How to submit a False Positive case for Threat Emulation?
To submit a False Positive report for Threat Emulation, collect the following information and open a support ticket with Check Point Support:
1- Full information on the deployment used for emulation: local emulation, cloud, or dedicated TE appliance.

2- Output of the following commands:

# tecli ad sc all 
# tecli s d all 
# tecli ad en ver 
# cpstat threat-emulation -f contract

NOTE: If the deployment includes both a Security Gateway and a TE appliance, collect this information from both.
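
One way to capture the step 2 output in a repeatable form, as an added example that is not part of the original article or of Check Point's tooling: the script runs the four commands above and writes each result into a per-host directory, so that output from the Security Gateway and from the TE appliance stays separate. The directory layout, file names and summary.txt format are assumptions.

```shell
#!/bin/bash
# Added example, not Check Point's own tooling. Directory layout, file names and
# the summary format are assumptions; only the four commands come from step 2.

# Commands from step 2 of the article, one per line.
TE_COMMANDS='tecli ad sc all
tecli s d all
tecli ad en ver
cpstat threat-emulation -f contract'

# collect_te_info OUTDIR
# Runs every command in TE_COMMANDS, saving stdout and stderr to
# OUTDIR/<host>/<nn>_<command>.txt, and logs each exit status to summary.txt.
# Returns the number of commands that exited non-zero (255 if OUTDIR is unusable).
collect_te_info() {
    host=$(uname -n)
    dir="$1/$host"
    mkdir -p "$dir" || return 255
    : > "$dir/summary.txt"
    n=0
    failed=0
    while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        n=$((n + 1))
        # Build a safe file name from the command text.
        name=$(printf '%s' "$cmd" | tr -c 'A-Za-z0-9' '_')
        file=$(printf '%s/%02d_%s.txt' "$dir" "$n" "$name")
        # $cmd is left unquoted on purpose so it splits into command and arguments.
        # stdin is /dev/null so a command cannot swallow the rest of the list.
        if { printf '# host: %s\n# command: %s\n' "$host" "$cmd"
             $cmd </dev/null; } > "$file" 2>&1; then
            rc=0
        else
            rc=$?
            failed=$((failed + 1))
        fi
        printf '%s\texit=%s\t%s\n' "$cmd" "$rc" "${file##*/}" >> "$dir/summary.txt"
    done <<EOF
$TE_COMMANDS
EOF
    return "$failed"
}

# Run only when an output directory is given, e.g.: ./te_collect.sh /var/tmp/te_fp
if [ "$#" -gt 0 ]; then
    collect_te_info "$1"
    exit $?
fi
```

A command that fails or is missing on a given machine still produces a file containing its error text, and summary.txt shows which commands returned a non-zero status on that host.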

3- The original file suspected as a false positive. [Archive the file with password = infected]

4- Double-click the log in SmartLog to open it.
  • Click the copy icon on the upper-right side to copy the log text.

  • Click the Summary button to download the Summary report.

5- Provide the ThreatEmulation_dataXML file from the Report file. [This file has no extension]

      The XMLData file is created once the TE report from SmartConsole is opened in the browser, and can be found at the following path: C:\Users\user_name\AppData\Local\Temp\IncidentAttachments\TEReports\{report_id}\data\ThreatEmulation_dataXML

        Go to SmartView Tracker/SmartLog (for Management server R77.X) or to SmartLog (for Management server R80.X), and open the log of the suspected file.

        Click to view the report [do not download it].

        The report opens in an IE browser, and the report_id appears in the URL.


6- CPinfo output files from all relevant machines [Security Gateway, Security Management server, TE appliance].

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
