Sean_Roth
Participant

Determining Which Anti-Bot, Anti-Virus, Threat Emulation Overrides Are Active

Hi, I was wondering if there is a way to see a list of overrides for "Anti-Bot\Anti-Virus\Threat Emulation" as shown in SmartConsole. The Threat Prevention "Profiles" tab shows this:

3_protection--Engine_Overrides.PNG

And when one clicks the "3 Protections\\Engine overrides" link shown above, we are brought to this "Protections" screen:

Engine_Protections_Screen.PNG

I'm having a really hard time understanding where these overrides are. I have gone through each individual protection looking for a little person icon to indicate that the action was overridden, but I could only find 1, rather than the 3 overrides shown on the profiles screen. I reviewed all 1,000 of the "Malicious Activity" protections (as well as the 114 "Unusual Activity" protections) and couldn't find any additional overrides. I found that using [ Actions ] > [ Restore Selected ] did not reduce the number of overrides, except for the "Reputation IPs" protection (which is the only override that I could see/detect already). I also noticed that the Protections tab "Known Today" column shows 8,025 protections for "Malicious Activity", while the window where I can review them only shows 1,000 of the total. 

how_many_exactly.png

Could this be where the remaining 2 overrides are? Is there a better way to determine what the overrides are? Maybe via the API? Or some window that shows a printout of the overrides?

5 Replies
PhoneBoy
Admin

These should be listed in the Threat Prevention policy.
To verify this, I took the "Optimized" profile and cloned it.
I set one of the signatures in this profile to "Inactive" and this is how it shows in my lab:

image.png

You should be able to modify the exceptions here: 

image.png

Sean_Roth
Participant

Thank you for your time and reply PhoneBoy! It looks to me like you manually made a rule exception in your example, rather than applying a different action to a protection for the specific profile. I believe that the exception you show is "Global" across all profiles instead of being specific to a particular profile. When I configured a similar exception both at the "Global" level and single-rule level, the number of overrides shown on the Profiles tab did not increment. 

Rule exception:
local_rule_exception.png

Global exception:
manual_exceptions.png

Profiles tab - number of overrides is at 0 for my test profile with the exception rules:
exception_rules_results_in_no_override_shown.png

Could you confirm that I am understanding your example correctly? When you made the exceptions in your lab, did you see a change in the number of overrides as shown in the Profiles tab?

I found some other weirdness that I wasn't sure is normal too. When I make an override for a single protection for 1 profile like this, the overrides counter increments by 1 as expected.
override-test-profile-malicious-activity.png

However when I [ right-click ] > [ Restore Selected ] on the 1 profile override to remove the override, the Profiles tab still shows 1 override active.
does_restore_for_1_profile_even_work.png

If I instead right-click the protection and then click [ Restore Selected ] for every profile, then the overrides counter on the Profiles tab goes back down to 0. 
this_restore_does_work.png

And sadly on the Protections screen, if I do [ right-click ] > [ Restore Selected ] on "Malicious Activity", the overrides counter stays at 1 as well. The strategy from the above screenshot is the only way that I found to reduce the override counter back to 0. Although my goal is not to necessarily just restore defaults anyways - the real goal is to determine which overrides are currently active. If we disable/restore the overrides, we would want to know what we were restoring (or which traffic we might be affecting in the process).

PhoneBoy
Admin

In my case, it did increment the number of exclusions and it looks like I set it, whether I set it globally or set the exception on the profile.
This was on R81.20.
Regardless, particular exceptions should be stored in the Threat Prevention profile.
I'm not finding a way to show exceptions applied to specific Anti-Bot signatures for specific Threat Profiles.

My first go-to is the API, but I can't figure out if there are any API endpoints that will show this precise information.
@Omer_Kleinstern are there any API endpoints that can assist here?

Sean_Roth
Participant

Very interesting that we are seeing slightly different behaviors. I was really hoping for a way to review this using the API, but I also couldn't find any relevant API endpoints. If @Omer_Kleinstern had some ideas, that would be incredible! I also opened an SR now and I'm hoping to report back here if we learn anything new. It seems that the issue of having 8,035 "Malicious Activity" protections, but only being able to see 1000 of them, is on its way to R&D.

PhoneBoy
Admin

There's no formal API endpoint for these exceptions.
However, it appears they can be retrieved through a generic object call:

mgmt_cli -r true show-generic-objects class-name com.checkpoint.objects.anti_malware.dummy.CpmiProtectionOverride details-level full

It's worth noting that Generic Object calls are not formally supported.
They are useful in situations like this where there is not yet a formal API endpoint.
Formal API endpoints, which are fully supported through the TAC, should always be used where possible.

As for the other issues you raised with only 1,000 entries showing when more than 8,000 exist: that's definitely a bug and will be addressed through your open SR. 

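An added example (not from the thread or from Check Point) that wraps the generic-object call above so every override is pulled page by page rather than hitting a display cap like the 1,000-row limit in SmartConsole. It assumes mgmt_cli accepts `--format json` and that show-generic-objects honours `limit`/`offset` and returns the usual `objects`/`total` shape; the runner is injected so the constructed fake pages let it run offline.

```python
import json
import subprocess
from typing import Callable, Dict, Iterator, List

# Class name taken from the mgmt_cli command quoted in the thread.
OVERRIDE_CLASS = "com.checkpoint.objects.anti_malware.dummy.CpmiProtectionOverride"
PAGE_SIZE = 500  # page size requested per call (assumed safe; server may cap lower)


def build_command(offset: int, limit: int = PAGE_SIZE) -> List[str]:
    """argv for one page of override objects as JSON; limit/offset paging assumed."""
    return ["mgmt_cli", "-r", "true", "--format", "json",
            "show-generic-objects", "class-name", OVERRIDE_CLASS,
            "details-level", "full",
            "limit", str(limit), "offset", str(offset)]


def run_mgmt_cli(argv: List[str]) -> Dict:
    """Real runner: executes mgmt_cli on the management server, parses its JSON."""
    out = subprocess.run(argv, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def iter_overrides(runner: Callable[[List[str]], Dict] = run_mgmt_cli) -> Iterator[Dict]:
    """Walk all pages until 'total' objects have been seen (assumed response shape)."""
    offset = 0
    while True:
        page = runner(build_command(offset))
        objs = page.get("objects", [])
        yield from objs
        offset += len(objs)
        if not objs or offset >= page.get("total", 0):
            return


def summarize(overrides) -> List[str]:
    """One line per override: name and uid, which every management object carries."""
    return [f'{o.get("name", "?")} ({o.get("uid", "?")})' for o in overrides]


# Constructed fake pages (not real data) standing in for the management server.
FAKE_PAGES = [
    {"objects": [{"name": "override-1", "uid": "u1"},
                 {"name": "override-2", "uid": "u2"}], "total": 3},
    {"objects": [{"name": "override-3", "uid": "u3"}], "total": 3},
]


def fake_runner(argv: List[str]) -> Dict:
    offset = int(argv[argv.index("offset") + 1])
    return FAKE_PAGES[0] if offset == 0 else FAKE_PAGES[1]
```

Replace `fake_runner` with the default `run_mgmt_cli` on the management server; the hardened fields you care about (profile, protection, action) are whatever the full-details object actually returns.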