AnsweredAssumed Answered

SMTP encrypted session bypassed, yet attachments are emulated

Question asked by Santiago Platero on Oct 11, 2018

Hi community long time no see (dunno why these days can't login to CheckMates), I'm seeing some strange things in the Firewall and Threat Emulation logs, but first some context:

 

- R80.20 GA Management

- R80.10 Security Gateway, with Threat Emulation blade enabled (emulation occurs in the Check Point Cloud), MTA enabled and imported the SSL certificate of our local antispam to inspect TLS SMTP connections

 

The incoming email flow for our organization is like this:

- The MX entries for our mail domain has as its highest priority some servers provided by TrendMicro (the service it's called TrendMicro Cloud Pre-Filter), which basically work as a cloud antispam and receive the mails on a TLS session

- Then the cloud MTA forwards the email to our local antispam (also a TrendMicro VM appliance deployed on our DMZ) on a TLS session, which also analyze the incoming mail and then forward it to the Security Gateway (also on a TLS session, and if I'm not wrong it uses the SSL certificate I imported to the Security Gateway)

- The Security Gateway do its thing and forward the mail to the MS Exchange, and the mail arrives then to the client

 

The strange thing is I have a lot (A LOT) of SMTP traffic bypassed logs (encrypted session) in the Security Gateway, but also I have logs of the attachment of these TLS connection are been emulated, so it appears the Security Gateway can't decrypt the TLS connection, but in the same time it's capable to strip the attachment to upload for emulation?!

 

The header of some test mail I sent shows the connection between our antispam and the Security Gateway is in fact TLS and then I have a bypass log for the same email session:

 

X-MTA-CheckPoint: {5BBF4235-0-A00A8C0-129C07B6}
Received: from myantispam (unknown [10.10.0.4]) by Security Gateway
(Postfix) with ESMTPS id ACFF41B0FA6 for <splatero@domain.com.ar>; Thu, 11 Oct 2018 09:29:41 -0300 (ART)

 

The SMTP bypass log:

 

Time: 2018-10-11T12:29:42Z
Interface Direction: outbound
Interface Name: eth2
Email Control: SMTP Policy Restrictions
Email Session ID: 5BBF4235-7-A00A8C0-C0000001
Information: Encrypted session
Source: 10.10.0.4#
Source Port: 43182
Destination: 10.10.0.10
Destination Port: 25
IP Protocol: 6
Action: Bypass
Type: Log
Blade: Firewall
Service: TCP/25
Product Family: Access
Interface: eth2
Description: smtp Traffic Bypassed from (10.10.0.4) to 10.10.0.10

 

The TE log:

 

Time: 2018-10-11T12:29:46Z
Source: 10.10.0.4
Destination: 192.168.0.10
IP Protocol: 6
Destination Port: 25
Threat Prevention Rule Id:DA846A34-636B-4B7A-A75C-0F72DC130D1E
Scope: 192.168.0.10
File Name: test.pdf
File Type: pdf
File Size: 215615
File MD5: 265c632b5d24d09f1e20d763ab8f3ee4
File SHA1: a6e5d9577005cbb3e2ad013ee71d4baf85a2d299
File Sha256: 361d4f8bc67527b1e9d2231cc340a53a09d7935f4c9af99923f62227bd29ddda
Verdict: Benign
Analyzed On: Check Point Threat Cloud
Determined By: Win7,Office 2013,Adobe 11: static analysis. WinXP,Office 2003/7,Adobe 9: static analysis.
Protection Type: SMTP Emulation

 

Note: some log fields where deleted o modified to keep confidentiality of the organization.

 

So, the main question is: I should ignore the SMTP bypassed logs or I'm missing something?

 

My fear is I could be missing some potentially malicious attachment on incoming SMTP TLS traffic flows.

 

Thanks mates.

Outcomes