CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Threat Emulation Hold Scanning

  1. #1

    Threat Emulation Hold Scanning

    I have recently noticed that TE is only detecting threats and not stopping them. My reaction was to turn on hold scanning so that if the file was malicious the gateway would have a chance to block it.
    I found a big drawback with this. If some files (docx in my case) are scanned, the download just hangs. Once I see it was scanned and shown clean in Tracker, I can refresh the link and the download goes through.

    When we had Bluecoat proxy AV it queued the download and showed the user a wait screen in the browser. Is there a way to accomplish this with Check Point?

    Thanks

  2. #2

    Re: Threat Emulation Hold Scanning

    Didn't test it personally, but have you tested the SandBlast web browser extension?

    sk108695

  3. #3

    Re: Threat Emulation Hold Scanning

    I have not, but it seems only Chrome is supported and I would rather not have to install a browser extension for this to work correctly. Hopefully CP will change this.

  4. #4

    Re: Threat Emulation Hold Scanning

    Quote Originally Posted by robs609 View Post
    I have not, but it seems only Chrome is supported and I would rather not have to install a browser extension for this to work correctly. Hopefully CP will change this.
    sk110479 maybe?

  5. #5

    Re: Threat Emulation Hold Scanning

    Great! Thanks for pointing me there. I will contact support tomorrow and I will let you know what happens.

  6. #6

    Re: Threat Emulation Hold Scanning

    Well, I contacted support and they told me the fix was rolled into the latest Jumbo take. I installed the newest take and the problem remains. I called support back and they escalated the case. According to the engineer, FIVE MINUTES is the usual emulation time.

    There is a major problem with this and hold scanning. If you try to download a 63k docx file in your browser, the download reaches 62k out of 63k and then sits there until it times out. You have to manually refresh the browser after emulation has completed for the download to succeed. The user has no idea what is going on in the background because no UserCheck shows up. The other option is to use background scanning, which is only a late warning system. If the user is allowed to download an infected file and there is no hash for the file in ThreatCloud, the damage is already done before emulation completes, so I am not sure why this broken product was pushed to us. I am very frustrated about this.

    Here is the email I received back from the support engineer.

    Greetings Robert,

    I wanted to update you and let you know my findings. There is not a UserCheck-type feature to alert users that emulation is occurring. Based on what we saw in our remote session, TE is working and emulating as expected within the expected time duration. Please let me know if you have any other questions or concerns. I will leave the case open until close of business tomorrow.

    Regards,

  7. #7

    Re: Threat Emulation Hold Scanning

    Quote Originally Posted by robs609 View Post
    [post #6 above quoted in full]

    We're having the same issue: users are complaining their downloads are not finishing and there is no warning or anything. We enabled TE about 3-4 weeks ago. Did the tech mention what Take version this hotfix was included in?

    Thanks in advance.

  8. #8

    Re: Threat Emulation Hold Scanning

    Quote Originally Posted by Alkax View Post
    Did the tech mention what Take version this hotfix was included in?
    A - Assuming sk110479 is the issue at hand and R77.30 is in use, it is included as of Take 117.

  9. #9

    Re: Threat Emulation Hold Scanning

    Hi,

    The solution to this is probably using the Threat Extraction feature. With this, while the Threat Emulation of the actual file is being done, Threat Extraction can create a clean version of the document by disabling all macros or scripts embedded in the document and have the user download the clean and safe file. This way the user does not have to wait for the Threat Emulation to complete. Once the emulation is done, and if it says the file is clean, the user can download the file as it is.

    Hope this works out, as it's mentioned in their documentation.

    Regards

    Sebastan

  10. #10

    Re: Threat Emulation Hold Scanning

    Imho there are three options available.

    1. As Sebastan mentioned, TX. This is almost instant: the user gets a link to download his file, and if scanning hasn't finished the file is not available. Cons: works only on a small subset of files.
    2. Browser extension. Chrome iirc still preview, IE still in beta afaik.
    3. SandBlast Endpoint Agent. Probably the most comprehensive and best solution, offering the best user experience. (https://www.checkpoint.com/downloads...last-agent.pdf)

    The default emulation time for an unknown file is at least 60 sec (unless you alter it) and will rise according to the number of emulation environments and the initial emulation results of the file.

    Personally I would stop bothering with the native trickling. It's doubtful there will ever be users accepting that.

  11. #11

    Re: Threat Emulation Hold Scanning

    Hi Christoph,

    I am not sure how the SandBlast Agent can solve the problem of threat extraction while emulation is still happening. Does the agent also support creating a local copy of the file while emulation is still happening for the original file's verdict? With the agent, can we do away with the browser extension for SandBlast?

    I couldn't find any documentation around the agent yet. Not sure if it's up for GA.

    Regards

    Sebastan

  12. #12

    Re: Threat Emulation Hold Scanning

    Hi,

    The "stalling" download is expected behavior. You cannot redirect an existing download session to a "progress" page, at least if you are not a proxy.

    There are customers using this in production. If the emulation environment is sized correctly, the delay to expect is around 60-100 sec.

    The browser plugin displays more info on download but you need to deploy it to every client.

    It is also part of the SandBlast Agent.

    Regards, Tom


    Sent from my XT1562 using Tapatalk
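The mechanics argued over in this thread (hold mode withholding the tail of the file until the verdict, which is why a 63k docx sits at 62k; background mode letting the whole file through and only logging afterwards; a gateway that is not a proxy can only truncate or reset the session, not redirect it) can be modelled in a few lines. The Python below is an added illustration written for this page, not Check Point code. The withheld tail size, the 90 s emulation latency, the browser idle timeout, the marker-string "sandbox" and the sample files are all constructed assumptions, chosen so the numbers line up with the symptom the original poster reports.

```python
"""
Model of the two Threat Emulation delivery modes discussed in this thread.

Hold mode: the gateway forwards the file but withholds its last bytes until
the sandbox verdict arrives, so the browser sees "62k of 63k" and stalls.
Background mode: the whole file is forwarded at once and the verdict only
produces a log entry afterwards.

Added illustration, not Check Point code. TAIL, EMULATION_SECONDS,
BROWSER_IDLE_TIMEOUT, the marker-string "sandbox" and the sample files
are constructed assumptions.
"""
import hashlib
from dataclasses import dataclass

TAIL = 1024                 # bytes withheld until the verdict (assumption)
EMULATION_SECONDS = 90.0    # verdict latency for an unknown file (assumption, within the 60-100 s quoted in the thread)


@dataclass
class Result:
    mode: str
    delivered: int   # bytes the browser holds when the outcome is decided
    verdict: str
    outcome: str     # completed | blocked | client_timeout | delivered_then_detected


def verdict_for(data: bytes, threatcloud: dict) -> tuple:
    """Cached hash verdict (instant) or full emulation (EMULATION_SECONDS)."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in threatcloud:
        return threatcloud[digest], 0.0
    # Constructed stand-in for the sandbox: a marker string decides the verdict.
    verdict = "malicious" if b"AUTOOPEN_MACRO" in data else "clean"
    return verdict, EMULATION_SECONDS


def hold_mode(data: bytes, threatcloud: dict, client_idle_timeout: float) -> Result:
    """Forward everything except the last TAIL bytes, then act on the verdict."""
    verdict, wait = verdict_for(data, threatcloud)
    body, tail = data[:-TAIL], data[-TAIL:]
    if wait > client_idle_timeout:
        # Browser gives up before the tail is released: the "stalled download".
        return Result("hold", len(body), verdict, "client_timeout")
    if verdict == "malicious":
        # Tail is never sent; an inline gateway can truncate/reset but not redirect.
        return Result("hold", len(body), verdict, "blocked")
    return Result("hold", len(body) + len(tail), verdict, "completed")


def background_mode(data: bytes, threatcloud: dict, client_idle_timeout: float) -> Result:
    """Forward the whole file immediately; the verdict arrives after delivery."""
    verdict, _wait = verdict_for(data, threatcloud)
    outcome = "completed" if verdict == "clean" else "delivered_then_detected"
    return Result("background", len(data), verdict, outcome)


# Constructed sample inputs (not real documents).
DOCX_SIZE = 63 * 1024
CLEAN_DOCX = b"PK\x03\x04" + b"\x00" * (DOCX_SIZE - 4)
MALICIOUS_DOCX = b"PK\x03\x04AUTOOPEN_MACRO" + b"\x00" * (DOCX_SIZE - 18)
KNOWN_BAD = b"%PDF-1.7 constructed known-bad sample"
THREATCLOUD = {hashlib.sha256(KNOWN_BAD).hexdigest(): "malicious"}  # cached verdict
BROWSER_IDLE_TIMEOUT = 60.0  # seconds a browser waits on a stalled body (assumption)


def compare() -> list:
    """Run both modes over the samples with the default browser timeout."""
    results = []
    for name, sample in (("clean", CLEAN_DOCX), ("malicious", MALICIOUS_DOCX), ("known_bad", KNOWN_BAD)):
        for mode in (hold_mode, background_mode):
            results.append((name, mode(sample, THREATCLOUD, BROWSER_IDLE_TIMEOUT)))
    return results


if __name__ == "__main__":
    for name, r in compare():
        print(f"{name:10} {r.mode:10} delivered={r.delivered:6d} verdict={r.verdict:9} -> {r.outcome}")
```

Two things fall out of running it. With a 60 s browser timeout and a 90 s verdict, hold mode times out on clean and malicious unknown files alike, each stuck at 62 KB of 63 KB, which is the symptom reported above; raise the client timeout past the emulation time and hold mode completes the clean file and truncates the malicious one. Background mode delivers all 63 KB of the malicious file before any verdict exists, so only the cached ThreatCloud hash hit ever stops a file without a wait, which is the point made about "late warning" earlier in the thread.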
