Checkmates Post Link:https://community.checkpoint.com/t5/SandBlast-Network/Block-Malicious-Unknown-File-type-attachment-MTA-TE-R80-20/m-p/33817#M534
|TE Appliance MTA
Requirement: Our requirement is that Threat Emulation or Antivirus should drop the mail if any other or unknown extension is attached in the mail. (Currently, Checkpoint TE and AV blade support more than 90 file type [AV] and 65 file type by [TE] )
Seanario1: Our case we change the extension of the malicious file to any known extension as listed on above and send a mail and here AV is able to block the mail.
Seanario2: Suppose I change the extension to any other or unknown extension of that malicious file then here AV is not able to block that mail.
Example: File Name : samples.tar (malicious file)
INTERNET —-> MAIL (samples.tar mail attatchment ) —–> BLOCK by TE
INTERNET —-> MAIL (samples.tar.pdf mail attatchment ) —–> BLOCK by TE (just changing the extension)
INTERNET —-> MAIL (samples.tar.mht mail attatchment ) —–> Allow and not able to find any log (just changing the extension)
INTERNET —-> MAIL (samples.tar.der mail attatchment ) —–> Allow and not able to find any log
NOTE : We update the TE engine to version
Installed latest jumbo Take_33 with MTA take_24.
As per the sk121097 (Last update on 25-Oct-2017):- Threat Emulation is not scanning files if their extension was changed to unsupported file type is expected behavior.
Answer By PhoneBoy (Admin, community.Checkmates.com) :-
Threat Prevention profile to deal with unknown extensions:
My Response :–
As I can see .iso file type is not supported on AV but TE is supported so that file type (.iso) block by TE but when I change the extension to .der or .mht then its allow the file to download because that two file type is not supported by TE and AV.
As per the sk123140 (How to configure Threat Emulation blade to block files according to file types) but as per our requirement is to block unknown file-type that not listed on AV and TE.
Answer by PhoneBoy (Admin,community.checkmates.com) :-
The sandbox cannot emulate “unknown” file types but AV should block them if so configured.
If you’ve configured AV and the Threat Prevention profile as pictured above and it is still getting through, please open a TAC ticket.