Jeff_Gao
Advisor

Anti-Virus log prompt: "background classification mode was set"

Dear 

FW: 23500    Version: R80.10    Hotfix: R80_10_JUMBO_HF_Bundle_T56_sk11638

I have set Hold mode, refer to the screenshots below:

TP configuration as follows:

But the log shows as follows:

Description:

Connection was allowed because background classification mode was set. See sk74120 for more information.

"loop.sawmilliner.com" is a C2 and malware site, as follows:

I have set classification mode to Hold, why does it still show "background classification mode was set"?

Thanks!

10 Replies
_Val_
Admin

You are looking at the wrong Software Blade. Threat Prevention is for downloads. For site classification, you need AC and URL Filtering to be changed.

Jeff_Gao
Advisor

Thanks, but the log matches the Anti-Virus blade. This behavior is in the DNS request phase. Can't it be blocked by TP at the DNS request stage?

G_W_Albrecht
Champion

Look here:

Jeff_Gao
Advisor

Thanks, I will try it.

Gaurav_Pandya
Advisor

Hi,

I have the same issue. I have put the URL Filtering setting to Hold mode but still I am getting the same logs of "It is allowed because background classification mode was set" in the logs.

That_CP_Guy
Explorer

Was this ever resolved? I am facing the exact same issue. Thanks.

Hely_C
Explorer

I am also facing the same issue. Anyone has an idea?

Craig_Myers
Explorer

I have a customer with this same issue. Does Check Point have a configuration fix for this or is this a bug?

Angel_Lumbreras
Explorer

Hello, same issue here, any news about it?

Trevor_Bruss
Contributor

Isn't this because Check Point changed how DNS classification occurs? So check out:

https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve...

Even though in your policy you've set Hold, that will be relevant only for http, smtp, and smb. DNS will still be in background mode for optimization purposes. You'd have to manually change that in your malware_config file on the gateway if you want DNS to be in Hold mode as well.

I think what you are seeing here is normal based on the log you showed as this was a DNS query that got bypassed.

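A way to verify the behaviour described in the thread from the gateway's own logs: filter exported log entries for the "background classification mode was set" reason and count them per service, so that background-mode DNS (expected) can be told apart from http/smtp/smb entries that should have been held. This is an added example, not code from the thread or from Check Point; the log lines are constructed, the "key=value; ..." layout is an assumption rather than Check Point's real export format, and the service names are assumed to be the predefined `domain-udp` / `domain-tcp` objects.

```python
from collections import Counter

# Reason string quoted in the thread (see sk74120).
BACKGROUND_REASON = "background classification mode was set"

# Constructed sample lines, not a real Check Point log export. Field layout is
# an assumption made for this example: "key=value" pairs separated by ";".
SAMPLE_LOGS = """\
time=10:01:02; blade=Anti-Virus; service=domain-udp; dst=198.51.100.7; resource=loop.sawmilliner.com; action=Accept; description=Connection was allowed because background classification mode was set. See sk74120 for more information.
time=10:01:05; blade=URL Filtering; service=http; dst=203.0.113.9; resource=example.invalid; action=Accept; description=Connection was allowed because background classification mode was set. See sk74120 for more information.
time=10:01:09; blade=Anti-Virus; service=domain-udp; dst=198.51.100.7; resource=loop.sawmilliner.com; action=Prevent; description=Malicious site
time=10:02:11; blade=Anti-Virus; service=http; dst=203.0.113.10; resource=example.invalid; action=Accept; description=Connection was allowed because background classification mode was set. See sk74120 for more information.
"""


def parse_line(line):
    """Split one constructed 'key=value; key=value' line into a dict."""
    fields = {}
    for part in line.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def background_allowed(log_text):
    """Return the parsed entries that were let through under background classification."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [e for e in entries if BACKGROUND_REASON in e.get("description", "")]


def summarize_by_service(entries):
    """Count background-classified allows per service (DNS is expected per the thread)."""
    return Counter(e.get("service", "unknown") for e in entries)


def unexpected_background(entries, expected_services=("domain-udp", "domain-tcp")):
    """Entries for services that Hold mode should cover but that were still
    classified in background; anything here means Hold is not in effect."""
    return [e for e in entries if e.get("service") not in expected_services]


if __name__ == "__main__":
    hits = background_allowed(SAMPLE_LOGS)
    print("background-classified allows per service:", dict(summarize_by_service(hits)))
    for e in unexpected_background(hits):
        print("Hold mode not applied:", e["time"], e["service"], e["dst"], e["resource"])
```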