AV behavior with TE enabled

nagaraja_cs · ‎2019-01-02

Hi everyone,we have setup where IPS,AB ,AV and TE is enabled.TE is enabled on separate device and integrated in gateway.

We have bypassed password protected file from Threat Emulation(TE) ,this behavior works fine when all blades are enabled(IPS,AB,AV,TE) and there is no log for AV,we can see benign log for TE.

But when I disable TE ,the same password protected file will be blocked by AV,we can see the prevent logs for AV.

I want to understand how the threat prevention engine behaves when we enable all the blades,is it bypassing the AV ?

If so why it is bypassing ?

Why the same file is not inspecting by AV when AV is enabled alongwith TE.

SSlater · ‎2019-01-02

The Threat Prevention Engine behaves as per Configuration when we enable all the blades, or a limited number of them.

We will rely on the configuration from your Threat Prevention Profile for Inspection Settings for AV, and TE.

When TE (Threat Emulation) is enabled, and configured for specific filetypes, it will incorporate AntiVirus into it's inspection, and if configured to By-Pass based on specific criteria, we will see a Bypass, or Benign result based on bypass.

When TE is Disabled, Anti-Virus will be operating on it's own.

- In my experience, I have not seen AV Blade having the ability to deal with Password-Protected files.

- If you can post a Log of the AV Drop, we may be able to see that it relied on Fail-Mode for the Block/Drop Action.

- If you aren't comfortable posting your Network Logs in the community forum, I recommend a TAC Ticket.

nagaraja_cs · ‎2019-01-03

We have two profiles,one for only AV and another for IPS+AV+AB+TE.

Engine setting is set to Fail-Close mode and Resource Classification mode is set to 'Hold' for both profiles.

Some of the files are getting blocked with error "Failed to process file" when we select the profile where only AV is enabled.

I will share the log screenshot in sometime.

Are you a member of CheckMates?

AV behavior with TE enabled