Threat Emulation Hold Scanning



robs609
2016-03-16, 10:15
I have recently noticed that TE is only detecting threats and not stopping them. My reaction was to turn on hold scanning so if the file was malicious the gateway would have a chance to block it.
I found a big drawback with this. If some files (docx in my case) are scanned, the download just hangs. Once I see it was scanned and shown clean in tracker I can refresh the link and the download goes through.

When we had Blue Coat proxy AV it queued the download and showed the user a wait screen in the browser. Is there a way to accomplish this with Check Point?

Thanks

abusharif
2016-03-16, 11:11
Didn't test it personally, but have you tested the SandBlast web browser extension?

sk108695

robs609
2016-03-17, 10:11
I have not, but it seems only Chrome is supported and I would rather not have to install a browser extension for this to work correctly. Hopefully CP will change this.

jflemingeds
2016-03-17, 10:49
I have not, but it seems only Chrome is supported and I would rather not have to install a browser extension for this to work correctly. Hopefully CP will change this.

sk110479 maybe?

robs609
2016-03-17, 18:27
Great! Thanks for pointing me there. I will contact support tomorrow and I will let you know what happens.

robs609
2016-04-06, 08:08
Well I contacted support and they told me the fix was rolled into the latest jumbo take. I installed the newest take and the problem remains. I called support back and they escalated the case. According to the Engineer FIVE MINUTES is the usual emulation time.

There is a major problem with this and hold scanning. If you try to download a 63k docx file in your browser, the download reaches 62k out of 63k, then sits there until it times out. You have to manually refresh the browser after emulation has completed for the download to succeed. The user has no idea what is going on in the background because no UserCheck shows up. The other option is to use background scanning, which is only a late warning system. If the user is allowed to download an infected file and there is no hash for the file in ThreatCloud, the damage is already done before emulation completes, so I am not sure why this broken product was pushed to us. I am very frustrated about this.

Here is the email I received back from the support engineer.

Greetings Robert,

I wanted to update you and let you know my findings. There is not a UserCheck-type feature to alert users that emulation is occurring. Based on what we saw in our remote session, TE is working and emulating as expected within the expected time duration. Please let me know if you have any other questions or concerns. I will leave the case open until close of business tomorrow.

Regards,

Alkax
2016-04-27, 15:17
(quoting robs609's post of 2016-04-06 above)

We're having the same issue: users are complaining their downloads are not finishing and there is no warning or anything. We enabled TE about 3-4 weeks ago. Did the tech mention what Take version this hotfix was included in?

Thanks in advance.

jdmoore0883
2016-04-27, 15:25
Did the tech mention what Take version this hotfix was included in?

A - Assuming sk110479 is the issue at hand and R77.30 is in use, it is included as of Take 117.

sebastan_bach
2016-05-09, 17:14
Hi,

The solution to this is probably using the Threat Extraction feature. With this, while the threat emulation for the actual file is done, Threat Extraction can create a clean version of the document by disabling all macros or scripts embedded in the document, and have the user download the clean and safe file. This way the user does not have to wait for the threat emulation to complete. Once the emulation is done, and if it says the file is clean, the user can download the file as it is.

Hope this works out as it's mentioned in their documentation.

Regards

Sebastan

Christoph
2016-05-12, 17:09
Imho there are three options available.

1. As Sebastan mentioned, TX (Threat Extraction). This is almost instant: the user gets a link to download his file, and if scanning hasn't finished the file is not available. Con: works only on a small subset of files.
2. Browser extension. Chrome iirc still preview, IE still in beta afaik.
3. SandBlast Endpoint Agent. Probably the most comprehensive and best solution, offering the best user experience. (https://www.checkpoint.com/downloads/product-related/datasheets/ds-sandblast-agent.pdf)

The default emulation time for an unknown file is at least 60 sec (unless you alter it) and will rise according to the number of emulation environments and the initial emulation results of the file.

Personally I would stop bothering with the native trickling. It's doubtful there will ever be users accepting that.

sebastan_bach
2016-05-20, 03:45
Hi Christoph,

I am not sure how the SandBlast Agent can solve the problem of threat extraction while emulation is still happening. Does the agent also support creating a local copy of the file while emulation is still happening for the original file verdict? With the agent, can we do away with the browser extension for SandBlast?

I couldn't find any documentation around the agent yet. Not sure if it's up for GA.

Regards

Sebastan

metalhead
2016-06-24, 12:11
Hi,

The "stalling" download is expected behavior. You cannot redirect an existing download session to a "progress" page, at least if you are not a proxy.

There are customers using this in production. If the emulation environment is sized correctly the delay to expect is around 60-100 sec.

The browser plugin displays more info on download but you need to deploy it to every client.

It is also part of the SandBlast Agent.

Regards Tom