This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vinicius_Olivei
Participant
‎2018-06-08 11:49 AM

Maximum file size to scan and action taken in R80.10

Hi guys,

in R77.30 we had the option to configure the maximum file size to be scanned and what action to be taken if file size exceeded by Threat Prevention Blade. Now in R80.10 I know we can still set the file size using DBEdit (sk93616). But what about the action to be taken if the file size exceeds? Is it still possible to set in R80.10?
Regards,
Vinicius Oliveira

Preview file
33 KB
3 Replies
Daniel_Taney
Advisor
‎2018-06-08 01:09 PM

I've been wondering the same thing. The closest thing I could find is under Manage & Settings --> Blades --> Threat Prevention, it seems the decision to Block / Allow when file size is exceeded depends on whether you have the Fail Mode configured to fail-open or fail-closed?

I haven't found a similar looking setting anywhere else. But, it seems to me, you may want the behavior of these two things to be very different. I.E. allow large files but still fail-closed if there is an issue with Threat Prevention blades.

I'd love to hear if there's something I missed. But, I agree, this behavior seems different than how it was handled in R77.30.

R80 CCSA / CCSE
Vinicius_Olivei
Participant
‎2018-06-08 01:34 PM
In response to Daniel_Taney

Hey Daniel,

I wonder if when a file size is exceeded in AV blade (Not emulation), it generates an internal system error (Or just a log entry??) and then the Fail Mode is applied.

Thank you for your contribution.

Best regards,

Vinicius Oliveira

Thomas_Werner
Employee Alumnus
Employee Alumnus
‎2018-06-18 09:05 AM
In response to Vinicius_Olivei

So we need to be more specific here:

1) AV Signature check

This is a file hash check against our big Threat Cloud database. The hash is calculated "on the fly" on a file without the need to reassemble the packets. Afaik this AV scanning engine does not have any file size limit. Most AV catches come from this engine

2) AV deep scan and archive scan

This is where we need to reassemble packets into a file to do deep scan (heuristic scan with an AV engine) or archive scanning (because we need to unpack the files from the archive). This scan engine has the default file size limit of 150MB mentioned already (configurable via GUIDBEDIT)

3) Fail mode

all of the above AV engines and also AB & TE are handled by the Engine Fail-Mode setting shown above in case of errors:

There is also a way to set fail-mode on specific blades (AV,AB,TE) only if necessary.

Afaik all of the above also applies to R80.

Regards Thomas

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events