Threat Extraction Troubleshooting

Introduction

The following is a collection of troubleshooting I need to do with Check Point Threat Extraction R80.10.
I used the Technical Reference Guide (ATRG) here: sk114807

Workflow in MTA mode

A PostFix server receives and handles the emails.
Emails are forwarded to the in.emaild.mta daemon, which:
1. Parses the emails (For example, Base64 decode)
2. Passes the attachments to the scrubd process, if needed (based on the configuration of supported file types).
The scrubd process handles the file and sends it to the scrub_cp_file_convertd process with the relevant details (according to the policy).
scrub_cp_file_convertd process
1. Converts the file / extracts potentialy malicious content from it.
2. Returns a Safe copy of the file to scrubd.
The scrubd process returns the Safe copy to the in.emaild.mta daemon
The in.emaild.mta daemon:
1. Replaces the original attachment with the Safe Copy version.
2. Forwards the email to its destination.

Note: For environments with MTA bundle R80.10 jhf or R80.20, in.emaild.mta is replaced with mtad daemon

Check log of convert to PDF process

It seems that the path is wron documented in the sk114807

The path mentioned /var/log/jail/$FWDIR/log/scrub_cp_file_convertd.elg* is in real /var/log/jail/$CPMDIR/log/scrub_cp_file_convertd.elg*

"This notification page has expired" error in UserCheck page when a user tries to download the original file that was blocked by Threat Extraction

According to: sk106249

Symptoms

"This notification page has expired. You can safely close the page or" error in UserCheck page when a user tries to download the original attachment 7 days after receiving the original e-mail, although the Threat Extraction is configured to keep the original attachments for more than 7 days.

Attachment file still exists in /var/log/scrub/repository/ on Threat Extraction Gateway.
The original mail can be retrieved by running the following command on the Security Gateway: scrub send_orig_email <email_id or reference_number> all.
The Email ID or reference number can be retrieved from the incident log.

Solution

For more information about the sk106249 you need to login to CP support portal. There you will need to check more files if you have set the "Delete stored original files older than" to 30+ days.
These files ave been patched if you have installed the latest R80.10 Jumbo hotfixes.

The next SK mentioned is the following:

Persistence of UserCheck incidents is not preserved when quarantine time is very high
sk122099

The solution for the SK above is to upgrade to R80.20

Network Ports used for communication

Log Files location Check Point

Useful CLI Commands Check Point

Export/Import Policy Package

Useful Smartlog Queries

Useful SNMP OIDs (VSX)

Threat Prevention API

GAIA - Easy execute CLI commands on all gateways simultaneously

Threat Prevention Cyber Attacks Dashboard Template

DOS & DDOS Prevention, Mitigation

Export Syslog Messages

Missing feature - Global search across multiple CMA

Show logging using the web interface

Managing partition sizes via LVM manager on Gaia OS

SmartConsole cli parameters

Jump to Rule Number or UID

SmartConsole: Clear disconnected sessions

Initiating manual cluster failover

How to migrate Custom Queries from one SmartView Tracker to another

Check Point Log Export

After policy install: UDP packet that belongs to an old session drops

How to copy a file from a Check Point firewall

CPView Utility and High Load Traffic

IPS Troubleshooting

Limitation of 251 Inline Layers

Packetpushers with SQLNet

Show interface speed and duplex as a list

VPN Troubleshooting

Threat Extraction Troubleshooting

Check Point Links & Tools

Threat Extraction Troubleshooting

Introduction

Workflow in MTA mode

Check log of convert to PDF process

"This notification page has expired" error in UserCheck page when a user tries to download the original file that was blocked by Threat Extraction

Symptoms

Solution

No Comments