working all the time and I can't precisely figure out why.

This is the rule:

rule.png

And this is logs when it works:

works.png

And this is logs when it doesn't work (the rule as such works, however, it doesn't display the block message; it just cancels the download):

notworking.png

So, the apparent difference is that when it doesn't show the UserCheck message, the action is "Redirect" and when it does show it it's "Block". I've found another post discussing this, however, not a solution: https://community.checkpoint.com/t5/Management/Content-Awareness-things-that-do-not-work/m-p/139442#...

Is there a reason to this behaviour? And is it fixed in a later version? Running R81.

Thanks!

Best regards

0 Kudos
7 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-11-22 06:54 AM

sk100571: Webpage does not redirect to UserCheck page

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
JPR
Collaborator
‎2023-11-27 06:38 AM
In response to G_W_Albrecht

Hi,

Thanks for your reply, however, I don't think it addresses my issue. It seems like it only fails to display the UserCheck message when the download link redirects the actual download somewhere else and it might be something to do what PhoneBoy mentions that it's simply not possible to inject the UserCheck page in the connection stream.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-11-22 07:22 AM

I had this issue before and below is how I fixed it.

Andy

 

 

Screenshot_1.png

 

Best,
Andy
JPR
Collaborator
‎2023-11-27 06:35 AM
In response to the_rock

Hi Andy,

Thanks for your reply. Unfortunately it didn't resolve the issue.

I suspect it has something to do with what PhoneBoy mentions in his comment, because it seems only to malfunction when the download link redirects the download to somewhere else which also would explain the "Redirect" log.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-11-27 06:39 AM
In response to JPR

You need https inspection 100%. Without it, even for URLF blade, it will just show you goofy page that its reset or something like that, so to a regular user, they will be calling your help desk all day long : - )

Andy

Best,
Andy
Timothy_Hall
MVP Gold
MVP Gold
‎2023-11-27 12:27 PM
In response to JPR

I've seen this before, if a detection was made in an HTTP download stream a UserCheck cannot be displayed since the browser is just expecting a stream of downloaded bytes that it is directing into a file, it is not parsing the downloaded contents for HTML code that could display a UserCheck to the user.  A TCP RST and failed download is the only way out here.  The "Redirect" action you saw means that a UserCheck was configured to be sent, but could not be for technical reasons, and the user never saw it.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
PhoneBoy
Admin
Admin
‎2023-11-23 06:26 AM

Depending on when in the connection stream we detect an executable is being downloaded, it may not be possible to inject a UserCheck page.
This almost certainly will require HTTPS Inspection to be enabled as well. 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events