I would like your opinion on the following behavior of Threat Emulation:
One of our customers with a local TE250X appliance experienced a serious issue during a malware campaign where the first malicious file that arrived at the appliance (via MTA) was prevented by TE, as it should be. However, the following files with the same hash were allowed (and thus received in mailboxes)!
I understood that if a file is detected as malicious it should be put in the malicious cache, so we had a big surprise when we found all these hashes in the benign cache instead of the malicious one. The same happened for more files that arrived that day:
As you can see in the photo, all files had one thing in common: Severity High and Confidence N/A. The Optimized profile is in use (the engine version at that time was 58.990000492).
We tried debugging with the same files later that day, but the confidence level changed to HIGH and the files were put in the malicious cache correctly.
So now we have the following concerns:
- Is it expected behavior (putting the file in the benign cache) when the file's confidence cannot be determined, even if the severity already has a level (High in this case)?
- How does Check Point determine the confidence level for security events?
Currently we have a case open with TAC, but although we have already sent a lot of information, they could not explain this behavior yet.
Has someone experienced the same? I would appreciate your comments.