This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
RS_Daniel
Advisor
‎2023-02-14 08:30 AM

When are URL's/domains categorized by Anti-Virus?

Hi CheckMates,

I have a doubt about AntiVirus blade, hope someone can clarify this.

I need to know when a URL/domain is categorized by AntiVirus blade. According to "ATRG: Anti-Bot and Anti-Virus":

Accessed URLs are checked by the gateway's caching mechanisms or sent to the ThreatCloud repository to determine if they are permissible or not.

I understand that all accessed URL's are checked against ThreatCloud repository (checking first local cache). But if that is true, if i have categorization mode to hold, every page should be blocked first time is accesed while categorization is done, and a log with action "detect" should be generated. That would be a problem with legitimate web sites like checkpoint.com or apple.com.

However, i tested that scenario, and legitimate pages are never blocked, and no AntiVirus logs are generated. I only get blocked when visiting a suspicious or malicious site/domain. So it seems that only sites/domains suspected to be malicious are categorized by AntiVirus? how is it determined if categorization is done or not by AntiVirus blade?

 

Checked the same behavior on R81 Jumbo 69 and R81.10 Jumbo 79

 

Regards

0 Kudos
4 Replies
Chris_Atkinson
Employee Employee
Employee
‎2023-02-14 12:54 PM

For context how is DNS resource classification set in your environment currently?

Also topology wise where is the queried DNS server positioned relative to the end user and gateway?

sk92224: Optimizing the categorization of DNS traffic by changing the Resource Classification Mode, for Anti-Virus and Anti-Bot

sk89340: Traffic latency might be caused by Anti-Bot / Anti-Virus resource categorization mode set to 'Hold'

CCSM R77/R80/ELITE
0 Kudos
RS_Daniel
Advisor
‎2023-02-15 04:57 AM
In response to Chris_Atkinson

Hello Chris and PhoneBoy,

 

DNS resource classification was by default:

 

[resource_classification_mode]
dns=bg
http=policy
smb=policy
smtp=policy
ftp=policy

 

Phoneboy does that mean that every new URL/domain will be categorized? including well known sites? in this case, a log should be generated? either it is on hold or bg?

 

Regards

Regards

0 Kudos
PhoneBoy
Admin
Admin
‎2023-02-15 10:47 AM
In response to RS_Daniel

Yes, assuming the DNS query goes through the Security Gateway.
I don’t believe a log is generated in background mode unless the site is malicious, though.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-02-14 02:09 PM

If the gateway sees the client's DNS lookup first, then that is used for classification.
Otherwise, it will categorize on the first page load.
This lookup usually happens fairly quick and you may not even notice it.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events