Amodi
Participant

MTA Antivirus

Hi, I have a HA cluster of two security gateways running R81.10 Jumbo Hotfix Take 95, and I'm experimenting with the MTA feature.

The MTA is configured and seems to be working properly (it forwards the incoming emails to our internal email server), but I can't get the Antivirus on the gateway to scan and eventually filter incoming mails.

I tested by sending emails having in the body the EICAR string, and also with emails having attached the EICAR as a txt file.

In every case the emails are passing through the gateway without being marked according to the policy defined on the gateways.

Please, can somebody give me some input on how to get the incoming emails processed by the antivirus engine?

Many thanks!

0 Kudos
16 Replies
Oliver_Fink
Advisor

What do you see in the logs?

Is the AV Blade activated for the cluster and Threat Prevention policy installed?

Do you have a subscription for AV?

What does the AV configuration look like?

0 Kudos
Amodi
Participant

Please see my settings:

Anti-bot and Antivirus settings

Active blades:


Logs from:

/var/log/maillog

Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtpd[31843]: 4RG4gR0MTHz57qTX: client=localhost[127.0.0.1]
Aug 2 11:21:07 2023 FW-CP-N2 postfix/cleanup[29796]: 4RG4gR0MTHz57qTX: message-id=<20230802112106.035442@host.dom1.tld>
Aug 2 11:21:07 2023 FW-CP-N2 postfix/qmgr[5580]: 4RG4gR0MTHz57qTX: from=<sender@dom1.tld>, size=1165, nrcpt=1 (queue active)
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtpd[31843]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtpd[32004]: connect from localhost[127.0.0.1]
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtp[32003]: Host offered STARTTLS: [127.0.0.1]
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtpd[32004]: 4RG4gR1hPwz4x5Tm: client=localhost[127.0.0.1], orig_queue_id=4RG4gR0MTHz57qTX, orig_client=localhost[127.0.0.1]
Aug 2 11:21:07 2023 FW-CP-N2 postfix/cleanup[29796]: 4RG4gR1hPwz4x5Tm: message-id=<20230802112106.035442@host.dom1.tld>
Aug 2 11:21:07 2023 FW-CP-N2 postfix/qmgr[5580]: 4RG4gR1hPwz4x5Tm: from=<sender@dom1.tld>, size=1386, nrcpt=1 (queue active)
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtp[32003]: 4RG4gR0MTHz57qTX: to=<recipient@dom2.tld>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.22, delays=0.17/0.01/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4RG4gR1hPwz4x5Tm)
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtpd[32004]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=2 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug 2 11:21:07 2023 FW-CP-N2 postfix/qmgr[5580]: 4RG4gR0MTHz57qTX: removed
Aug 2 11:21:07 2023 FW-CP-N2 postfix/smtp[32006]: 4RG4gR1hPwz4x5Tm: to=<recipient@dom2.tld>, relay=10.168.0.16[10.168.0.16]:2527, delay=0.19, delays=0.03/0.02/0.03/0.11, dsn=2.6.0, status=sent (250 2.6.0 <20230802112106.035442@host.dom1.tld> [InternalId=19554986098820, Hostname=internalMTA] 2231 bytes in 0.105, 20.575 KB/sec Queued mail for delivery)
Aug 2 11:21:07 2023 FW-CP-N2 postfix/qmgr[5580]: 4RG4gR1hPwz4x5Tm: removed

$FWDIR/log/mtad.elg

[2 Aug 11:21:07] [EMAIL_MTA (NOTICE)] emaild_new_connection(): [fw_conn_id=58, emaild_context_id=548366279] New connection.
[2 Aug 11:21:07] [EMAIL_MTA (NOTICE)] pre(): sender='sender@dom1.tld'
[2 Aug 11:21:07] [EMAIL_MTA (NOTICE)] pre() - :recipient='recipient@dom2.tld'
[2 Aug 11:21:07] [EMAIL_MTA (NOTICE)] pre(): Message-ID=' <20230802112106.035442@host.dom1.tld>'
[2 Aug 11:21:07] [EMAIL_MTA (NOTICE)] parseEmlFile() - 4RG4gR0MTHz57qTX :[emailContextId=1288246662] MIME Parsing result: 0(Success)
[2 Aug 11:21:07] [EMAIL_AP (NOTICE)] handle() - 4RG4gR0MTHz57qTX :AP policy off
[2 Aug 11:21:07] [EMAIL_AV (NOTICE)] handle() - 4RG4gR0MTHz57qTX :AV policy off
[2 Aug 11:21:07] [EMAIL_TE (NOTICE)] handle() - 4RG4gR0MTHz57qTX :TE policy off
[2 Aug 11:21:07] [EMAIL_MTA (NOTICE)] editContent() - 4RG4gR0MTHz57qTX :[mta_policy_context_id=1288246662] End connection.
0 Kudos
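As an added example (not from this thread and not Check Point code), a small Python script that reads the two log formats posted above and flags messages for which every MTA content engine logged "policy off" but Postfix still relayed onward, i.e. mail delivered without inspection. The sample lines are constructed after the excerpts above; treating a relay to a loopback address as the internal re-injection hop, and "policy off" as the only marker of a skipped engine, are assumptions.

```python
import re

# Constructed sample lines, modelled on the mtad.elg and maillog excerpts posted above (not real traffic).
MTAD = """\
[2 Aug 11:21:07]  [EMAIL_AP (NOTICE)] handle() - 4RG4gR0MTHz57qTX :AP policy off
[2 Aug 11:21:07]  [EMAIL_AV (NOTICE)] handle() - 4RG4gR0MTHz57qTX :AV policy off
[2 Aug 11:21:07]  [EMAIL_TE (NOTICE)] handle() - 4RG4gR0MTHz57qTX :TE policy off
"""
MAILLOG = """\
Aug  2 11:21:07 2023 FW-CP-N2 postfix/smtpd[32004]: 4RG4gR1hPwz4x5Tm: client=localhost[127.0.0.1], orig_queue_id=4RG4gR0MTHz57qTX, orig_client=localhost[127.0.0.1]
Aug  2 11:21:07 2023 FW-CP-N2 postfix/smtp[32003]: 4RG4gR0MTHz57qTX: to=<recipient@dom2.tld>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.22, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4RG4gR1hPwz4x5Tm)
Aug  2 11:21:07 2023 FW-CP-N2 postfix/smtp[32006]: 4RG4gR1hPwz4x5Tm: to=<recipient@dom2.tld>, relay=10.168.0.16[10.168.0.16]:2527, delay=0.19, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
"""

# One handle() line per engine (the log names them AP, AV and TE) per queue id, ending in "policy on|off".
ENGINE_RE = re.compile(r"\[EMAIL_(AP|AV|TE) \(\w+\)\] handle\(\) - (\S+) :\1 policy (\w+)")
# Postfix logs the re-injected copy with orig_queue_id pointing at the queue id the MTA engines saw.
REQUEUE_RE = re.compile(r"\]: (\S+): client=.*orig_queue_id=(\S+),")
SENT_RE = re.compile(r"\]: (\S+): to=<([^>]+)>, relay=\S+\[([\d.]+)\]:(\d+),.*status=sent")


def engines_off(mtad_text):
    """Map each MTA queue id to the set of content engines that logged 'policy off' for it."""
    off = {}
    for engine, qid, state in ENGINE_RE.findall(mtad_text):
        if state == "off":
            off.setdefault(qid, set()).add(engine)
    return off


def final_hops(maillog_text):
    """Return {original queue id: (recipient, relay ip, relay port)} for the last non-loopback relay."""
    parent = {child: orig for child, orig in REQUEUE_RE.findall(maillog_text)}
    hops = {}
    for qid, rcpt, ip, port in SENT_RE.findall(maillog_text):
        if ip.startswith("127."):  # assumption: loopback relay is the re-injection into the content filter
            continue
        root = qid
        while root in parent:  # walk back to the queue id the MTA engines logged against
            root = parent[root]
        hops[root] = (rcpt, ip, port)
    return hops


def unscanned_deliveries(mtad_text, maillog_text):
    """Messages whose AP, AV and TE engines were all off yet were relayed onward: delivered uninspected."""
    off, hops = engines_off(mtad_text), final_hops(maillog_text)
    return sorted((qid, sorted(engines), hops[qid])
                  for qid, engines in off.items() if engines >= {"AP", "AV", "TE"} and qid in hops)


if __name__ == "__main__":
    for qid, engines, (rcpt, ip, port) in unscanned_deliveries(MTAD, MAILLOG):
        print(f"{qid}: engines off {engines}; relayed unscanned to {rcpt} via {ip}:{port}")
```

Run it against the real files (`$FWDIR/log/mtad.elg` and `/var/log/maillog`) to get a per-message list of mail that left the gateway with no engine engaged, which is the condition the thread is chasing.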
Amodi
Participant

I do not understand what is going on.

My replies are disappearing after I post them (this is the 4th time).

Basically the IPS, Anti-bot and Anti-virus blades are active, and the Threat Emulation and Threat Extraction are inactive.

Yes the subscription is active.

I will try to post the logs in a new reply.

0 Kudos
Amodi
Participant

mtad.elg

[2 Aug 11:21:07]  [EMAIL_MTA (NOTICE)] emaild_new_connection(): [fw_conn_id=58, emaild_context_id=548366279] New connection.
[2 Aug 11:21:07]  [EMAIL_MTA (NOTICE)] pre(): sender='sender@dom1.tld'
[2 Aug 11:21:07]  [EMAIL_MTA (NOTICE)] pre() -  :recipient='recipient@dom2.tld'
[2 Aug 11:21:07]  [EMAIL_MTA (NOTICE)] pre(): Message-ID=' <20230802112106.035442@host.dom1.tld>'
[2 Aug 11:21:07]  [EMAIL_MTA (NOTICE)] parseEmlFile() - 4RG4gR0MTHz57qTX :[emailContextId=1288246662] MIME Parsing result: 0(Success)
[2 Aug 11:21:07]  [EMAIL_AP (NOTICE)] handle() - 4RG4gR0MTHz57qTX :AP policy off
[2 Aug 11:21:07]  [EMAIL_AV (NOTICE)] handle() - 4RG4gR0MTHz57qTX :AV policy off
[2 Aug 11:21:07]  [EMAIL_TE (NOTICE)] handle() - 4RG4gR0MTHz57qTX :TE policy off
[2 Aug 11:21:07]  [EMAIL_MTA (NOTICE)] editContent() - 4RG4gR0MTHz57qTX :[mta_policy_context_id=1288246662] End connection.

maillog

Aug  2 11:21:07 2023 FW-CP-N2 postfix/smtpd[31843]: 4RG4gR0MTHz57qTX: client=localhost[127.0.0.1]
Aug  2 11:21:07 2023 FW-CP-N2 postfix/cleanup[29796]: 4RG4gR0MTHz57qTX: message-id=<20230802112106.035442@host.dom1.tld>
Aug  2 11:21:07 2023 FW-CP-N2 postfix/qmgr[5580]: 4RG4gR0MTHz57qTX: from=<sender@dom1.tld>, size=1165, nrcpt=1 (queue active)
Aug  2 11:21:07 2023 FW-CP-N2 postfix/smtpd[31843]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Aug  2 11:21:07 2023 FW-CP-N2 postfix/smtpd[32004]: connect from localhost[127.0.0.1]
Aug  2 11:21:07 2023 FW-CP-N2 postfix/smtp[32003]: Host offered STARTTLS: [127.0.0.1]
Aug  2 11:21:07 2023 FW-CP-N2 postfix/smtpd[32004]: 4RG4gR1hPwz4x5Tm: client=localhost[127.0.0.1], orig_queue_id=4RG4gR0MTHz57qTX, orig_client=localhost[127.0.0.1]
Aug  2 11:21:07 2023 FW-CP-N2 postfix/cleanup[29796]: 4RG4gR1hPwz4x5Tm: message-id=<20230802112106.035442@host.dom1.tld>
Aug  2 11:21:07 2023 FW-CP-N2 postfix/qmgr[5580]: 4RG4gR1hPwz4x5Tm: from=<sender@dom1.tld>, size=1386, nrcpt=1 (queue active)
Aug  2 11:21:07 2023 FW-CP-N2 postfix/smtp[32003]: 4RG4gR0MTHz57qTX: to=<recipient@dom2.tld>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.22, delays=0.17/0.01/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4RG4gR1hPwz4x5Tm)
Aug  2 11:21:07 2023 FW-CP-N2 postfix/smtpd[32004]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=2 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug  2 11:21:07 2023 FW-CP-N2 postfix/qmgr[5580]: 4RG4gR0MTHz57qTX: removed
Aug  2 11:21:07 2023 FW-CP-N2 postfix/smtp[32006]: 4RG4gR1hPwz4x5Tm: to=<recipient@dom2.tld>, relay=10.168.0.16[10.168.0.16]:2527, delay=0.19, delays=0.03/0.02/0.03/0.11, dsn=2.6.0, status=sent (250 2.6.0 <20230802112106.035442@host.dom1.tld> [InternalId=19554986098820, Hostname=internalMTA] 2231 bytes in 0.105, 20.575 KB/sec Queued mail for delivery)
Aug  2 11:21:07 2023 FW-CP-N2 postfix/qmgr[5580]: 4RG4gR1hPwz4x5Tm: removed
0 Kudos
Chris_Atkinson
Employee

Are other blades such as Threat Emulation active here?

Is the mail communication TLS encrypted and MTA configured with this in mind?

CCSM R77/R80/ELITE
0 Kudos
Amodi
Participant

Threat Emulation and Threat extraction blades are inactive.

Also the communication is TLS encrypted, and the MTA has the certificate and private key installed.

Chris_Atkinson
Employee

So you don't see any Prevent/Detect logs for mail passing the MTA, only Accept entries?

CCSM R77/R80/ELITE
0 Kudos
Amodi
Participant

No, just normal Delivered entries.

Also please see my settings and logs in the previous posts.

0 Kudos
Chris_Atkinson
Employee

Sorry in case I was unclear; I was referring to the logs as seen in the SmartConsole log view.

CCSM R77/R80/ELITE
0 Kudos
Amodi
Participant

No there are no Detect or Prevent logs in SmartDashboard.

But as I mentioned, I do not have Threat Extraction or Threat Prevention blades activated (nor licensed).

0 Kudos
Chris_Atkinson
Employee

Anti-virus should generate similar detect/prevent logs, not just the other blades.

In your anti-virus blade configuration, have you reviewed the "file types" configuration? How is it currently set, anything specific for txt files?

CCSM R77/R80/ELITE
0 Kudos
Amodi
Participant

I checked the Threat Prevention rule generated when I enabled the MTA, and the AV was set to Process file types known to contain malware.

Now I changed it to Process specific file type families, where the txt file is set to Inspect. But I do not see any detection logs from the AV.

0 Kudos
Chris_Atkinson
Employee

For your information: sk142552: How to get a list of file types analysed by Anti-Virus when selecting "Process file types ...

Suggest contacting TAC to continue reviewing your scenario at this point.

CCSM R77/R80/ELITE
0 Kudos
Amodi
Participant

Many thanks, I will contact TAC.

0 Kudos
RS_Daniel
Advisor

Hi,

Once a TAC engineer told me that we need TE, TX or Anti-Spam enabled to work with MTA. I am not sure about it, but you can try to enable one of those blades and check. The reason TAC gave me is that the admin guide says "The MTA works with these blades: Threat Emulation, Threat Extraction, and Anti-Spam and Mail Security."

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ThreatPrevention_AdminGuide/...

Regards

0 Kudos
Amodi
Participant

Anti-Spam and Mail Security is enabled, the TE and TX are not, as I do not have license for those.

Will try to contact TAC and see what they suggest.

Thank you!

0 Kudos