Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
zaoar
Explorer

Ant-Virus on MTA: Medium Confidence always "Detect" instead of "Prevent"

Hi all,

i am facing the below problem.

I have Sandblast appliance where it acts as MTA , and I have all the blades enabled (AntiBot, AntiVirus, Threat Emulation, Threat Extraction). IPS blade is disabled on the SG so not functional.

I have created the below profile:

2022-08-19 09_38_04-192.168.134.10 - SmartConsole.png

I have the problem mentioned on the title.

I would expect my AntiVirus blade to Prevent anything with a Severity of medium to Critical and Confidence Medium to High.

Although it is working fine for High-High or Critical -High it is not predictable for Medium severity.

I have logs that is Prevent and others that are Detect. The only difference i ve noticed is the "Risk" were in the prevent logs is above 90 and in the Detect is around 80. But i am straggling to find any documentation that proves this.

2022-08-19 09_51_47-192.168.134.10 - SmartConsole.png           2022-08-19 09_53_15-192.168.134.10 - SmartConsole.png

I have read similar issue in CheckMates for threat Emulation and there are multiple explenations about the way the mail is delivered(Rapid vs Hold) but AntiVirus has not such a setting.

I am surely missing something but just cant figure it.

Any help please.

 

Thanks,

 

0 Kudos
5 Replies
Chris_Atkinson
Employee
Employee

Can you please share one of the detect logs in more detail?

Please redact any sensitive parts...

0 Kudos
zaoar
Explorer

2022_08_19_12_54_00_Log_Details.png

2022_08_19_12_56_24_Log_Details.png

  

2022-08-19 13_01_55-Log Details.png

0 Kudos
Chris_Atkinson
Employee
Employee

Apologies I can't really make out the screenshots and the risk levels on my mobile device.

Thomas describes a similar case here that he reviewed in debugs, risk of above 80 should yield prevent unless something was changed.

https://community.checkpoint.com/t5/Threat-Prevention/SandBlast-and-links-inside-email/td-p/15798

0 Kudos
anstelios
Contributor

We are having a similar experience in our installations,

From the logs I've seen so far I can tell that the risk should be over 90 in order to get blocked!

Can someone from Checkpoint confirm this?? 

0 Kudos
Chris_Atkinson
Employee
Employee

I have enquired internally, please raise or share corresponding TAC SR details (via PM).

0 Kudos