This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Paul_Mainhardt1
Participant
‎2020-01-27 05:10 PM
Jump to solution

Anti-Virus Blade - Strict hold is not possible failure - Write to other side occured

I am getting a strange error from one of our servers that is trying to upload information to a remote site.

 

The file is getting blocked by the Anti-Virus Blade with the following error "Strict hold is not possible failure - Write to other side occured"

 

I tried putting in an exception for the antivirus blade but its not taking effect.

 

The gateways are running R80.30 T107 and we have just started to experience this issue as it was working previously. 

Preview file
37 KB
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2020-01-31 01:18 PM
Jump to solution

Strict Hold is a new feature in R80.30 related to Threat Extraction.
If you're not using Threat Extraction on the gateway, you can disable this feature.

If you are using Threat Extraction, there are a few TAC cases that suggest that the upgrade process from earlier releases did not add the necessary configuration to $FWDIR/conf/malware_config
You can confirm this by:

  • Checking if Hold Mode is enabled in SmartDashboard: Manage and Settings > Threat Prevention > General. If you're not using Threat Extraction, disabling this feature in SmartDashboard and installing policy should be sufficient.
  • Seeing if there is a section for strict_hold_configuration in $FWDIR/conf/malware_config on the gateway and it has a setting for strict_hold_enable. If it does not, you need to add the necessary configuration.

In this case, add the following lines to $FWDIR/conf/malware_config on every affected gateway.
Note you can adjust the configuration of these lines as necessary (e.g. if you want Strict Hold to be enabled, set the parameter to 1)

[strict_hold_configuration]
strict_hold_enable=0
enable_on_background_mode=0
min_size_to_upload=0
max_size_to_upload=100000000# when tex_over_te enabled - perform sending TEX extracted file to client without waiting for TE full emulation verdict.
tex_over_te=0
flexible_hold_precent_to_send=50
flexible_hold_total_time_to_trickle_in_minutes=4

[strict_hold_fail_open_config]
strict_hold_fail_open_flag=1
url_entry_timeout=30
url_key_type=1
compare_second_try_md5=0

Once you've made this change, perform a policy install to the relevant gateways for these changes to take effect.

View solution in original post

12 Replies
PhoneBoy
Admin
Admin
‎2020-01-31 01:18 PM
Jump to solution

Strict Hold is a new feature in R80.30 related to Threat Extraction.
If you're not using Threat Extraction on the gateway, you can disable this feature.

If you are using Threat Extraction, there are a few TAC cases that suggest that the upgrade process from earlier releases did not add the necessary configuration to $FWDIR/conf/malware_config
You can confirm this by:

  • Checking if Hold Mode is enabled in SmartDashboard: Manage and Settings > Threat Prevention > General. If you're not using Threat Extraction, disabling this feature in SmartDashboard and installing policy should be sufficient.
  • Seeing if there is a section for strict_hold_configuration in $FWDIR/conf/malware_config on the gateway and it has a setting for strict_hold_enable. If it does not, you need to add the necessary configuration.

In this case, add the following lines to $FWDIR/conf/malware_config on every affected gateway.
Note you can adjust the configuration of these lines as necessary (e.g. if you want Strict Hold to be enabled, set the parameter to 1)

[strict_hold_configuration]
strict_hold_enable=0
enable_on_background_mode=0
min_size_to_upload=0
max_size_to_upload=100000000# when tex_over_te enabled - perform sending TEX extracted file to client without waiting for TE full emulation verdict.
tex_over_te=0
flexible_hold_precent_to_send=50
flexible_hold_total_time_to_trickle_in_minutes=4

[strict_hold_fail_open_config]
strict_hold_fail_open_flag=1
url_entry_timeout=30
url_key_type=1
compare_second_try_md5=0

Once you've made this change, perform a policy install to the relevant gateways for these changes to take effect.

Shiran_Gold
Employee
Employee
‎2020-02-02 01:47 AM
Jump to solution

Hey Paul

 

We are aware of this issue.

It is relevant in HTTP 100 continue scenario.

 

The issue was resolved in R80.40 and planned to be integrated to R80.30 JHF.

** Editing - we've found cases where the issue is relevant to R80.40 and working on adding to jumbo as well **

 

Thanks

Shiran

Paul_Mainhardt1
Participant
‎2020-02-04 06:44 PM
In response to Shiran_Gold
Jump to solution

Hi Shiran,

 

is there any workaround short of disabling the blade?

0 Kudos
Shiran_Gold
Employee
Employee
‎2020-02-04 11:49 PM
In response to Paul_Mainhardt1
Jump to solution

Hey Paul,

If you are using Threat Extraction over HTTP - Strict hold is a must.

If not, you can disable strict hold feature (use legacy hold mechanism)

Go to $FWDIR/conf/malware_config
Search for strict_hold_enable parameter.
Change it from 1 to 0.
(strict_hold_enable=0)

Install Threat policy


Corey_Christmas
Participant
‎2020-08-10 04:24 PM
In response to Shiran_Gold
Jump to solution

Has this fix been added to R80.30 JHF?

0 Kudos
Yifat_Chen
Employee Alumnus
Employee Alumnus
‎2020-09-09 01:32 PM
In response to Corey_Christmas
Jump to solution

The fix is not yet in R80.30 Jumbo. R&D are working on a fix. We will update once it will be ready 

Christian_J
Explorer
‎2020-11-05 03:06 AM
In response to Shiran_Gold
Jump to solution

Hi Shiran,

that's not true! - We are currently on R80.40 HF 78 and rolled into this issue.

We had to disable the strict_policy in the config file!

So hopefully there will be a fix soon.

Thanks and regards,

Christian

0 Kudos
Shiran_Gold
Employee
Employee
‎2020-11-08 05:31 AM
In response to Christian_J
Jump to solution

Hey Christian

I have sent you a private message to further understand the scenario.

 

Thanks,

Shiran

0 Kudos
Yifat_Chen
Employee Alumnus
Employee Alumnus
‎2021-01-05 02:18 AM
Jump to solution

Fix was  released as part of Jumbo R80.40, take 91 

Check out our sk165456 :

 

PRJ-19579,
PRJ-16924		 Anti-Virus In rare scenarios, after downloading files, Anti-Virus prevent logs appear with "Strict hold is not possible failure - Write to other side occurred" error message.
0 Kudos
Robin
Participant
‎2021-01-27 03:15 AM
In response to Yifat_Chen
Jump to solution

I saw PRJ-16924 was solved in the latest R80.30 take (226) but we still have a similar issue. PRJ-19579 is not mentioned in the list (sk153152). Does it mean it is not yet solved completely on R80.30? So far putting strict_hold_enable=0 seems to work (more testing needed as we didn't have the issue always).

0 Kudos
Mully
Participant
‎2021-02-15 01:09 PM
In response to Yifat_Chen
Jump to solution

Clean install and running R80.40 with installed take 91 with same problem.  This is still an on-going problem. 

0 Kudos
Yifat_Chen
Employee Alumnus
Employee Alumnus
‎2021-02-17 01:38 AM
In response to Mully
Jump to solution

Thanks for your comments, Please open a TAC ticket for this issue and we will check it with the relevant owner. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events