MTA Antivirus
Hi, I have a HA cluster of two security gateways running R81.10 Jumbo Hotfix Take 95, and I'm experimenting with the MTA feature.
The MTA is configured and seems to be working properly (it forwards the incoming emails to our internal email server), but I can't get the Antivirus on the gateway to scan and eventually filter incoming mails.
I tested by sending emails having the EICAR string in the body, and also emails having the EICAR attached as a txt file.
In every case the emails are passing through the gateway without being marked according to the policy defined on the gateways.
Please, can somebody give me some inputs in order to get the incoming emails processed by the antivirus engine?
Many thanks!
What do you see in the logs?
Is the AV Blade activated for the cluster and Threat Prevention policy installed?
Do you have a subscription for AV?
What does the AV configuration look like?
Please see my settings:
[screenshot: Anti-bot and Antivirus settings]
[screenshot: Active blades]
Logs from /var/log/maillog:
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtpd[31843]: 4RG4gR0MTHz57qTX: client=localhost[127.0.0.1]
Aug 2 11:21:07 2023 FW-CP-N2 postfix/cleanup[29796]: 4RG4gR0MTHz57qTX: message-id=<20230802112106.035442@host.dom1.tld>
Aug 2 11:21:07 2023 FW-CP-N2 postfix/qmgr[5580]: 4RG4gR0MTHz57qTX: from=<sender@dom1.tld>, size=1165, nrcpt=1 (queue active)
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtpd[31843]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtpd[32004]: connect from localhost[127.0.0.1]
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtp[32003]: Host offered STARTTLS: [127.0.0.1]
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtpd[32004]: 4RG4gR1hPwz4x5Tm: client=localhost[127.0.0.1], orig_queue_id=4RG4gR0MTHz57qTX, orig_client=localhost[127.0.0.1]
Aug 2 11:21:07 2023 FW-CP-N2 postfix/cleanup[29796]: 4RG4gR1hPwz4x5Tm: message-id=<20230802112106.035442@host.dom1.tld>
Aug 2 11:21:07 2023 FW-CP-N2 postfix/qmgr[5580]: 4RG4gR1hPwz4x5Tm: from=<sender@dom1.tld>, size=1386, nrcpt=1 (queue active)
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtp[32003]: 4RG4gR0MTHz57qTX: to=<recipient@dom2.tld>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.22, delays=0.17/0.01/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4RG4gR1hPwz4x5Tm)
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtpd[32004]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=2 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug 2 11:21:07 2023 FW-CP-N2 postfix/qmgr[5580]: 4RG4gR0MTHz57qTX: removed
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtp[32006]: 4RG4gR1hPwz4x5Tm: to=<recipient@dom2.tld>, relay=10.168.0.16[10.168.0.16]:2527, delay=0.19, delays=0.03/0.02/0.03/0.11, dsn=2.6.0, status=sent (250 2.6.0 <20230802112106.035442@host.dom1.tld> [InternalId=19554986098820, Hostname=internalMTA] 2231 bytes in 0.105, 20.575 KB/sec Queued mail for delivery)
Aug 2 11:21:07 2023 FW-CP-N2 postfix/qmgr[5580]: 4RG4gR1hPwz4x5Tm: removed
$FWDIR/log/mtad.elg
[2 Aug 11:21:07] [EMAIL_MTA (NOTICE)] emaild_new_connection(): [fw_conn_id=58, emaild_context_id=548366279] New connection.
[2 Aug 11:21:07] [EMAIL_MTA (NOTICE)] pre(): sender='sender@dom1.tld'
[2 Aug 11:21:07] [EMAIL_MTA (NOTICE)] pre() - :recipient='recipient@dom2.tld'
[2 Aug 11:21:07] [EMAIL_MTA (NOTICE)] pre(): Message-ID=' <20230802112106.035442@host.dom1.tld>'
[2 Aug 11:21:07] [EMAIL_MTA (NOTICE)] parseEmlFile() - 4RG4gR0MTHz57qTX :[emailContextId=1288246662] MIME Parsing result: 0(Success)
[2 Aug 11:21:07] [EMAIL_AP (NOTICE)] handle() - 4RG4gR0MTHz57qTX :AP policy off
[2 Aug 11:21:07] [EMAIL_AV (NOTICE)] handle() - 4RG4gR0MTHz57qTX :AV policy off
[2 Aug 11:21:07] [EMAIL_TE (NOTICE)] handle() - 4RG4gR0MTHz57qTX :TE policy off
[2 Aug 11:21:07] [EMAIL_MTA (NOTICE)] editContent() - 4RG4gR0MTHz57qTX :[mta_policy_context_id=1288246662] End connection.
I do not understand what is going on.
My replies are disappearing after I post them (this is the 4th time).
Basically the IPS, Anti-bot and Anti-virus blades are active, and the Threat Emulation and Threat Extraction are inactive.
Yes, the subscription is active.
I will try to post the logs in a new reply.
mtad.elg
[2 Aug 11:21:07] [EMAIL_MTA (NOTICE)] emaild_new_connection(): [fw_conn_id=58, emaild_context_id=548366279] New connection.
[2 Aug 11:21:07] [EMAIL_MTA (NOTICE)] pre(): sender='sender@dom1.tld'
[2 Aug 11:21:07] [EMAIL_MTA (NOTICE)] pre() - :recipient='recipient@dom2.tld'
[2 Aug 11:21:07] [EMAIL_MTA (NOTICE)] pre(): Message-ID=' <20230802112106.035442@host.dom1.tld>'
[2 Aug 11:21:07] [EMAIL_MTA (NOTICE)] parseEmlFile() - 4RG4gR0MTHz57qTX :[emailContextId=1288246662] MIME Parsing result: 0(Success)
[2 Aug 11:21:07] [EMAIL_AP (NOTICE)] handle() - 4RG4gR0MTHz57qTX :AP policy off
[2 Aug 11:21:07] [EMAIL_AV (NOTICE)] handle() - 4RG4gR0MTHz57qTX :AV policy off
[2 Aug 11:21:07] [EMAIL_TE (NOTICE)] handle() - 4RG4gR0MTHz57qTX :TE policy off
[2 Aug 11:21:07] [EMAIL_MTA (NOTICE)] editContent() - 4RG4gR0MTHz57qTX :[mta_policy_context_id=1288246662] End connection.
maillog
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtpd[31843]: 4RG4gR0MTHz57qTX: client=localhost[127.0.0.1]
Aug 2 11:21:07 2023 FW-CP-N2 postfix/cleanup[29796]: 4RG4gR0MTHz57qTX: message-id=<20230802112106.035442@host.dom1.tld>
Aug 2 11:21:07 2023 FW-CP-N2 postfix/qmgr[5580]: 4RG4gR0MTHz57qTX: from=<sender@dom1.tld>, size=1165, nrcpt=1 (queue active)
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtpd[31843]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtpd[32004]: connect from localhost[127.0.0.1]
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtp[32003]: Host offered STARTTLS: [127.0.0.1]
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtpd[32004]: 4RG4gR1hPwz4x5Tm: client=localhost[127.0.0.1], orig_queue_id=4RG4gR0MTHz57qTX, orig_client=localhost[127.0.0.1]
Aug 2 11:21:07 2023 FW-CP-N2 postfix/cleanup[29796]: 4RG4gR1hPwz4x5Tm: message-id=<20230802112106.035442@host.dom1.tld>
Aug 2 11:21:07 2023 FW-CP-N2 postfix/qmgr[5580]: 4RG4gR1hPwz4x5Tm: from=<sender@dom1.tld>, size=1386, nrcpt=1 (queue active)
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtp[32003]: 4RG4gR0MTHz57qTX: to=<recipient@dom2.tld>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.22, delays=0.17/0.01/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4RG4gR1hPwz4x5Tm)
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtpd[32004]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=2 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug 2 11:21:07 2023 FW-CP-N2 postfix/qmgr[5580]: 4RG4gR0MTHz57qTX: removed
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtp[32006]: 4RG4gR1hPwz4x5Tm: to=<recipient@dom2.tld>, relay=10.168.0.16[10.168.0.16]:2527, delay=0.19, delays=0.03/0.02/0.03/0.11, dsn=2.6.0, status=sent (250 2.6.0 <20230802112106.035442@host.dom1.tld> [InternalId=19554986098820, Hostname=internalMTA] 2231 bytes in 0.105, 20.575 KB/sec Queued mail for delivery)
Aug 2 11:21:07 2023 FW-CP-N2 postfix/qmgr[5580]: 4RG4gR1hPwz4x5Tm: removed
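The two logs above tell the story of one message under two queue ids: Postfix accepts it as 4RG4gR0MTHz57qTX, hands it to the loopback port 10025, and the gateway re-injects it as 4RG4gR1hPwz4x5Tm (the orig_queue_id field ties the two together) before delivering to the internal MTA, while mtad.elg records "AV policy off" for the original id. The script below is an added example written for this thread, not code from Check Point or from any poster: it correlates the two logs so that mail which left the gateway with the Anti-Virus policy off shows up as a finding, which is the check a defender wants while chasing a problem like this one. The sample input is constructed from the posted lines; the assumptions are that the "policy off" wording, the handle() format and the orig_queue_id re-injection pattern are as shown in the excerpts, and that the relay to 127.0.0.1:10025 is the gateway's own scanning hop rather than a final delivery.

```python
import re

# Constructed sample input, copied from the log excerpts posted in the thread
# (same queue ids, hosts and wording). Not live data.
MTAD_ELG = """\
[2 Aug 11:21:07] [EMAIL_MTA (NOTICE)] parseEmlFile() - 4RG4gR0MTHz57qTX :[emailContextId=1288246662] MIME Parsing result: 0(Success)
[2 Aug 11:21:07] [EMAIL_AP (NOTICE)] handle() - 4RG4gR0MTHz57qTX :AP policy off
[2 Aug 11:21:07] [EMAIL_AV (NOTICE)] handle() - 4RG4gR0MTHz57qTX :AV policy off
[2 Aug 11:21:07] [EMAIL_TE (NOTICE)] handle() - 4RG4gR0MTHz57qTX :TE policy off
[2 Aug 11:21:07] [EMAIL_MTA (NOTICE)] editContent() - 4RG4gR0MTHz57qTX :[mta_policy_context_id=1288246662] End connection.
"""

MAILLOG = """\
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtpd[31843]: 4RG4gR0MTHz57qTX: client=localhost[127.0.0.1]
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtpd[32004]: 4RG4gR1hPwz4x5Tm: client=localhost[127.0.0.1], orig_queue_id=4RG4gR0MTHz57qTX, orig_client=localhost[127.0.0.1]
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtp[32003]: 4RG4gR0MTHz57qTX: to=<recipient@dom2.tld>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.22, delays=0.17/0.01/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4RG4gR1hPwz4x5Tm)
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtp[32006]: 4RG4gR1hPwz4x5Tm: to=<recipient@dom2.tld>, relay=10.168.0.16[10.168.0.16]:2527, delay=0.19, delays=0.03/0.02/0.03/0.11, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
"""

# Assumed formats, taken from the posted excerpts: engine name, original queue id,
# and the "policy off" marker in mtad.elg; re-injection and delivery lines in maillog.
POLICY_OFF_RE = re.compile(r"\[EMAIL_(AP|AV|TE) \(\w+\)\] handle\(\) - (\S+) :\1 policy off")
REQUEUE_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): .*orig_queue_id=(\w+)")
DELIVERY_RE = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<([^>]+)>, relay=([^,]+),.*status=(\w+)")


def parse_mtad(text):
    """Map each original queue id to the set of engines mtad.elg reported as 'policy off'."""
    off = {}
    for line in text.splitlines():
        m = POLICY_OFF_RE.search(line)
        if m:
            off.setdefault(m.group(2), set()).add(m.group(1))
    return off


def parse_maillog(text):
    """Return (re-injected id -> original id, list of (qid, recipient, relay, status))."""
    requeued, deliveries = {}, []
    for line in text.splitlines():
        m = REQUEUE_RE.search(line)
        if m:
            requeued[m.group(1)] = m.group(2)
            continue
        m = DELIVERY_RE.search(line)
        if m:
            deliveries.append(m.groups())
    return requeued, deliveries


def uninspected_deliveries(mtad_text, maillog_text, engine="AV"):
    """List final deliveries whose original message had the given engine's policy off.

    The hop to 127.0.0.1 is assumed to be the gateway's own scanning loop and is
    skipped; only deliveries to another relay count as mail that left unscanned.
    """
    off = parse_mtad(mtad_text)
    requeued, deliveries = parse_maillog(maillog_text)
    findings = []
    for qid, rcpt, relay, status in deliveries:
        if status != "sent" or relay.startswith("127.0.0.1"):
            continue
        orig = requeued.get(qid, qid)  # follow the re-injected id back to the original
        engines_off = off.get(orig, set())
        if engine in engines_off:
            findings.append((orig, rcpt, relay, sorted(engines_off)))
    return findings


if __name__ == "__main__":
    for orig, rcpt, relay, engines in uninspected_deliveries(MTAD_ELG, MAILLOG):
        print(f"{orig}: delivered to {rcpt} via {relay} with {', '.join(engines)} policy off")
```

Run against the real files (`$FWDIR/log/mtad.elg` and `/var/log/maillog`) this turns the symptom in the thread, mail delivered with no Detect/Prevent log, into a list of queue ids and recipients, which is also what TAC will ask for. An empty list for a message that carried EICAR means the engine ran and simply did not report "policy off", so the problem lies elsewhere.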
Are other blades such as Threat Emulation active here?
Is the mail communication TLS encrypted and MTA configured with this in mind?
Threat Emulation and Threat Extraction blades are inactive.
Also the communication is TLS encrypted, and the MTA has the certificate and private key installed.
So you don't see any Prevent/Detect logs for mail passing the MTA, only Accept entries?
No, just normal Delivered entries.
Also please see my settings and logs in the previous posts.
Sorry in case I was unclear; I was referring to the logs as seen in the SmartConsole log view.
No there are no Detect or Prevent logs in SmartDashboard.
But as I mentioned, I do not have Threat Extraction or Threat Prevention blades activated (nor licensed).
Anti-virus should generate similar Detect/Prevent logs, not just the other blades.
In your Anti-virus blade configuration, have you reviewed the "file types" configuration? How is it currently set, anything specific for txt files?
I checked the Threat Prevention rule generated when I enabled the MTA, and the AV was set to "Process file types known to contain malware".
Now I changed it to "Process specific file type families", where the txt file is set to Inspect. But I do not see any detection logs from the AV.
For your information: sk142552: How to get a list of file types analysed by Anti-Virus when selecting "Process file types ...
Suggest contact TAC to continue reviewing your scenario at this point.
Many thanks, I will contact TAC.
Hi,
Once a TAC engineer told me that we need TE, TX or Anti-Spam enabled to work with MTA. I am not sure about it, but you can try to enable one of those blades and check. The reason TAC gave me is that the admin guide says "The MTA works with these blades: Threat Emulation, Threat Extraction, and Anti-Spam and Mail Security."
Regards
Anti-Spam and Mail Security is enabled; TE and TX are not, as I do not have a license for those.
I will try to contact TAC and see what they suggest.
Thank you!
