Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Harm_United
Participant

Virus mails slipping trough the firewall

hi all,

as this is my first post on here please forgive me if i'm not fully confirming to board standards 😉 let me know and i will adjust 🙂

the thing i have noticed is that our firewall quite often allows for virus infected emails to pass trough the firewall altough our antivirus blade and antispam blades are turned on. i have been looking at the configuration and as far as i could see this should just work.

Please let me start with explaining how the email flow is setup at our end,

the email is first delivered to our Spam Filter in our DMZ this is the first time the traffic passes the firewall with protocol inspection then the spam filter does it's magic on the mail and then passes the email to our exchange server in a second DMZ so passing the firewall a second time. and again doing protocol inspection.

the other day i had an Endpoint Security allert again from our ESET virus scanner on a client system telling me that it had found and deleted a Virus from the system: trojan;VBA/TrojanDownloader.Agent.DZ

i'm starting to doubt that the protocol inspection and AntiVirus - AntiSpam blades do not function the correct way. as i have been searching for the issue for a bout 6 months now also together with support i thought lets ask the experts on the Checkmates Forum.

what can i do / test / check to make sure the firewall pick out these emails containing this kind of nasty attachments ?

 

9 Replies
Vladimir
Champion
Champion

@Harm_United , few questions to get a better idea of what is going on here:

1. Are you using default (Kaspersky) AV engine on Check Point, or have you disabled it and are using alternate engine?

2. What is the depth of the archive scanning that you have configured in AV blade and do you have it enabled?

3. Are you using S/MIME signed email?

4. Do you have Mail AV configured to scan all files or "known to contain"?

5. You have mentioned the ESET discovering the virus on the endpoint, but was it discovered in the email?

6. Do you have an AV on your Exchange box? If yes, was the same virus discovered on it as well?

Harm_United
Participant

@Vladimir 

1. Are you using default (Kaspersky) AV engine on Check Point, or have you disabled it and are using alternate engine?

where using the default kaspersky engine

2. What is the depth of the archive scanning that you have configured in AV blade and do you have it enabled?

The nesting level is set to 7 at the moment. and if nesting exceeds the set level its set to block the file.

3. Are you using S/MIME signed email?

No, the emails are standard emails. and the emails recieved with virusses are standerd emails as well

4. Do you have Mail AV configured to scan all files or "known to contain"?

At the moment its set to all files.

5. You have mentioned the ESET discovering the virus on the endpoint, but was it discovered in the email?

Eset Triggerd on the virus in Outlook.exe

6. Do you have an AV on your Exchange box? If yes, was the same virus discovered on it as well?

Nope there is no AV on the exchange system. there is on the baracuda

0 Kudos
Vladimir
Champion
Champion

Hmm... DO you have your gateway configured as MTA with the cert of your anti-spam appliance?

It almost seems as if you are passing encrypted mail through the Check Point without actually scanning it.

Take a look here:

https://community.checkpoint.com/t5/IPS-Anti-Virus-and-Anti-Bot/Email-MTA-setup/td-p/15007

and here:

https://community.checkpoint.com/t5/SandBlast-Network/R80-20-R80-10-MTA-now-includes-AV-blade-featur...

0 Kudos
Tal_Paz-Fridman
Employee
Employee

Try running the same flow with Threat Emulation blade enabled.

It should catch the file.

Thanks

Tal

Harm_United
Participant

the thread emulation is turned on 😉
0 Kudos
Harm_United
Participant

Hi,

 

at the moment the Firewall is not set to be the MTA. and the Appliance is only passing the emails ons standard SMTP towards the Exchange host to have no issues with certificates 😉

0 Kudos
Harm_United
Participant

The Thread Emulation blade is enabled and running 🙂
0 Kudos
Cyber_Serge
Collaborator

When we setup Check Point gateway as MTA agent it improve the scan result for us. Using Threat Emulation blade will also help, and it will detect email with malicious link in them
0 Kudos
TP_Master
Employee
Employee

I agree.

Your described environment is classic for MTA deployment. It will catch e-mails traversing through the GW using TLS, and will improve the prevention rate.

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events