MTA and threat emulation behavior and logs

Sometimes when we get a threat coming in via e-mail, we only see logs from the MTA and Anti-Spam/Anti-Bot blades, even when these e-mails contain links and attachments. Fortunately our secondary anti-spam and malware appliance is able to detect and block these.

I would expect that because of the attachments and links, this traffic would get processed by Threat Emulation and Threat Extraction. I see the MTA has flagged it as a threat with 1 link and 1 attachment, but no forensics.

I find that I'll still see Threat Emulation logs for e-mail attachments, not sure why I don't see them in some cases.

The MTA log doesn't show the file name, and looking at Threat Emulation and Extraction logs around the same time frame comes up with no related results.

Is this normal behavior, and I'm just not understanding the blades correctly?

[Screenshots attached: 2020-01-30_10h30_38.png, 2020-01-30_10h31_34.png, 2020-01-30_10h32_58.png]

David,

The messages you show were detected with malicious content (links, text etc.) by the Anti-Spam blade.

They are not blocked; they are flagged with "suspected spam" and delivered to the next hop. This behaviour is configured via the Anti-Spam blade.

If you want to remove these types of links from the message, you have to enable this function in your Threat Prevention profile for the MTA under the mail part.

Wolfgang


Hi Wolfgang,

I do have those options enabled. From what I understand you're saying, if the AV blade detects something, even at a medium confidence level, then the Threat Extraction and Threat Emulation blades will be ignored.

Wouldn't it be beneficial if the AV blade has a medium confidence level to have the mail still process through the other blades to see if they detect something at a higher confidence level?

[Screenshot attached: 2020-01-30_15h10_09.png]

Edit: added a better screenshot with more info.

David,

you wrote "From what i'm understanding you're saying, if the AV blade detects something, even at a medium confidence level, then the threat extraction and threat emulation blades will be ignored."

No, definitely not. Both blades are processing those messages. But some of the content of your message is only detected by the Anti-Spam blade. Maybe an offer like for **bleep** enlargements or anything else like this. This is called SPAM, not really malicious but unwanted. If you want to block these with the Anti-Spam blade, you have to change the SPAM level behaviour.

It looks like the other blades didn't detect any malicious content. You can take the information about this content from your other mail-scanning solution and check with Check Point whether it is known to Check Point.

Wolfgang


Maybe I'm misunderstanding the logging behavior. I thought I would see line items for the Threat Emulation blade in the logs, even when they pass/accept, not just the MTA and anti-spam logs.

Our secondary MTA detonated and detected the attachments on these e-mails as containing malware and blocked them, not as spam. Unfortunately I can't get the attachments to detonate in the SandBlast cloud now to see if it was just SandBlast that couldn't detect them after detonation.

Checking back, I don't see the logs for Threat Emulation for attachments from occasional senders after installing MTA Jumbo Take 37 (R80.30), but I do before that take.