ld3d
Participant

Threat Emulation always emulate same files

Hello CheckMates,

My colleagues are using a website which deals with researching subjects. Every day, colleagues have to download a couple of documents in pdf format from that website. Nothing special: the pdfs are approximately up to 5 MB in size and contain various PowerPoint presentations.

However, the problem is the following:

Each time, the same document is subject to emulation - even though it was previously emulated. So, every time a new MD5 / SHA1 is created for the pdf, which causes colleagues to wait unnecessarily. (for every document from that web site)

With other web-sites, this is not the case. ThreatEmulation works correctly, and when a document is downloaded, it remains in the cache and the same MD5 remains written for it (for a certain time as configured).

Do you have experience with this problem?

Please note that we do not have any other options set for this specific website, and no exceptions. They are subject to the inspection and profile we use for other websites.

Thanks in advance!

0 Kudos
8 Replies
G_W_Albrecht
Legend

I would contact TAC to address this issue!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Chris_Atkinson
Employee

If the MD5 / SHA changes this implies it's a different file (edited) or printed / rendered on-demand.

Have you compared similar files downloaded externally? (Does it always have the same file hash when TE is not in play).

Is the site trusted to the point where an exception would be a valid approach or no?

CCSM R77/R80/ELITE
0 Kudos
ld3d
Participant

Hello Chris,

Colleagues on that website have a certain number of pdf documents that they download. The documents are always the same, updated perhaps on a monthly basis; however, each time the same documents are emulated anew. They simply click on the link and wait for the preview - and it takes 5 or more minutes, because the emulation is on. They don't do a print preview or anything else, they just click on the download of a specific document.

The confusion comes from this because it always happens for that particular website. For other websites, when doing a pdf download, the MD5 remains the same and in the cache for a certain time.

I asked my colleagues for an external download - I'm waiting for an answer.

Thank you!

0 Kudos
ld3d
Participant

Hello Chris,

For your reference, we have tried the download externally. It works without wait times....

Any suggestions?

Thanks!

0 Kudos
Chris_Atkinson
Employee

This is not what I asked, each time the file is downloaded does it have the same MD5 / Hash or no?

If the hash is always the same it is most valid to pursue investigation further with TAC otherwise you may need to implement exceptions.

CCSM R77/R80/ELITE
0 Kudos
ld3d
Participant

Hi Chris,

Sorry, I forgot to mention that - every time we are getting a new MD5/SHA1 hash....

Although it is always the same file (which is also visible from the link of that file). Every time we refresh the browser, TE is activated and makes a new emulation for the same file.

Thanks.

0 Kudos
PhoneBoy
Admin

If the hash of the file is different every time, we will emulate the file each time it is downloaded.
That is expected behavior as we do not see the files as identical.

0 Kudos
the_rock
Legend

I also tend to agree with Chris and PhoneBoy here. If there is a different md5/hash, then the TE blade will see that as a new file and emulate it separately.

0 Kudos
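
The check asked for in the thread (does each download of the same link have the same MD5 / SHA1?), as an added example that is not part of the original posts and is not Check Point tooling: it hashes two saved copies and, when they differ, shows which bytes changed. The `sample_pdf` input is constructed, and its per-download `/CreationDate` stamp is an assumption about one way a server can render a file on demand, not something the thread establishes.

```python
import hashlib

def digests(data: bytes) -> dict:
    # MD5 and SHA-1 are the two hashes quoted in the thread.
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def changed_spans(a: bytes, b: bytes, gap: int = 8) -> list:
    """Spans (start, end_in_a, end_in_b) where two copies differ."""
    if len(a) != len(b):
        # Lengths differ: strip the common prefix and suffix, report the rest.
        limit = min(len(a), len(b))
        p = 0
        while p < limit and a[p] == b[p]:
            p += 1
        s = 0
        while s < limit - p and a[-1 - s] == b[-1 - s]:
            s += 1
        return [(p, len(a) - s, len(b) - s)]
    spans = []
    for i, (x, y) in enumerate(zip(a, b)):
        if x == y:
            continue
        if spans and i - spans[-1][1] <= gap:   # merge nearby differences
            spans[-1] = (spans[-1][0], i + 1, i + 1)
        else:
            spans.append((i, i + 1, i + 1))
    return spans

def compare_downloads(a: bytes, b: bytes, context: int = 32) -> dict:
    """Compare two downloads of the same link and show what changed."""
    report = {"first": digests(a), "second": digests(b), "regions": []}
    report["identical"] = report["first"] == report["second"]
    if not report["identical"]:
        for start, end_a, end_b in changed_spans(a, b):
            report["regions"].append({
                "offset": start,
                "before": a[max(0, start - context):start],  # hints at the field
                "first": a[start:end_a],
                "second": b[start:end_b]})
    return report

def sample_pdf(stamp: bytes) -> bytes:
    # Constructed stand-in for a server-generated PDF, not a real capture.
    return (b"%PDF-1.4\n1 0 obj\n<< /Title (Quarterly research deck) "
            b"/CreationDate (D:" + stamp + b") >>\nendobj\n2 0 obj\n"
            b"<< /Length 11 >>\nstream\nslide bytes\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    r = compare_downloads(sample_pdf(b"20240101080000"), sample_pdf(b"20240101080512"))
    print(r["identical"], r["regions"])
```

For real files, pass `pathlib.Path(path).read_bytes()` for two copies saved from the same link, ideally fetched without Threat Emulation in the path.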
