This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sarm_Chanatip
Collaborator
‎2019-07-22 09:25 PM

Anti-Bot is not working as expected

Hi everyone!

I'm do testing Anti-Bot software blade in R80.30 and found something that looks like does not work as expected.

The Security Gateway is able to block definitely with Medium Confidence but if High Confidence does not work and the site test is bypassed, please see screenshots and explanations below

Here are the URLs that I used for Anti-Bot test purpose 

https://www.threat-cloud.com/test/files/LowConfidenceBot.html
https://www.threat-cloud.com/test/files/MediumConfidenceBot.html
https://www.threat-cloud.com/test/files/HighConfidenceBot.html

http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html

 

1st screenshot.ab4.jpg
I have already enabled and configured profile on Activation Mode, both High and Medium confidence are Prevented, only Low confidence will be detected.

2.nd screenshot.abt1.jpg

Test Anti-Bot with High Confidence by connecting to https://www.threat-cloud.com/test/files/HighConfidenceBot.html
( found nothing blocking from the gateway and any logs ) The user could access the site.

 
3rd screenshot.
abt2.jpg

 

 

 

ab1.jpg
Test Anti-Bot with High Confidence by connecting to https://www.threat-cloud.com/test/files/MediumConfidenceBot.html

The Gateway was able to block this site definitely as expected due to this site is detected as a Medium Confidence level.

 

4th screenshot.
abt3.jpg

 

ab2.jpg

Test Anti-Bot with High Confidence by connecting to https://www.threat-cloud.com/test/files/LowConfidenceBot.html

The Gateway was able to detect this site definitely as expected due to this site is detected as a Low Confidence level.

 

5th screenshot,
abt4.jpg

 

ab3.jpg


Test Anti-Bot with High Confidence by connecting to http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html

The Gateway wasn't able to block this site as expected. And from the logs found it appears to redirect an action

 

My question is why does the security gateway is not able to block the site https://www.threat-cloud.com/test/files/HighConfidenceBot.html and http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html?

 

Anyone has any ideas on this.

 

Really appreciate every comment.

 

Regards,

Sarm

 

0 Kudos
9 Replies
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2019-07-23 08:30 AM

Hi Sarm,

Some of the URLs in question are generally used to test / trigger Endpoint (Sandblast Agent) are you seeing different behavior on other gateway versions?

Another useful tool that you may already be familiar with is CheckMe.

Regards,
Chris
CCSM R77/R80/ELITE
0 Kudos
Sarm_Chanatip
Collaborator
‎2019-07-31 12:39 AM
In response to Chris_Atkinson

Hi Chris,

 

Thank you for comment.

 

As this is the latest version and I think it should be able to block as expected.

I had ever tested this prior R80.30 such as R80.10/R80.20 for example if I recall correctly they were blocked in those versions.

 

However, I also do a test on SandBlast Mobile Agent but they are not getting blocked as well.

 

Regards,

Sarm

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2019-07-31 12:46 AM
In response to Sarm_Chanatip

Hi Sarm,

Why do you think it is expected? The URLs are for Endpoint Security testing (Endpoint Complete / SandBlast Agent).

Consider the scenario that if the Gateway were to block them it would be difficult to test the Endpoint.

Regards,
Chris

CCSM R77/R80/ELITE
0 Kudos
Sarm_Chanatip
Collaborator
‎2019-07-31 12:53 AM
In response to Chris_Atkinson

Hi Chris,

 

Thanks for a quick reply.

 

I'm probably wrong if some of URLs are only supported for Endpoint Security testing.

But if we consider the link Test Anti-Bot (http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html) from Check Point ThreatWiki this should work, right?  But it does not.

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2019-07-31 12:58 AM
In response to Sarm_Chanatip

Thanks for clarifying, will confirm the status of the ThreatWiki link in particular and revert.

CCSM R77/R80/ELITE
0 Kudos
Sarm_Chanatip
Collaborator
‎2019-07-31 01:01 AM
In response to Chris_Atkinson

Otherwise, please ensure that Test Threat Emulation link works also because it just has only Test Anti-Virus link works

 

Thank you in advance.

 

Regards,

Sarm

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2019-07-31 05:48 AM
In response to Sarm_Chanatip

 

Lab Scenario 1. All Anti-bot tests triggered (note the Protection Name & Resource).

Gateway: R80.20
Browser: IE11 

ABOT.png

Will follow-up with R80.30 confirmation as time permits.

 

CCSM R77/R80/ELITE
0 Kudos
Dave_Hollis
Explorer
‎2019-08-14 02:17 PM
In response to Chris_Atkinson

I've found that Firefox 68.0.1 and Chrome 76.0.3809.100 on Mac do not get the UserCheck page when using the Antibot test pages, but Safari does as does IE on Windows.  The threat-cloud tests don't seem to trigger it with any browser on Mac (going through 80.30 gateways).

0 Kudos
Mario_Zuker
Employee
Employee
‎2019-08-15 08:58 AM
In response to Sarm_Chanatip

Hi Sarm,

I noticed http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html is redirected to
https://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html

Can you try the following? In HTTPS inspection disable Bypass HTTPS inspection of well-known update services

 bypass-httpsi.PNG

 

 

sc1.checkpoint.com is a Check Point software update service

Regards,

marioz

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events