Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
I've been wondering the same thing. The closest thing I could find is under Manage & Settings --> Blades --> Threat Prevention, it seems the decision to Block / Allow when file size is exceeded depends on whether you have the Fail Mode configured to fail-open or fail-closed?
I haven't found a similar looking setting anywhere else. But, it seems to me, you may want the behavior of these two things to be very different. I.E. allow large files but still fail-closed if there is an issue with Threat Prevention blades.
I'd love to hear if there's something I missed. But, I agree, this behavior seems different than how it was handled in R77.30.
So we need to be more specific here:
1) AV Signature check
This is a file hash check against our big Threat Cloud database. The hash is calculated "on the fly" on a file without the need to reassemble the packets. Afaik this AV scanning engine does not have any file size limit. Most AV catches come from this engine
2) AV deep scan and archive scan
This is where we need to reassemble packets into a file to do deep scan (heuristic scan with an AV engine) or archive scanning (because we need to unpack the files from the archive). This scan engine has the default file size limit of 150MB mentioned already (configurable via GUIDBEDIT)
3) Fail mode
all of the above AV engines and also AB & TE are handled by the Engine Fail-Mode setting shown above in case of errors:
There is also a way to set fail-mode on specific blades (AV,AB,TE) only if necessary.
Afaik all of the above also applies to R80.
Regards Thomas
