This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mikael_Trosell
Participant
‎2023-09-27 05:46 AM
Jump to solution

Error message in /var/log/messages after upgrade to R81.20

I upgraded a TE1000X box from R81.10 to R81.20 It seems to work fine except for one problem.

In /var/log/messages there is a large amount of log messages of this type.

Sep 27 14:30:15 2023 FW-TE101 kernel:error: PMC:8778 CPU_ID: 19 arch/x86/kvm/pmc.c, pmc_begin_audit_debug_store - Can't read the guest_ds_area 0x95400300 of cr3 0x1f1e33c0, exception = 5
Sep 27 14:30:15 2023 FW-TE101 kernel:error: PMC:8778 CPU_ID: 19 arch/x86/kvm/pmc.c, pmc_begin_audit_debug_store - Can't read the guest_ds_area 0x95400300 of cr3 0x1f1e33c0, exception = 5
Sep 27 14:30:15 2023 FW-TE101 kernel:error: PMC:8778 CPU_ID: 3 arch/x86/kvm/pmc.c, pmc_begin_audit_debug_store - Can't read the guest_ds_area 0x95400300 of cr3 0x1f1e33c0, exception = 5
Sep 27 14:30:15 2023 FW-TE101 kernel:error: PMC:8778 CPU_ID: 3 arch/x86/kvm/pmc.c, pmc_begin_audit_debug_store - Can't read the guest_ds_area 0x95400300 of cr3 0x1f1e33c0, exception = 5
Sep 27 14:30:15 2023 FW-TE101 kernel:error: PMC:8778 CPU_ID: 3 arch/x86/kvm/pmc.c, pmc_begin_audit_debug_store - Can't read the guest_ds_area 0x95400300 of cr3 0x1f1e33c0, exception = 5
Sep 27 14:30:15 2023 FW-TE101 kernel:error: PMC:8778 CPU_ID: 3 arch/x86/kvm/pmc.c, pmc_begin_audit_debug_store - Can't read the guest_ds_area 0x95400300 of cr3 0x1f1e33c0, exception = 5
Sep 27 14:30:15 2023 FW-TE101 kernel:error: PMC:8778 CPU_ID: 3 arch/x86/kvm/pmc.c, pmc_begin_audit_debug_store - Can't read the guest_ds_area 0x95400300 of cr3 0x1f1e33c0, exception = 5

I had problems with the disk space on /var/ log when the message file was 120 Gbytes...

Has anyone encountered a similar problem? I haven't found anything similar when I searched around

Regards

Mikael Trosell

0 Kudos
1 Solution

Accepted Solutions
Lesley
Leader Leader
Leader
2 weeks ago
In response to Thomas_Eichelbu
Jump to solution

As far as I know if you put this value to zero you will disable CPU level emulation leaving only traditional emulation. 

With CPU level detection you have less of chance that an attacker knows it is operating in a sandbox setup.

So unless in R81.20 something has changed this is no longer relevant I would not disable it. 

-------
If you like this post please give a thumbs up(kudo)! 🙂

View solution in original post

0 Kudos
12 Replies
Tal_Paz-Fridman
Employee
Employee
‎2023-09-28 11:09 AM
Jump to solution

Hi - have you opened a ticket with TAC? 

I found 2 similar issues and it seems the message are harmless. I suggest opening a ticket so that your case is also investigated. You can point them to this post if needed so that they can refer to the other cases.

0 Kudos
Mikael_Trosell
Participant
‎2023-09-29 02:23 AM
In response to Tal_Paz-Fridman
Jump to solution

Hi,  I'll open a case and see what the result is. I have to increase "log rotation" so that the disk does not get filled in the meantime.

 

0 Kudos
SuedL_Sec
Explorer
‎2024-05-22 09:01 AM
In response to Mikael_Trosell
Jump to solution

Hi Mikael, what was the result of the support case? 

Regards, Viktor

0 Kudos
Mikael_Trosell
Participant
‎2024-05-22 11:16 PM
In response to SuedL_Sec
Jump to solution

Support wanted more information than I was allowed to send. It works as it should. So I just rotate the syslog file every hour.

0 Kudos
SuedL_Sec
Explorer
‎2024-05-22 09:05 AM
In response to Mikael_Trosell
Jump to solution

Hi Mikael, what was the result of the support case?

Regards, Viktor

0 Kudos
Lesley
Leader Leader
Leader
‎2024-05-22 11:57 AM
In response to SuedL_Sec
Jump to solution

Hi Viktor,

This is the related SK article:

https://support.checkpoint.com/results/sk/sk181544

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Thomas_Eichelbu
Advisor
Advisor
2 weeks ago
In response to Lesley
Jump to solution

Hello, 

yes we have also found this ... 
also i found this SK 181544.

it suggests to "disable the CPU Level Detection"

To disable the high volume of logs in /var/log/messages, disable CPU level detection:
[Expert@FW]# tecli ad at set enable_cpu_level_detection 0

but hey, isnt the CPU Level Detection the reason why customers still use a Sandblast appliance?
what will "tecli ad at set enable_cpu_level_detection 0" do? 
will it disable useful features?

what results did you  get from your TAC cases?

0 Kudos
Mikael_Trosell
Participant
2 weeks ago
In response to Thomas_Eichelbu
Jump to solution

Thanks for the information
The TAC wanted information that I was not allowed to give out.
So I rotated the messages file on an hourly basis.
(and also send the log to a syslog server)

0 Kudos
Thomas_Eichelbu
Advisor
Advisor
2 weeks ago
In response to Mikael_Trosell
Jump to solution

Hello, 

we stumbled over it because we analyzed delayed emails ... so i found this messages ... 

i have also opened a TAC case ... 
well i will not accept an answer like this. customers are buying this stuff to secure their environment and have a high degree of  trust in Check Point.
not answering easy questions like this here does nothing to maintain trust! its the opposite.

+ difference between R81.20 and R81.10? why does it pop up in R81.20?
+ what is this message all about?
+ why does CPU Level Detection triggers it?
+ high CPU is triggered, by writting those amount of logs or something else?
+ when i turn CPU Level Detection off, can i still detect malware to the same degree?
+ if the SK says we must turn it off, why is it enbaled in first place?
+ Check Point should update their SK about what is the background here, so that people get informed and so on ...


0 Kudos
(1)
Lesley
Leader Leader
Leader
2 weeks ago
In response to Thomas_Eichelbu
Jump to solution

As far as I know if you put this value to zero you will disable CPU level emulation leaving only traditional emulation. 

With CPU level detection you have less of chance that an attacker knows it is operating in a sandbox setup.

So unless in R81.20 something has changed this is no longer relevant I would not disable it. 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Thomas_Eichelbu
Advisor
Advisor
2 weeks ago
In response to Lesley
Jump to solution

Hello 

i´v asked our local CP office to double check the statements of TAC.
they say, CPU Level Detection is not that relevant any longer as it was in the past.
CPU Level Detection was/is most beneficial to detect malware with ROP - attacks methods ... 
https://en.wikipedia.org/wiki/Return-oriented_programming

iam asking myself, what is Check Point using in their Cloud to do Threat Emulation? 
do thy use their own Sandblast appliances as well? 
do they run into the same issue as our customer? 
do they turn off CPU Level Detection on their appliance as well?

so iam still not sure what do to.

0 Kudos
PhoneBoy
Admin
Admin
2 weeks ago
In response to Thomas_Eichelbu
Jump to solution

It should not impact the security level to disable CPU Level Detection.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events