This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bernhard
Participant
‎2022-02-23 09:17 AM

Whitelist exe files within blocked file type

Hi,

i have a strange behaviour with whitelisting of some exe files in AV.

Anti Virus is configured to block every exe file

blockfiletype.png

Now i want to exclude some exe files for donwloading. For example:

I tried these without luck:

  • I calculated MD5 of each file and added it to Whitelist Files under Threat Tools and added them in a rule in Global Exceptios
  • I clicked add exception ... in the log window of the blocked file. This creates an exception rule


But both versions didn´t work, the files are still blocked with "Forbidden Filetype" in Anti-Virus.

Any ideas?
Is whitelisting within blocked file type working at all?
I couldn´t find any further information about this behaviour ....

BR,
Bernhard

0 Kudos
2 Replies
Timothy_Hall
Legend Legend
Legend
‎2022-02-24 06:26 AM

I'm not 100% on this, but based on how passive streaming works the file header (magic number) will be encountered first.  If you are set to block EXE files that match (and block) will occur before the entire file has been seen and a MD5 calculated for possible matching against your whitelist.  Assuming this is the case, I can think of a couple of possible workarounds:

1) Enable Deep Scanning for the exe file type only, but be warned that this may dramatically increase CPU load on the firewall depending on how much traffic you are inspecting with Anti-Virus.  Deep Scanning will force the entire file to be streamed, reconstructed and then scanned.  This may avoid the file being dropped early before the whitelist MD5 can be matched, but I don't think you will be able to block all other exe's.

2)  Try creating a custom indicator MD5 signature for the file, although I'm not sure if these are matched before the file header check.  See the "Indicators" section of sk92264: ATRG: Anti-Bot and Anti-Virus

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Bernhard
Participant
‎2022-02-28 12:13 AM
In response to Timothy_Hall

Hi Timothy,

i think you are right!

By now, i haven´t found a way to whitelist blocked exe files 😞

No output from opened TAC case ...

Custom indicator didn´t work. Maybe because your assumption "2", that blocking according magic header happens before MD5 hash check, is the reason.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events