Miguel_Barrios inside SandBlast Network yesterday
views 604 3 2

Zero-Day Malicious File Gets Blocked but Hash Put in Benign Cache in TE

Hello CheckMates!

I would like your opinion on the following behavior of Threat Emulation.

One of our customers with a local TE250X appliance experienced a serious issue during a malware campaign: the first malicious file that arrived at the appliance (via MTA) was prevented by TE, as it should be. However, the following files with the same hash were allowed (and thus received in mailboxes)!

I had understood that if a file is detected as malicious it should be put in the malicious cache, so we were very surprised to find all these hashes in the benign cache instead of the malicious one. The same happened for more files that arrived that day. As you can see in the photo, all files had one thing in common: Severity High and Confidence N/A. The Optimized profile is in use (the engine version at that time was 58.990000492).

We tried debugging with the same files later that day, but the confidence level changed to HIGH and the files were put in the malicious cache correctly.

So now we have the following concerns:
Is it expected behavior (putting the file in the benign cache) when the file's confidence cannot be determined, even if the severity already has a level (High in this case)?
How does Check Point determine the confidence level for security events?

We currently have a case open with TAC but, despite having already sent a lot of information, they could not explain this behavior yet. Has someone experienced the same? I will appreciate your comments.

Deleting a single SNORT Protection

Team, I have a customer who has been using SNORT protections for a while. They recently updated some more SNORT protections, but now they want to delete a single SNORT protection. Is this possible? Looking at the admin guide, it seems we can only delete all the SNORT protections at once. Please advise of any workarounds available!
Diego_Vigano inside IPS, Anti-Virus, and Anti-Bot yesterday
views 303 11 1

Anti-Bot protection "Trojan.Win32.Password-Unencrypted.A"

Hi,

Yesterday, during the automatic scheduled update, a protection named "Trojan.Win32.Password-Unencrypted.A" was installed, blocking all HTTP connections. As a workaround I changed the protection from "prevent" to "detect".

Now I can't find the protection in my database or in the wiki. What happened? How can I know if the protection was retired?

Kind regards,
Diego

IPS ver2 signatures

Hello CheckMates,

I often notice multiple versions of the same signature (same CVE), but marked with '- ver2' at the end of the name. Should this be considered an improved signature of the original (hence it's better to make the normal one Inactive and use the ver2 one), or should this be considered more like a different attack vector for the same vulnerability?

It's a bit confusing, since the old signatures don't get disabled or get something added to their description to clarify. Other times I see improved signatures marked explicitly with '- High confidence' or '- Improved confidence' at the end of the name. So I decided I might as well go and ask 🙂

Kind regards,
Nik Bloemers
chico inside SandBlast Network yesterday
views 72 4

SMTP Emulation

Hello everybody,

I'm new to Check Point devices and I have a question about SandBlast for SMTP.

Recently Check Point blocked an attachment in a customer document. It was a Word (.doc) document and, looking at the logs, I can see that the document was blocked by the protection named "Exploited doc document". If I look at the forensic details, I can see that the vulnerable operating systems were (as shown in the attached file):
Win7
WinXP

So if I use a Windows 10 operating system, can I download the document safely?

Regards,
Fedor_Agafonov1 inside SandBlast Network yesterday
views 46 7

Threat Emulation Terminating VM due to error: failed to start tap interface

Hi,

After updating the image on the SandBlast appliance T250 (Gaia R80.20), the VM does not start. Error: Terminating VM due to error: failed to start tap interface

Emulator log:
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} Adding emulation request on Image: '10b4a9c6-e414-425c-ae8b-fe4dd7b25244', Run: 1, Priority: normal (0 requests in queue, 0 running emulation VMs)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} Adding emulation request on Image: '3ff3ddae-e7fd-4969-818c-d5f1a2be336d', Run: 1, Priority: normal (1 requests in queue, 0 running emulation VMs)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} Adding emulation request on Image: '5e5de275-a103-4f67-b55b-47532918fa59', Run: 1, Priority: normal (2 requests in queue, 0 running emulation VMs)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} Adding emulation request on Image: '5e5de275-a103-4f67-b55b-47532918fa59HPS', Run: 1, Priority: normal (3 requests in queue, 0 running emulation VMs)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 12 KeyPoint: creation. is_hps=0
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::VMloader::CreateTapInterface: failed to set IP address '169.254.0.1' to interface 'vm-if0, netmask: 255.255.255.252)
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::VmResources::ConsumedRes::StartTap: failed to create tap vm-if0 169.254.0.1/255.255.255.252
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 12 KeyPoint: Terminating VM due to error: failed to start tap interface
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::EmulatingVM::TerminateWithError: VM 12 (Creation In Process): Terminating VM due to error: failed to start tap interface
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 12 KeyPoint: Terminating (error occured? 1, detected events: 0 malicious, 0 benign)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 12 KeyPoint: destroying. max number of files: 0. life time: 0
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::VMrepository::CreateNewVM: VM 12 failed to start
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} verdict 'Error' set for image: '3ff3ddae-e7fd-4969-818c-d5f1a2be336d' (Win7 64b,Office 2010,Adobe 11) by: 1, reason: Failed to create VM for Win7 64b,Office 2010,Adobe 11
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} investigator 'emulator' reporting back (status: still working)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 13 KeyPoint: creation. is_hps=0
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::VMloader::CreateTapInterface: failed to set IP address '169.254.0.1' to interface 'vm-if0, netmask: 255.255.255.252)
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::VmResources::ConsumedRes::StartTap: failed to create tap vm-if0 169.254.0.1/255.255.255.252
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 13 KeyPoint: Terminating VM due to error: failed to start tap interface
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::EmulatingVM::TerminateWithError: VM 13 (Creation In Process): Terminating VM due to error: failed to start tap interface
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 13 KeyPoint: Terminating (error occured? 1, detected events: 0 malicious, 0 benign)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 13 KeyPoint: destroying. max number of files: 0. life time: 0
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::VMrepository::CreateNewVM: VM 13 failed to start
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} verdict 'Error' set for image: '5e5de275-a103-4f67-b55b-47532918fa59' (Win7,Office 2013,Adobe 11) by: 1, reason: Failed to create VM for Win7,Office 2013,Adobe 11
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} verdict 'Error' set for image: '5e5de275-a103-4f67-b55b-47532918fa59HPS' () by: 40, reason:
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} investigator 'emulator' reporting back (status: still working)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 14 KeyPoint: creation. is_hps=1
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::VMloader::CreateTapInterface: failed to set IP address '169.254.0.1' to interface 'vm-if0, netmask: 255.255.255.252)
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::VmResources::ConsumedRes::StartTap: failed to create tap vm-if0 169.254.0.1/255.255.255.252
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 14 KeyPoint: Terminating VM due to error: failed to start tap interface
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::EmulatingVM::TerminateWithError: VM 14 (Creation In Process): Terminating VM due to error: failed to start tap interface
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 14 KeyPoint: Terminating (error occured? 1, detected events: 0 malicious, 0 benign)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 14 KeyPoint: destroying. max number of files: 0. life time: 0
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::VMrepository::CreateNewVM: VM 14 failed to start
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} verdict 'Error' set for image: '5e5de275-a103-4f67-b55b-47532918fa59HPS' () by: 1, reason: Failed to create VM for
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} verdict 'Error' set for image: '5e5de275-a103-4f67-b55b-47532918fa59' (Win7,Office 2013,Adobe 11) by: 40, reason:
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} investigator 'emulator' reporting back (status: still working)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 15 KeyPoint: creation. is_hps=0
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::VMloader::CreateTapInterface: failed to set IP address '169.254.0.1' to interface 'vm-if0, netmask: 255.255.255.252)
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::VmResources::ConsumedRes::StartTap: failed to create tap vm-if0 169.254.0.1/255.255.255.252
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 15 KeyPoint: Terminating VM due to error: failed to start tap interface
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::EmulatingVM::TerminateWithError: VM 15 (Creation In Process): Terminating VM due to error: failed to start tap interface
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 15 KeyPoint: Terminating (error occured? 1, detected events: 0 malicious, 0 benign)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 15 KeyPoint: destroying. max number of files: 0. life time: 0
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::VMrepository::CreateNewVM: VM 15 failed to start
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} verdict 'Error' set for image: '10b4a9c6-e414-425c-ae8b-fe4dd7b25244' (Win10 64b,Office 2016,Adobe DC) by: 1, reason: Failed to create VM for Win10 64b,Office 2016,Adobe DC

Thanks.
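The emulator log in the post above repeats the same three-line pattern for every VM (tap interface cannot take 169.254.0.1, VM terminated, image verdict set to 'Error'), which is easy to miss in a run-together dump. Below is an added example, not Check Point code and not from the poster, that parses lines in that layout and boils them down to the per-VM error, the per-image verdict and a count of the underlying cause. SAMPLE_LOG is a constructed, shortened copy of the excerpt so it runs offline; the path of the emulator log on the appliance is not given in the post, so the script simply reads whatever file it is handed.

```python
"""Summarise Threat Emulation VM start-up failures from emulator log lines.

Added example, not Check Point code. The line layout ([pid tid][timestamp]
[component] message) and the message texts are taken from the log excerpt in
the post above; SAMPLE_LOG is a constructed, shortened copy of that excerpt
so the script runs offline. The log's location on the appliance is not
stated in the post, so the script reads whatever path it is given.
"""
import re
import sys
from collections import Counter

# [18146 4076272128][21 May 1:40:24] [TE_TRACE]: msg   or   [...] [TE (TD::Surprise)] msg
HEADER = re.compile(
    r"^\[(?P<pid>\d+) (?P<tid>\d+)\]\[(?P<ts>[^\]]+)\] \[(?P<comp>[^\]]+)\]:? ?(?P<msg>.*)$"
)
# KeyPoint line that records why a VM was torn down
VM_ERROR = re.compile(r"VM (?P<vm>\d+) KeyPoint: Terminating VM due to error: (?P<err>.+)$")
# Lower-level cause that precedes it in this excerpt: the tap interface could not get its IP
TAP_FAIL = re.compile(r"failed to set IP address '(?P<ip>[^']+)' to interface '(?P<ifname>[^,']+)")
# Per-image outcome: verdict 'Error' set for image: '<id>' (<desc>) by: <n>, reason: <text>
VERDICT = re.compile(
    r"verdict '(?P<verdict>[^']+)' set for image: '(?P<image>[^']+)' "
    r"\((?P<desc>[^)]*)\) by: (?P<by>\d+), reason: ?(?P<reason>.*)$"
)

# Constructed sample: a shortened copy of the excerpt in the post (VMs 12 and 13 only)
SAMPLE_LOG = """\
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 12 KeyPoint: creation. is_hps=0
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::VMloader::CreateTapInterface: failed to set IP address '169.254.0.1' to interface 'vm-if0, netmask: 255.255.255.252)
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::VmResources::ConsumedRes::StartTap: failed to create tap vm-if0 169.254.0.1/255.255.255.252
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 12 KeyPoint: Terminating VM due to error: failed to start tap interface
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} verdict 'Error' set for image: '3ff3ddae-e7fd-4969-818c-d5f1a2be336d' (Win7 64b,Office 2010,Adobe 11) by: 1, reason: Failed to create VM for Win7 64b,Office 2010,Adobe 11
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 13 KeyPoint: creation. is_hps=0
[18146 4076272128][21 May 1:40:24] [TE (TD::Surprise)] te::Emulation::VMloader::CreateTapInterface: failed to set IP address '169.254.0.1' to interface 'vm-if0, netmask: 255.255.255.252)
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: VM 13 KeyPoint: Terminating VM due to error: failed to start tap interface
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} verdict 'Error' set for image: '5e5de275-a103-4f67-b55b-47532918fa59' (Win7,Office 2013,Adobe 11) by: 1, reason: Failed to create VM for Win7,Office 2013,Adobe 11
[18146 4076272128][21 May 1:40:24] [TE_TRACE]: {E5FDCED7-A838-5743-B9A0-59E0701233E1} verdict 'Error' set for image: '5e5de275-a103-4f67-b55b-47532918fa59HPS' () by: 40, reason:
"""


def parse_line(line):
    """Split one emulator line into header fields and message; None if it is not one."""
    m = HEADER.match(line.strip())
    return m.groupdict() if m else None


def summarise(lines):
    """Return per-VM termination errors, per-image Error verdicts and a count of root causes."""
    vm_errors = {}
    image_errors = {}
    causes = Counter()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        m = VM_ERROR.search(msg)
        if m:
            vm_errors[int(m.group("vm"))] = m.group("err")
            continue
        m = TAP_FAIL.search(msg)
        if m:
            causes["cannot assign %s to %s" % (m.group("ip"), m.group("ifname"))] += 1
            continue
        m = VERDICT.search(msg)
        if m and m.group("verdict") == "Error":
            entry = image_errors.setdefault(m.group("image"), {"desc": m.group("desc"), "reasons": []})
            if m.group("reason"):  # the 'by: 40' follow-up line carries an empty reason
                entry["reasons"].append(m.group("reason"))
    return {"vm_errors": vm_errors, "image_errors": image_errors, "causes": causes}


def report(summary):
    """Short text a TAC case or a colleague can read without the raw log."""
    lines = ["%d VM(s) failed to start: %s" % (
        len(summary["vm_errors"]),
        ", ".join("VM %d (%s)" % (vm, err) for vm, err in sorted(summary["vm_errors"].items())))]
    for cause, n in summary["causes"].most_common():
        lines.append("root cause seen %d time(s): %s" % (n, cause))
    for image, info in summary["image_errors"].items():
        lines.append("image %s [%s]: %s" % (image, info["desc"] or "no description",
                                            "; ".join(info["reasons"]) or "no reason logged"))
    return "\n".join(lines)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(summarise(text.splitlines())))
```

Run it against the saved emulator log (python3 te_summary.py saved.log) or with no argument to see the sample. On the excerpt in the post every VM dies on the same cause, the tap interface refusing 169.254.0.1/30, so the report collapses four VM failures and five image verdicts into one line that points at host networking on the appliance rather than at the images themselves.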
Peter_Elmer (Employee) inside SandBlast Network Wednesday
views 136 1 2

Improved User Experience For Zero-Day Attack Prevention in R80.30

In R80.30 the user experience when downloading a file in a browser window while the gateway performs Zero-Day attack prevention has improved. You now see a status bar showing the download progress. This video shows the R80.30 gateway configuration and the user experience. Learn how to configure the gateway working in hold mode, providing prevention for known and unknown attacks.

High bandwidth consumed by blocked traffic in SmartEvent report

Hi everyone,

The SmartEvent report is showing blocked traffic consuming heavy bandwidth, which is shown in the High Bandwidth category. We are not able to comprehend why it is being shown in the High Bandwidth application category, and is our internet traffic affected by the Check Point blocking rules?

Screenshot is attached herewith.

Is there SNI support for inbound HTTPS inspection in R80.20?

Hi,

On R80.20 gateways, can I do HTTPS inspection on inbound connections that require SNI, since on the server there are some virtual hosts with different certificates? If yes, how? Thanks in advance.

IPS Protection available for critical Windows vulnerability (CVE-2019-0708)- Protect Yourself NOW

***IPS PROTECTION NOW AVAILABLE***

Check Point has released an IPS protection (Severity: Critical) for CVE-2019-0708 as an immediate response. It is added to our previous recommendations to patch vulnerable systems and disable RDP if not needed. See full details: https://www.checkpoint.com/defense/advisories/public/2019/cpai-2019-0657.html

Previous recommendations
Tal_Eisner (Employee+) inside IPS, Anti-Virus, and Anti-Bot Tuesday
views 2232 1 5

Critical Vulnerability in Windows OS (CVE-2019-0708) - Announcement - ***UPDATED***

Critical Vulnerability in Windows OS - Code execution using Remote Desktop Protocol (CVE-2019-0708)

****IPS protection NOW AVAILABLE****

In Brief
In the last few days, Microsoft has released information about a critical vulnerability in the Windows operating system (CVE-2019-0708). This vulnerability allows remote code execution by an attacker directly from the network using the Remote Desktop Protocol (RDP) in Remote Desktop Services, and affects older versions of Windows used by many users worldwide. This attack may affect many computers in every sector and industry, including finance, healthcare, government, retail, industrial and others.

Key Risks:
An arbitrary attacker from the net can carry out a complete takeover of a private PC within public networks, such as Wi-Fi hotspots.
Embedded devices such as ATMs or IoT devices are most vulnerable to takeover.
PCs within an organization's network are also vulnerable to takeover using lateral movement within the network.

Why Is This So Important?
As this vulnerability is placed at the pre-authentication stage and does not require any user interaction, it would allow any arbitrary attacker on the internet to execute malicious code on a victim's private system and allow for a total takeover of a PC within any network, such as Wi-Fi hotspots, public networks and private and corporate networks. According to Microsoft, in order to exploit this vulnerability an attacker would have to send a specially tailored request to the target system's Remote Desktop Service via RDP. Given the nature of the vulnerability, once a host is infected there is great risk of lateral movement to infect other connected hosts on the same network.

To clarify the potential exploitation of this vulnerability, it could be used in a very similar manner to the 2017 WannaCry attack that caused catastrophic disruption and sabotage to thousands of organizations across all industries worldwide.

Who Is Affected?
Those using certain versions of Microsoft Windows 7 and Windows Server 2008 are at risk from this vulnerability. Customers running Windows 8 and Windows 10 are not affected by this vulnerability, due to these later versions incorporating more secure updates. Those most at risk, among others, are those working with embedded devices such as ATMs in the banking sector and IoT devices in the healthcare industry. This is due to older versions of Windows being known to be the systems behind these operations, as well as them being prized targets for cyber criminals. As a result, since this vulnerability was announced, security professionals in hospitals and banks have been working diligently to patch their systems.

How to Protect Yourself
We have released an IPS protection for CVE-2019-0708 as an immediate response - Click here
1. Block the RDP protocol on the Check Point gateway product and the endpoint SandBlast Agent. Instructions for Check Point R77.x and R80.x are detailed in the attached "how to guide" detailed in this post.
2. If you are using RDP for mission-critical systems, configure the Check Point gateway and endpoint product to accept connections only from trusted devices within your network. Instructions are included in the attached "how to guide" detailed in this post.
3. Disable RDP on your Windows PCs and servers (unless used internally) and deploy the Microsoft patch. Please note that your ability to identify vulnerable systems when used in IoT devices (corporate, finance, industrial and healthcare systems) is limited; therefore it is recommended to follow steps 1 & 2 even if the patch is installed.

Currently, while Check Point researchers are investigating this vulnerability and monitoring any relevant activity in the wild, we recommend all IT professionals to deploy Microsoft patches according to the MS Security Update Guide. See here a quick "how to" guide with detailed step-by-step instructions.

Check Point Security Gateway and Check Point CloudGuard IaaS
We need to decrease the risk by limiting and/or blocking the Remote Desktop Protocol service (port 3389). The following steps are applicable for both Check Point Network Security Gateway and Check Point CloudGuard IaaS products.
1. Open SmartDashboard.
2. Define a new rule, with an Access Role on the source.
3. Define as specifically as possible the source that will use the RDP service, such as:
   Users: trusted users
   Machines: specific machines within a trusted network
   *Note: A combination of both is preferred.
4. Define trusted users to use the Remote Desktop Protocol service.
5. On the Security Policy, in the rule base, make sure one rule will allow Remote Desktop Protocol as specifically as possible using the Access Role group, as seen in the above screenshots under TrustedUsers-Machines.

Check Point Endpoint Security SandBlast Agent
In the Endpoint Security server, configure the entire organization's Firewall policy to limit Remote Desktop Protocol (3389). Firewall policy rules are to be configured to allow only specific networks and machines, and can be applied to specific users.

Here are the OS versions vulnerable according to Microsoft:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
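The gateway steps above describe a rule pair (accept RDP only from a trusted Access Role, drop it from everywhere else) built by hand in SmartDashboard. As an added example, not Check Point's code and not the attached "how to guide", the script below produces the same two rules as Management API request bodies for add-access-rule, and then audits an existing rulebase for any rule that still accepts RDP from a source outside the trusted role, which is the check a practitioner wants before trusting that the new pair is effective. Assumptions, labelled in the code: the layer is the default "Network", the predefined TCP/3389 service object is named "Remote_Desktop_Protocol", "TrustedUsers-Machines" is the Access Role from the post, "RDP-Servers" is a host group you would create, and SAMPLE_RULEBASE is a constructed, simplified shape of a show-access-rulebase result (object names only, no UIDs).

```python
"""Least-privilege RDP rules as Management API bodies, plus a rulebase lint.

Added example, not Check Point code and not the "how to guide" attached to
the post. rdp_rules() builds the JSON bodies a client would POST to
/web_api/add-access-rule; lint_rdp() walks a rulebase and reports enabled
Accept rules that still let RDP in from an untrusted source.
Assumptions: LAYER, RDP_SERVICE and RDP_SERVERS below are object names I chose
or recall, not taken from the post; TRUSTED_ROLE is the Access Role the post
names. SAMPLE_RULEBASE is constructed.
"""
import json

LAYER = "Network"                          # assumed: default Access Control layer name
RDP_SERVICE = "Remote_Desktop_Protocol"    # assumed: predefined service object for TCP 3389
TRUSTED_ROLE = "TrustedUsers-Machines"     # Access Role named in the post
RDP_SERVERS = "RDP-Servers"                # assumed: group of hosts that legitimately accept RDP


def rdp_rules(position=1):
    """Bodies for add-access-rule. Order matters: the narrow Accept must sit above the Drop."""
    allow = {
        "layer": LAYER, "position": position,
        "name": "Allow RDP from trusted users and machines",
        "source": [TRUSTED_ROLE], "destination": [RDP_SERVERS],
        "service": [RDP_SERVICE], "action": "Accept", "track": {"type": "Log"},
    }
    drop = {
        "layer": LAYER, "position": position + 1,
        "name": "Drop all other RDP",
        "source": ["Any"], "destination": ["Any"],
        "service": [RDP_SERVICE], "action": "Drop", "track": {"type": "Log"},
    }
    return [allow, drop]


def to_api_json(rule):
    """The request body as it would be sent (Content-Type: application/json)."""
    return json.dumps(rule, indent=2)


def lint_rdp(rulebase, trusted_sources=(TRUSTED_ROLE,)):
    """Flag enabled Accept rules that admit RDP (or 'Any' service, which includes it)
    from any source other than the trusted ones. Disabled rules are skipped."""
    findings = []
    for rule in rulebase:
        if not rule.get("enabled", True) or rule["action"] != "Accept":
            continue
        services = set(rule["service"])
        if RDP_SERVICE not in services and "Any" not in services:
            continue
        untrusted = [s for s in rule["source"] if s not in trusted_sources]
        if untrusted:
            findings.append({
                "rule-number": rule["rule-number"], "name": rule["name"],
                "reason": "accepts %s from %s to %s" % (
                    "Any service (includes RDP)" if "Any" in services else "RDP",
                    ", ".join(untrusted), ", ".join(rule["destination"])),
            })
    return findings


# Constructed sample: a simplified show-access-rulebase dump (names only, no UIDs).
SAMPLE_RULEBASE = [
    {"rule-number": 1, "name": "Admin HTTPS to management", "enabled": True,
     "source": ["Admins-Role"], "destination": ["Mgmt-Servers"], "service": ["https"], "action": "Accept"},
    {"rule-number": 2, "name": "Legacy remote support", "enabled": True,
     "source": ["Any"], "destination": ["Branch-Hosts"], "service": [RDP_SERVICE], "action": "Accept"},
    {"rule-number": 3, "name": "Old vendor RDP", "enabled": False,
     "source": ["Vendor-Net"], "destination": ["Any"], "service": [RDP_SERVICE], "action": "Accept"},
    {"rule-number": 4, "name": "Allow RDP from trusted users and machines", "enabled": True,
     "source": [TRUSTED_ROLE], "destination": [RDP_SERVERS], "service": [RDP_SERVICE], "action": "Accept"},
    {"rule-number": 5, "name": "Internal outbound any", "enabled": True,
     "source": ["Internal-Net"], "destination": ["Any"], "service": ["Any"], "action": "Accept"},
    {"rule-number": 6, "name": "Cleanup", "enabled": True,
     "source": ["Any"], "destination": ["Any"], "service": ["Any"], "action": "Drop"},
]

if __name__ == "__main__":
    for body in rdp_rules():
        print(to_api_json(body))
    for f in lint_rdp(SAMPLE_RULEBASE):
        print("rule %d '%s': %s" % (f["rule-number"], f["name"], f["reason"]))
```

Two points the lint makes that the SmartDashboard steps alone do not: a rule whose service is Any still admits RDP, so an "internal outbound any" rule above the new pair leaves the lateral-movement path the post warns about wide open, and a broad Accept placed above the narrow pair wins regardless of how tight the pair is. Run the lint against a show-access-rulebase export after publishing the new rules, not just before.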
Omer_Shliva (Employee+) inside IPS, Anti-Virus, and Anti-Bot Tuesday
views 1490 5 6

An update regarding CVE-2019-0708, a Remote Code Execution vulnerability in Remote Desktop Services

As part of the Microsoft May release, MS has announced a Remote Code Execution vulnerability in Remote Desktop Services, CVE-2019-0708. At this time, there are no indications of the vulnerability being exploited in the wild or of the existence of a public PoC. Check Point researchers are investigating this and monitoring any relevant activity in the wild. Check Point's recommendation is to monitor affected systems and deploy the MS fix according to the MS Security Update Guide. Customers who do not need the Remote Desktop Protocol can block the protocol on the Gateway and Endpoint firewalls.

CVE-2019-0708

Do we have any IPS signature for CVE-2019-0708? What's the best recommendation in this case for our customers? Regards

DNS Malware trap - DNS servers

Hello CheckMates,

Can anyone explain to me what adding the internal DNS servers to the DNS trap configuration actually does? The only thing I can find in the documentation is 'to better help identify the origin of malicious requests', but it's not like we can see the client IP that the DNS request originates from.

I've built a test setup in VMs to compare the difference in the logs with and without the DNS server defined, and I see no difference in the log cards. This is with both the client-to-DNS-server and DNS-server-to-public-DNS requests going through the gateway.

I hope someone knows more about this.
Baasanjargal_Ts inside SandBlast Network Monday
views 31 1

I cannot enable Threat emulation blade on TE appliance

Policy installation error. The TE appliance is installed as a gateway. I cannot enable the Threat Emulation blade on the TE appliance. I added the TE to the Management server.