- Products
- Learn
- Local User Groups
- Partners
- More
Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hi, I have a HA cluster of two security gateways running R81.10 Jumbo Hotfix Take 95, and I'm experimenting with the MTA feature.
The MTA is configured and seems to be working properly (if forwards the incoming emails to our internal email server), but I can't get the Antivirus on the gateway to scan and eventually filter incoming mails.
I tested by sending emails having in the body the EICAR string, and also with emails having attached the EICAR as a txt file.
In every case the emails are passing trought the gateway without being marked accordingly to the policy defined on the gateways.
Please, can somebody give me some inputs in order to get the incoming emails processed by the antivirus engine?
Many thanks!
Please see my settings:
Active blades:
Logs from:
/var/log/maillog
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtpd[31843]: 4RG4gR0MTHz57qTX: client=localhost[127.0.0.1]
Aug 2 11:21:07 2023 FW-CP-N2 postfix/cleanup[29796]: 4RG4gR0MTHz57qTX: message-id=<20230802112106.035442@host.dom1.tld>
Aug 2 11:21:07 2023 FW-CP-N2 postfix/qmgr[5580]: 4RG4gR0MTHz57qTX: from=<sender@dom1.tld>, size=1165, nrcpt=1 (queue active)
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtpd[31843]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtpd[32004]: connect from localhost[127.0.0.1]
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtp[32003]: Host offered STARTTLS: [127.0.0.1]
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtpd[32004]: 4RG4gR1hPwz4x5Tm: client=localhost[127.0.0.1], orig_queue_id=4RG4gR0MTHz57qTX, orig_client=localhost[127.0.0.1]
Aug 2 11:21:07 2023 FW-CP-N2 postfix/cleanup[29796]: 4RG4gR1hPwz4x5Tm: message-id=<20230802112106.035442@host.dom1.tld>
Aug 2 11:21:07 2023 FW-CP-N2 postfix/qmgr[5580]: 4RG4gR1hPwz4x5Tm: from=<sender@dom1.tld>, size=1386, nrcpt=1 (queue active)
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtp[32003]: 4RG4gR0MTHz57qTX: to=<recipient@dom2.tld>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.22, delays=0.17/0.01/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4RG4gR1hPwz4x5Tm)
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtpd[32004]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=2 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug 2 11:21:07 2023 FW-CP-N2 postfix/qmgr[5580]: 4RG4gR0MTHz57qTX: removed
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtp[32006]: 4RG4gR1hPwz4x5Tm: to=<recipient@dom2.tld>, relay=10.168.0.16[10.168.0.16]:2527, delay=0.19, delays=0.03/0.02/0.03/0.11, dsn=2.6.0, status=sent (250 2.6.0 <20230802112106.035442@host.dom1.tld> [InternalId=19554986098820, Hostname=internalMTA] 2231 bytes in 0.105, 20.575 KB/sec Queued mail for delivery)
Aug 2 11:21:07 2023 FW-CP-N2 postfix/qmgr[5580]: 4RG4gR1hPwz4x5Tm: removed
$FWDIR/log/mtad.elg
2 Aug 11:21:07] [EMAIL_MTA (NOTICE)] emaild_new_connection(): [fw_conn_id=58, emaild_context_id=548366279] New connection.
[2 Aug 11:21:07] [EMAIL_MTA (NOTICE)] pre(): sender='sender@dom1.tld'
[2 Aug 11:21:07] [EMAIL_MTA (NOTICE)] pre() - :recipient='recipient@dom2.tld'
[2 Aug 11:21:07] [EMAIL_MTA (NOTICE)] pre(): Message-ID=' <20230802112106.035442@host.dom1.tld>'
[2 Aug 11:21:07] [EMAIL_MTA (NOTICE)] parseEmlFile() - 4RG4gR0MTHz57qTX :[emailContextId=1288246662] MIME Parsing result: 0(Success)
[2 Aug 11:21:07] [EMAIL_AP (NOTICE)] handle() - 4RG4gR0MTHz57qTX :AP policy off
[2 Aug 11:21:07] [EMAIL_AV (NOTICE)] handle() - 4RG4gR0MTHz57qTX :AV policy off
[2 Aug 11:21:07] [EMAIL_TE (NOTICE)] handle() - 4RG4gR0MTHz57qTX :TE policy off
[2 Aug 11:21:07] [EMAIL_MTA (NOTICE)] editContent() - 4RG4gR0MTHz57qTX :[mta_policy_context_id=1288246662] End connection.
I checked the ThreatPrevention rule generated when I enabled the MTA, and the AV was set to Process file types know to contain malware.
Now i changed it to Process specific file type families, where the txt file is set to Inspect. But I do not see any detection logs from the AV.
Tue 16 Sep 2025 @ 02:00 PM (EDT)
Securing Applications with Check Point and AWS: A Unified WAF-as-a-Service Approach - AmericasWed 17 Sep 2025 @ 04:00 PM (AEST)
Securing Applications with Check Point and AWS: A Unified WAF-as-a-Service Approach - APACWed 17 Sep 2025 @ 03:00 PM (CEST)
Securing Applications with Check Point and AWS: A Unified WAF-as-a-Service Approach - EMEAThu 18 Sep 2025 @ 03:00 PM (CEST)
Bridge the Unmanaged Device Gap with Enterprise Browser - EMEAThu 18 Sep 2025 @ 02:00 PM (EDT)
Bridge the Unmanaged Device Gap with Enterprise Browser - AmericasTue 16 Sep 2025 @ 02:00 PM (EDT)
Securing Applications with Check Point and AWS: A Unified WAF-as-a-Service Approach - AmericasWed 17 Sep 2025 @ 04:00 PM (AEST)
Securing Applications with Check Point and AWS: A Unified WAF-as-a-Service Approach - APACWed 17 Sep 2025 @ 03:00 PM (CEST)
Securing Applications with Check Point and AWS: A Unified WAF-as-a-Service Approach - EMEAThu 18 Sep 2025 @ 03:00 PM (CEST)
Bridge the Unmanaged Device Gap with Enterprise Browser - EMEAThu 18 Sep 2025 @ 02:00 PM (EDT)
Bridge the Unmanaged Device Gap with Enterprise Browser - Americas