This is just too easy to bypass Threat Emulation



varera
2015-03-28, 04:27
Plain JavaScript masking as a doc file easily passes TE tests with Check Point if zipped.

***There was a link to the blog. I have removed the blog post till Check Point's official response is ready. Sorry for the inconvenience***

aweldon
2015-03-28, 08:34
Well that is pretty ridiculous. Of all file types to ignore, why would one of them be JavaScript?! It is one of the most prevalent vectors of infection.

RayPesek
2015-03-28, 10:38
Sadly this is what happens when people become too tool-dependent and don't think about the risks versus business needs. Or when "security is everyone's job" which means it's no one's job.

I belong to one of the more prominent ISACs and it still stuns me how many companies still do not have systems that will unzip archives and take a look inside. Or who do not proactively block all executable and script files by email. Or they have the ability but turn it off or put it in "monitor" mode because they're so afraid some legitimate email might get slowed down. Or turn off UAC for everyone and give everyone local admin rights.

And then they ask for advice on how to clean up infected PCs because they don't want to re-image them.

Every week someone whines because a .scr file got executed. When was the last time ever that someone legitimately sent a screensaver file by email into a company? I don't even think a few more Sony Pictures or Sands Casino incidents will make a difference because everyone thinks it can't happen to them.

jflemingeds
2015-03-28, 10:40
I thought the bottom line is TE ignores .js files completely? From the sounds of your post it doesn't matter if the file is inside a zip file or not.

varera
2015-03-28, 15:46
Not really. JavaScript files are not in the list of supported files. So TE will ignore them if sent cleartext.

RayPesek
2015-03-29, 08:37
There was a spate of malicious emails sent to us recently that had names like "John Smith resume.doc.js" that we stopped because we explicitly block scripting type files. Other companies had people open them and attempts were made to download files.

Does Threat Emulation also ignore .ps1 files, PowerShell scripts? That would be really bad if it does.

Does Threat Emulation have different settings per protocol, so maybe it only analyzes them in web traffic but not email traffic? I cannot believe it would ignore malicious .js files in web traffic. That would be as stupid as ignoring Flash and image file analysis. (Another recent one is the downloading of a file with a .png extension that gets renamed to a .exe when it hits your hard drive.)

I know I'm old-school and that is why I prefer dedicated products for different functions. Let a firewall do firewalling, let malicious code checkers for email do emails, let web traffic code checkers check web traffic and use the best of the breed products. There are always compromises when something tries to do it all (no pun intended).

varera
2015-03-29, 09:56
Ray, you can check the list of supported files and protocols in the TE docs. In brief, most executables and scripts are ignored if sent plain. I was still expecting to get a positive for zipped ones.

varera
2015-04-14, 08:07
Guys, sorry for removing the actual post. Now it is available again, with Check Point official response and some additional info:

http://checkpoint-master-architect.blogspot.ch/2015/04/my-story-around-threat-emulation-issue.html

jflemingeds
2015-04-14, 09:57
I still don't understand why this is news or why checkpoint changed things. The understanding is .js files are ignored (as someone else said, ignoring files based on extension is so 1990s). If they are ignored, why would they not be ignored in an archive?

I guess the case could be made that TE has to read through all the files in an archive, so it might as well signature-scan them as you're reading the files in the archive, but then why wouldn't the same be true once the raw .js file is uploaded? I mean you have to read the contents of the file in order to write it to storage, so scan it as it's coming in, which seems to be the same case for why now .zip files.

/shrug

varera
2015-04-14, 11:00
There was some unofficial chatter behind the scenes. If I have understood the reason, JS and PS1 are ignored just because nobody else is doing them.

One more thing. If TE and AVI are both enabled, ALL files would be scanned. It is only TE which takes care of just a limited number of files. Nevertheless, scanning is not the issue. Detonation/emulation is. Scanning only gives you known bad. With enough effort one can still squeeze new malware into a JS file. As for emulation, the obvious trade-off is about the scope. Emulating too much causes a performance issue.

blason
2017-06-07, 00:06
hmmm ..I decided to give it a try and yep, it seems CP Cloud still bypasses .js scripts!

I took a Shade ransomware script and zipped it, then uploaded it to Check Point TE; I guess it was caught by static filters and it was not emulated, hence I feel it was detected as malicious by the CP AV engine.

Later I tried uploading the .doc.js directly and the CP Threat Cloud engine was not accepting that as a file type. Let me run it from the tecli command and see the behaviour.

BTW, just wondering, is it not possible to virtualize the TE Appliance? I mean I know I would probably compromise CPU-level scanning since I might not have Haswell CPUs, but wondering, since it uses qemu, has anyone tried virtualising the appliance?

varera
2017-06-07, 04:32
Correct, Check Point does not consider .js supported files. I could not guess why.

PhoneBoy
2017-06-09, 17:14
BTW, just wondering, is it not possible to virtualize the TE Appliance? I mean I know I would probably compromise CPU-level scanning since I might not have Haswell CPUs, but wondering, since it uses qemu, has anyone tried virtualising the appliance?

Maybe it works, but it's definitely unsupported.

varera
2017-06-22, 03:27
Maybe it works, but it's definitely unsupported.

I am still trying to figure out why. What makes the CP guys think .js is not important? I have seen quite a large amount of phishing emails with these files.

PhoneBoy
2017-06-23, 07:45
I was under the impression .js files were supported in .zip archives for almost a year now.
It's mentioned here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk95235

Is the issue that it's still not supported outside of a ZIP file?

varera
2017-06-23, 09:15
I was under the impression .js files were supported in .zip archives for almost a year now.
It's mentioned here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk95235

Is the issue that it's still not supported outside of a ZIP file?

Correct

wyndfx
2017-06-23, 12:07
as someone else said ignoring files based on extension is so 1990s


TE does look at the extension, however it also verifies the filetype based on the magic number. If you rename virus.exe to virus.txt, this will not bypass TE as the magic number will still show as an executable.

varera
2017-06-23, 13:10
TE does look at the extension, however it also verifies the filetype based on the magic number. If you rename virus.exe to virus.txt, this will not bypass TE as the magic number will still show as an executable.

Any material proof of that statement? Because in my case TE was ignoring malicious js, but was detecting a signature after that file was renamed to doc.


wyndfx
2017-06-23, 13:52
Doesn't look like there's any documentation, but you know how that is.

I think in your case it was because .js is not a supported filetype.

We can see the behavior in ted.elg when I emulate a file that I renamed from muhAgent.exe to muhAgent.txt:

TED.elg:
[ 8360 1939077824][23 Jun 12:50:54] [TE_TRACE]: {76F6DAA1-DDCC-C747-9417-EEE26F0A69A4} Handling new file "muhAgent.txt", Path: /home/muhAgent.txt, rule_number = 1, rule name = , investigation_path = PATH_TE
...
[ 8360 1939077824][23 Jun 12:50:54] [TE (TD::All)] te::ClassifierInvestigator::Classify: file original name: txt
[ 8360 1939077824][23 Jun 12:50:54] [TE_IS (TD::All)] te_is::FileTools::GetMagicFile: load magic_cookie: /opt/CPsuite-R77/fw1/teCurrentPack/file_dir/magic.mgc
[ 8360 1939077824][23 Jun 12:50:54] [TE_IS (TD::Important)] te_is::FileTools::GetMimeType: Mime Type: application/x-dosexec
[ 8360 1939077824][23 Jun 12:50:54] [TE (TD::All)] te::SupportedFileTypes::Classify: file=/home/muhAgent.txt mime is: application/x-dosexec
[ 8360 1939077824][23 Jun 12:50:54] [TE (TD::All)] te::SupportedFileTypes::Classify: file original name: txt
[ 8360 1939077824][23 Jun 12:50:54] [TE_IS (TD::All)] te_is::FileTools::GetMagicFile: load magic_cookie: /opt/CPsuite-R77/fw1/teCurrentPack/file_dir/magic.mgc
[ 8360 1939077824][23 Jun 12:50:54] [TE_IS (TD::Important)] te_is::FileTools::GetFileDescription: File description: PE32 executable (GUI) Intel 80386, for MS Windows
[ 8360 1939077824][23 Jun 12:50:54] [TE (TD::All)] te::SupportedFileTypes::Classify: mime desc is: PE32 executable (GUI) Intel 80386, for MS Windows
[ 8360 1939077824][23 Jun 12:50:54] [TE (TD::All)] te::SupportedFileTypes::Classify: file original name: txt
[ 8360 1939077824][23 Jun 12:50:54] [TE (TD::All)] te::SupportedFileTypes::ExceptionsFileTypes: ExceptionsFileTypes ==>
[ 8360 1939077824][23 Jun 12:50:54] [TE (TD::All)] te::SupportedFileTypes::ExceptionsFileTypes: in exe ==>
[ 8360 1939077824][23 Jun 12:50:54] [TE (TD::All)] te::SupportedFileTypes::Classify: mime type is: exe
[ 8360 1939077824][23 Jun 12:50:54] [TE (TD::All)] te::SupportedFileTypes::DowngradeOfficeGroup: File type exe was not changed.
[ 8360 1939077824][23 Jun 12:50:54] [TE_TRACE]: {76F6DAA1-DDCC-C747-9417-EEE26F0A69A4} File is executable - type is: exe
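Added example, not code from any poster in this thread and not Check Point's: a small gateway-style pre-filter that classifies attachments the way the ted.elg excerpt shows TE doing it (magic bytes first, extension only as fallback), recurses into ZIP archives, and flags the two cases the thread discusses: a script such as "resume.doc.js" that an emulator ignores, and an executable renamed to a harmless extension. The magic table, the extension set and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Constructed subset of a magic-number table (libmagic has thousands of entries).
MAGIC = [
    (b"MZ", "exe"),            # PE/DOS executable, application/x-dosexec
    (b"PK\x03\x04", "zip"),    # ZIP archive (also docx/xlsx containers)
    (b"%PDF", "pdf"),
]
# Script extensions the thread says TE does not emulate; all run on a double-click.
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "ps1", "hta"}

def stem_ext(name):
    # Split the basename into (stem, lowercase extension); "a/b.doc.js" -> ("b.doc", "js")
    base = name.rsplit("/", 1)[-1]
    if "." not in base:
        return base, ""
    stem, _, ext = base.rpartition(".")
    return stem, ext.lower()

def classify(name, data):
    """Type label: magic bytes win, the extension is only a fallback."""
    for sig, label in MAGIC:
        if data.startswith(sig):
            return label
    return stem_ext(name)[1] or "unknown"

def inspect(name, data, depth=0):
    """Yield (path, type, finding) for a file and, recursively, its ZIP members."""
    kind = classify(name, data)
    stem, ext = stem_ext(name)
    finding = ""
    if kind == "exe" and ext not in ("exe", "dll", "scr"):
        finding = "executable with misleading extension"
    elif ext in SCRIPT_EXTS:
        finding = "script with double extension" if "." in stem else "script file"
    yield name, kind, finding
    if kind == "zip" and depth < 3:  # bounded recursion: nested archives stop at depth 3
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                yield from inspect(f"{name}/{member.filename}", zf.read(member), depth + 1)

def build_sample_zip():
    """Constructed sample: a .doc.js and a PE header stub renamed to .txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("John Smith resume.doc.js", "WScript.Echo('sample');")
        zf.writestr("notes.txt", b"MZ" + b"\x00" * 62)  # header bytes only, not a program
    return buf.getvalue()

def findings(name, data):
    return [(p, k, f) for p, k, f in inspect(name, data) if f]
```

Run `findings("attachment.zip", build_sample_zip())` to see both members flagged while the archive itself passes; the point is that a filter which stops at the outer container's type never sees either.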

varera
2017-06-23, 13:57
Oh boy...

That is exactly the problem in discussion here, js not being supported. You say, magic number, whatever it is, is checked before file extension. How does it help, exactly?