Check Point Response to HTTP Evader (http://noxxi.de/research)
Solution

Background

The HTTP Evader test site (http://noxxi.de/research/http-evader.html) runs a series of tests, each of which tries to download the EICAR anti-virus test file (eicar.txt) over HTTP. The file contains the standard EICAR test string, which anti-virus engines recognize as a virus, so every one of these downloads should be blocked by the gateway.

The HTTP Evader tests apply various manipulations to the HTTP headers (and to the transfer and content encodings they announce) that are meant to confuse the HTTP parser of an inspecting device such as the Security Gateway: the device fails to reconstruct the transferred file and lets the traffic through uninspected, while the browser still decodes the response and receives the file.
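The following Python script is an added example, not code from Check Point or from the HTTP Evader project. It models, in simplified form, the difference between lenient HTTP response parsing (decoding stops at the first malformation and the rest is passed along uninspected) and the strict behaviour that the Non Compliant HTTP and Gzip Enforcement settings recommended later on this page are meant to provide (block on an invalid chunk, drop compressed traffic whose inspection stopped). The four HTTP responses are constructed for the example; the malformations (a non-hex chunk-size line, garbage bytes in front of a gzip stream) are of the kind HTTP Evader uses, not specific test cases from the site. The verdict logic is an assumption about how such a gateway behaves, not Check Point's actual implementation.

```python
import gzip
import re
import zlib

# Standard EICAR anti-virus test string; every AV engine flags it.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

CHUNK_SIZE = re.compile(rb"[0-9A-Fa-f]+")   # RFC 7230: chunk-size = 1*HEXDIG


def split_response(raw):
    """Return (headers as a lowercase dict, body bytes) for one HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body


def dechunk(body, strict):
    """Decode chunked transfer coding.

    Returns (decoded, stopped). A malformed chunk-size line raises ValueError
    when strict (modelling "Block invalid chunk"); in lenient mode decoding
    stops there and whatever was decoded so far is returned with stopped=True.
    """
    out, pos = b"", 0
    while True:
        eol = body.find(b"\r\n", pos)
        size_line = body[pos:eol] if eol >= 0 else None
        if size_line is None or not CHUNK_SIZE.fullmatch(size_line):
            if strict:
                raise ValueError("invalid chunk-size line %r" % size_line)
            return out, True
        size = int(size_line, 16)
        if size == 0:
            return out, False                     # last-chunk reached
        start = eol + 2
        out += body[start:start + size]
        pos = start + size + 2                    # skip the chunk-data CRLF


def inspect_response(raw, strict):
    """Model the gateway's anti-virus verdict for one HTTP response.

    strict=False: lenient parsing; when decoding fails, the undecoded bytes
    are scanned as they are and passed along.
    strict=True: strict response parsing, "Block invalid chunk" and
    "Drop compressed traffic if inspection stopped".
    Returns (verdict, reason).
    """
    headers, body = split_response(raw)
    stopped = False
    if headers.get(b"transfer-encoding") == b"chunked":
        try:
            body, stopped = dechunk(body, strict)
        except ValueError as exc:
            return ("BLOCK", "invalid chunk: %s" % exc)
    if headers.get(b"content-encoding") == b"gzip":
        try:
            body = zlib.decompress(body, 16 + zlib.MAX_WBITS)   # gzip wrapper
        except zlib.error:
            if strict:
                return ("BLOCK", "compressed traffic, inspection stopped")
            stopped = True                        # only the raw bytes get scanned
    if EICAR in body:
        return ("BLOCK", "virus found")
    return ("ALLOW", "inspection stopped" if stopped else "clean")


def chunked_body(payload, size_line):
    return size_line + b"\r\n" + payload + b"\r\n0\r\n\r\n"


# Constructed sample responses (not captures from the HTTP Evader site).
SAMPLES = {
    "plain": b"HTTP/1.1 200 OK\r\nContent-Length: 68\r\n\r\n" + EICAR,
    "chunked_ok": b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                  + chunked_body(EICAR, b"%x" % len(EICAR)),
    "chunked_bad_size": b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                        + chunked_body(EICAR, b"0x44"),       # "0x" is not HEXDIG
    "gzip_garbage_prefix": b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n\r\n"
                           + b"\x00\x00" + gzip.compress(EICAR),
}


def run_all():
    """Map each sample to its (lenient verdict, strict verdict)."""
    return {name: (inspect_response(raw, False)[0], inspect_response(raw, True)[0])
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (lenient, strict) in run_all().items():
        print("%-20s lenient=%s  strict=%s" % (name, lenient, strict))
```

The two well-formed responses are blocked in both modes, so the strict settings cost nothing on compliant traffic. The two malformed responses are where the evasion lives: a lenient parser finds no EICAR string in the bytes it managed to decode and allows the download, while the strict settings block the response outright because decoding did not complete. A browser that tolerates the same malformation would still receive the file, which is exactly what the HTTP Evader tests check.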


Check Point configuration recommendation for catching HTTP Evader

  • Instructions for SmartConsole R80.X
    1. Connect with SmartConsole to Security Management Server / Domain Management Server.

    2. Open the Security Gateway / Cluster object:

      1. Enable IPS blade and Anti-Virus blade.


      2. Go to IPS pane:

        In the Activation Mode section, select According to Threat Prevention policy.

      3. Click on OK.

    3. Configure the Inspection Settings:

      1. In the Navigation Toolbar, click on the MANAGE & SETTINGS.

      2. In the upper middle section, click on the Blades.

      3. Click on the Inspection Settings... button.

      4. Configure the IPS protection Gzip Enforcement:

        1. Search for Gzip Enforcement

        2. Double-click on the Gzip Enforcement protection

        3. Double-click on the Recommended Inspection profile

        4. In the left pane, click on the Advanced

        5. Check the box Drop compressed traffic if inspection stopped

        6. Click on OK.

        7. Click on Close.

      5. Configure the IPS protection Non Compliant HTTP:

        1. Search for Non Compliant HTTP

        2. Double-click on the Non Compliant HTTP protection

        3. Double-click on the Recommended Inspection profile

        4. In the left pane, click on the Advanced

        5. Check the box Enforce strict HTTP request parsing

        6. Check the box Enforce strict HTTP response parsing

        7. Check the box Block invalid chunk

        8. Click on OK.

        9. Click on Close.

      6. Assign the Recommended Inspection profile:

        1. In the Inspection Settings window, in the left pane, click on the Gateways

        2. Double-click on the Security Gateway / Cluster object

        3. Select the Recommended Inspection profile

      7. Close the Inspection Settings window.

    4. The Threat Prevention profile used in the Threat Prevention policy can be either Optimized or Strict.

      To configure the Threat Prevention Profiles:

      1. In the Navigation Toolbar, click on the SECURITY POLICIES.

      2. In the upper middle section, click on the Threat Prevention headline.

      3. In the lower middle section, click on the Profiles.

      4. Double-click on either the Optimized or the Strict profile.

      5. Configure the desired settings.

      6. Click on OK.

      7. In the Threat Prevention section, click on the Policy.

      8. In the relevant rules, select either Optimized, or Strict profile.

    5. Install policy on the Security Gateway / Cluster (both Access and Threat Prevention).



  • Instructions for SmartConsole R77.X

    1. Install the R77.30 - Security and stability enhancements for Security Gateway (Hotfix #5).

    2. Connect with SmartDashboard to Security Management Server / Domain Management Server.

    3. Open the Security Gateway / Cluster object:

      1. Enable IPS blade and Anti-Virus blade.


      2. Go to IPS pane - select Recommended_Protection profile - select Perform IPS inspection on all traffic (may affect performance):

      3. Click on OK.

    4. Go to IPS tab in SmartDashboard - in the left tree, click on Protections.

    5. Configure the IPS protection Gzip Enforcement:

      1. Search for Gzip Enforcement.

      2. Double-click on the Gzip Enforcement protection.

      3. Double-click on the Recommended_Protection profile.

      4. Check the box Drop compressed traffic if inspection stopped.

      5. Click on OK.

    6. Configure the IPS protection Non Compliant HTTP:

      1. Search for Non Compliant HTTP.

      2. Double-click on the Non Compliant HTTP protection.

      3. Double-click on the Recommended_Protection profile.

      4. Check the box Enforce strict HTTP request parsing.

      5. Check the box Enforce strict HTTP response parsing.

      6. Click on Advanced... button - check the box Invalid chunk.

      7. Click on OK.

    7. Install policy on the Security Gateway / Cluster (both Network Security and Threat Prevention).


Check Point recommendation for performing HTTP Evader tests

Note: This recommendation applies to both Anti-Virus blade and Traditional Anti-Virus (after following the configuration recommendation above for catching HTTP evasions).

  1. Connect to command line on Security Gateway / each cluster member.

  2. Log in to Expert mode.

  3. Configure the Security Gateway to block the EICAR virus test file (value 2 = block; refer to sk44781):

    [Expert@HostName:0]# fw ctl set int g_ci_av_eicar_handling_mode 2

    Verify the current value with fw ctl get int g_ci_av_eicar_handling_mode.

    Note: This change does not survive reboot. To make it permanent, add the line g_ci_av_eicar_handling_mode=2 to the $FWDIR/boot/modules/fwkern.conf file on the Security Gateway / each cluster member.

  4. Perform the desired HTTP Evader tests.
