Hi all,
I am facing the below problem.
I have a Sandblast appliance that acts as an MTA, and I have all the blades enabled (AntiBot, AntiVirus, Threat Emulation, Threat Extraction). The IPS blade is disabled on the SG, so it is not functional.
I have created the below profile:
![2022-08-19 09_38_04-192.168.134.10 - SmartConsole.png 2022-08-19 09_38_04-192.168.134.10 - SmartConsole.png](https://community.checkpoint.com/t5/image/serverpage/image-id/17466i352A34F4F4D1B34F/image-size/medium?v=v2&px=400)
I have the problem mentioned in the title.
I would expect my AntiVirus blade to Prevent anything with a Severity of medium to Critical and Confidence Medium to High.
Although it is working fine for High-High or Critical-High, it is not predictable for Medium severity.
I have logs that are Prevent and others that are Detect. The only difference I've noticed is the "Risk", which in the Prevent logs is above 90 and in the Detect logs is around 80. But I am struggling to find any documentation that proves this.
![2022-08-19 09_53_15-192.168.134.10 - SmartConsole.png 2022-08-19 09_53_15-192.168.134.10 - SmartConsole.png](https://community.checkpoint.com/t5/image/serverpage/image-id/17468iF706E01A8E214805/image-size/medium?v=v2&px=400)
I have read about a similar issue in CheckMates for Threat Emulation, and there are multiple explanations about the way the mail is delivered (Rapid vs Hold), but AntiVirus has no such setting.
I am surely missing something but just can't figure it out.
Any help please.
Thanks,