Threat Emulation logs show "Detect" for e-mail attachments instead of "Prevent" when Threat Extraction blade is also enabled

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk115252
Technical Level
Product	Threat Emulation, Threat Extraction
Version	R77.30 (EOL)
OS	Gaia, SecurePlatform 2.6
Platform / Model	All
Date Created	28-Dec-2016
Last Modified	04-Oct-2018

Symptoms

SmartView Tracker / SmartLog logs from Threat Emulation blade show malicious files being detected in e-mail attachments rather than being prevented (as per Threat Prevention profile) in the following scenario:
1. Both the Threat Emulation and Threat Extraction blades are enabled on the Security Gateway
2. Mail Transfer Agent (MTA) is enabled and configured on the Security Gateway
3. SandBlast Parallel Extraction Hotfix is installed on the Security Gateway
  (refer to sk108074; this hotfix was integrated into R77.30 Jumbo Hotfix Accumulator since Take_128).
4. E-mails with attachments are sent over SMTP

Cause

When Threat Extraction blade finishes scanning of an attachment inside an e-mail before Threat Emulation blade finishes the emulation process, the Mail Transfer Agent (MTA) passes the e-mail as-is.

This generates the "Detect" log, as there was no actual file to "Prevent".

Solution

Note: To view this solution you need to Sign In .