The configured prefix text is not added by Threat Emulation to the mail subject in some e-mails
Symptoms
  • The text that was configured in the Threat Emulation Profile (e.g., "[Malicious]") is not added to the mail subject of some e-mails with a malicious attachment.

    To locate this setting in SmartDashboard R77.X: go to the "Threat Prevention" tab - in the left tree, click on "Profiles" - edit the relevant profile - expand "Threat Emulation Settings" - click on "Advanced" - select the option "Allow the mail without the attachment" - click on the "Configure Mail Subject..." button.
Cause

The subject prefix is added to a continuation line of a "folded" header (refer to RFC 2822 - section "2.2.3. Long Header Fields") that contains the text "Subject:", rather than to the actual Subject header.

Example of such an e-mail's headers:

Before passing through Threat Emulation Gateway:

X-DKIM-Signature: test;
        Subject: test Header;
        test Text;
To: test@test.com
From: test_sandblast@test.com
Subject: Test mail for Check Point Sandblast

After passing through Threat Emulation Gateway:

X-DKIM-Signature: test;
        Subject: <Configured_Subject_Prefix>test Header;
        test Text;
To: test@test.com
From: test_sandblast@test.com
Subject: Test mail for Check Point Sandblast

Example from the debug of in.emaild.mta (per sk60387):

[emaild.mta ...]@GW_HostName[Date Time] ==>mime_add_prefix_to_header
[emaild.mta ...]@GW_HostName[Date Time] mime_add_prefix_to_header: About to add <Configured_Subject_Prefix> to header subject
... ...
[emaild.mta ...]@GW_HostName[Date Time] mime_alter.c:3617:AM_header_adjust:DEBUG: Starting seek through file. header_written = 0
... ...
[emaild.mta ...]@GW_HostName[Date Time] mime_alter.c:3643:AM_header_adjust: line=X-DKIM-Signature: test;
[emaild.mta ...]@GW_HostName[Date Time] mime_alter.c:3643:AM_header_adjust: line= Subject: test Header;
[emaild.mta ...]@GW_HostName[Date Time] mime_alter.c:3672:AM_header_adjust:DEBUG: Located header line
[emaild.mta ...]@GW_HostName[Date Time] mime_alter.c:3699:AM_header_adjust:DEBUG: Prefix mode output written
[emaild.mta ...]@GW_HostName[Date Time] emaild_edit_mail_content_internal: A disclaimer was successfully added to the email.
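
The folding problem described above, reproduced as an added example (this is not Check Point's code). naive_prefix is an assumed reconstruction of a matcher that ignores leading whitespace, fold_aware_prefix treats indented lines as continuations per RFC 2822 section 2.2.3, and all function names and the sample prefix spacing are hypothetical.

```python
import email

# Constructed input: the header block from the article's "before" example.
SAMPLE = (
    "X-DKIM-Signature: test;\r\n"
    "        Subject: test Header;\r\n"
    "        test Text;\r\n"
    "To: test@test.com\r\n"
    "From: test_sandblast@test.com\r\n"
    "Subject: Test mail for Check Point Sandblast\r\n"
)
PREFIX = "[Malicious] "  # the article's example prefix; trailing space added here


def naive_prefix(headers, prefix):
    """Assumed faulty matcher: ignores leading whitespace, tags the first hit."""
    out, done = [], False
    for line in headers.splitlines(keepends=True):
        stripped = line.lstrip(" \t")
        if not done and stripped.lower().startswith("subject:"):
            indent = line[: len(line) - len(stripped)]
            value = stripped[len("subject:"):].lstrip(" \t")
            line, done = f"{indent}Subject: {prefix}{value}", True
        out.append(line)
    return "".join(out)


def fold_aware_prefix(headers, prefix):
    """A line starting with space/tab continues the previous field (RFC 2822
    2.2.3), so only a 'Subject:' in column 0 is the real Subject header."""
    out, done = [], False
    for line in headers.splitlines(keepends=True):
        continuation = line[:1] in (" ", "\t")
        if not done and not continuation and line.lower().startswith("subject:"):
            value = line[len("subject:"):].lstrip(" \t")
            line, done = f"Subject: {prefix}{value}", True
        out.append(line)
    return "".join(out)


def visible_subject(headers):
    """Subject as a standards-following parser (Python's email module) sees it."""
    return email.message_from_string(headers)["Subject"]


if __name__ == "__main__":
    for fn in (naive_prefix, fold_aware_prefix):
        print(f"{fn.__name__}: {visible_subject(fn(SAMPLE, PREFIX))!r}")
```

With the naive matcher the prefix ends up inside the X-DKIM-Signature value and the recipient's mail client still shows the untagged subject, which matches the symptom.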


Solution
Note: To view this solution you need to Sign In.