This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sangeeth_N
Contributor
‎2018-12-03 08:06 PM

Anti-Virus not blocking malicious .zip, .doc files.

Observed in SmartEvent that the Anti-virus is not preventing the malicious files with extension .doc, .zip etc [with severity : critical and confidence : High ], instead it is just getting detected.

I would like to know whether this is a normal behavior in hashtag#checkpoint or did i have to make any changes in my anti-virus profile configured in threat prevention blade?

Note : Threat Emulation is not enabled in this environment.

8 Replies
PhoneBoy
Admin
Admin
‎2018-12-03 08:22 PM

A screenshot of the log (with sensitive data masked) might be helpful.

Also curious what setting you're using for Resource Classification as shown here:

0 Kudos
Sangeeth_N
Contributor
‎2018-12-03 10:24 PM
In response to PhoneBoy

Hi Dameon

 

Kindly find the relevant logs regarding the issue.

 

Log from SmartEvent :

 

Engine settings :

 

 

 

Anti-virus Profile :

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-03 11:06 PM
In response to Sangeeth_N

The first thing I would do is try setting the Resource Classification Mode to Hold instead of Background.

This will not allow the entire file to be sent to the endpoint until it is scanned.

0 Kudos
Sangeeth_N
Contributor
‎2018-12-04 10:02 PM
In response to PhoneBoy

Hi Dameon

I got your point. At this point we cannot set the Resource classification to Hold, as there will be an impact on traffic as it holds the files till the scanning is completed .

But the thing is, i am I able to observe some of the events with Severity High and confidence level High is getting prevented by Antivirus inspection. but the same is not happening for Critical events. Any idea on this?

And it will be really helpful if you let me know what the "inspect" option under [Threat Prevention->Profile->(Profile name)->Anti-Virus settings->Process specific file types families ] do and what will be the outcome of it?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-04 10:18 PM
In response to Sangeeth_N

In some cases, the file can be blocked by URL or other characteristics without transferring the entire file.

This may be why you are seeing "prevent" in some cases and "inspect" in others.

It's likely a side effect of leaving Resource Classification in Background.

If you're concerned about end users being impacted by putting Resource Classification in Hold, create a separate Threat Prevention profile just for your mail server where it set to Hold.

Create a Threat Prevention rule that refers to your email server in the Protected Scope and apply your new profile.

Mail is pretty fault-tolerant and should not be negatively impacted by this.

In the Threat Prevention profile with regard to extensions

  • Inspect means submit to ThreatCloud for analysis and allow only if deemed safe.
  • Block means don't allow the attachment at all (irrespective of the file 
EvilGenius
Explorer
‎2023-06-20 06:44 AM
In response to PhoneBoy

My smartdashboard only consist of 4 categories. Is there anything that I will have to change to make the other categories appear as well. I am currently using Checkpoint Network All In One Security. 

 save.png

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-06-20 07:40 AM
In response to EvilGenius

A lot of the options from that area in previous (old) releases are now in the main SmartConsole.

The version mentioned in this thread being a no longer supported one in R77.30

CCSM R77/R80/ELITE
0 Kudos
Norbert_Bohusch
Advisor
‎2018-12-03 11:05 PM

Background classification means the file passes and classification is done afterwards.

With hold it would wait for classification and the allow/block it based on verdict.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events