1- Full information on the deployment used for emulation - local emulation / cloud / or dedicated TE appliance.
2- Output of next commands:
# tecli ad sc all
# tecli s d all
# tecli ad en ver
# cpstat threat-emulation -f contract
NOTE: In case the deployment includes Security Gateway and TE appliance please collect this information from both.
3-Original file suspected as a false positive. [Archive the file with password = infected]
4-In SmartView Tracker / SmartLog copy the log to text file [not screenshot] and download the PDF report file.
5-Please provide the ThreatEmulation_dataXML file from Report file. [This file will have no extention]
The XMLData is created once the TE report from the SmartView Tracker or SmartLog is opened in the browser, and can be found in the following directory: C:\Users\user_name\AppData\Local\Temp\IncidentAttachments\TEReports\{report_id}\data\ /ThreatEmulation_dataXML
Please go to the SmartView Tracker/SmartLog, for Management server R77.X, or to SmartLog, for Management server R80.X, and open the log of the suspected file.
Click to View Report [not download].
An IE browser will open the report and you will find the report_ID in the URL.
Example:
C:\Users\user_name\AppData\Local\Temp\IncidentAttachments\TEReports\{report_id}\data\ /ThreatEmulation_dataXML
5- CPinfo output files from all relevant machines [
Security Gateway, Security Management server,TE appliance].
|
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
|
