Why Anti-Bot and Anti-Virus connections may be allowed even in Prevent mode
The Check Point Online Web Service is used by the gateway for Resource classification. The responses are cached locally to optimize performance, but access to the cloud is required if the response is not cached. The Resource classification mode determines whether the connection is allowed or held while the Gateway queries the Check Point Online Web Service.
- When the mode is "hold", connections are blocked until classification is complete.
- When the mode is "background", connections are allowed, and after the classification is complete, a "Detect" log is generated. The log includes the following description: "Connection was allowed because background classification mode was set". The response is cached, and a subsequent connection with the same classification is detected / prevented according to the rulebase.
- Custom - you can configure different settings depending on the service.
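As an added example (not from the article or from Check Point), the Python below audits constructed log lines in an assumed key="value" layout: it separates the "Detect" logs written because background classification mode was set from real detections, and checks per resource whether a later connection was prevented once the verdict was cached.

```python
import re
from collections import defaultdict

# Log description the article says the gateway writes in background mode.
BACKGROUND_MSG = "Connection was allowed because background classification mode was set"

# Constructed sample lines in an assumed key="value" layout (not real gateway output).
SAMPLE_LOGS = [
    'time="10:00:01" blade="Anti-Virus" action="Detect" src="10.0.0.5" resource="http://host-a.invalid/x.exe" description="' + BACKGROUND_MSG + '"',
    'time="10:00:09" blade="Anti-Virus" action="Prevent" src="10.0.0.7" resource="http://host-a.invalid/x.exe" description="Malicious file"',
    'time="10:01:30" blade="Anti-Bot" action="Detect" src="10.0.0.9" resource="http://host-b.invalid/" description="' + BACKGROUND_MSG + '"',
    'time="10:02:00" blade="Anti-Bot" action="Detect" src="10.0.0.9" resource="http://host-c.invalid/" description="Suspicious site"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" line into a dict of fields."""
    return dict(FIELD_RE.findall(line))


def is_background_allowed(entry):
    """True for the Detect log the article describes: first sight, verdict not yet cached."""
    return entry.get("action") == "Detect" and entry.get("description") == BACKGROUND_MSG


def audit(lines):
    """For every resource that was allowed through in background mode, report how often
    that happened, the first source that fetched it, and whether a later event for the
    same resource was prevented (i.e. the cached verdict was enforced by the rulebase)."""
    by_resource = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        by_resource[entry.get("resource")].append(entry)  # keeps log order

    report = {}
    for resource, events in by_resource.items():
        first_sight = next((i for i, e in enumerate(events) if is_background_allowed(e)), None)
        if first_sight is None:
            continue  # never passed through in background mode; nothing to audit
        later_prevented = any(e.get("action") == "Prevent" for e in events[first_sight + 1:])
        report[resource] = {
            "background_allowed": sum(1 for e in events if is_background_allowed(e)),
            "first_seen_src": events[first_sight].get("src"),
            "later_prevented": later_prevented,
        }
    return report


if __name__ == "__main__":
    for resource, info in audit(SAMPLE_LOGS).items():
        print(resource, info)
```

A resource whose entry shows `later_prevented` False was allowed on first sight and has not yet been stopped by a cached verdict, which is the gap between "Prevent mode" and what the first connection actually experienced.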
To change Resource classification mode:
In R77.x, go to Anti-Bot and Anti-Virus Engine Settings in the Anti-Bot and Anti-Virus tab -> Advanced pane.
In R80.x, the Resource classification mode can be changed in the Threat Prevention Profile:
- In SmartConsole, go to Manage & Settings -> Threat Prevention.
- Click on Blades
- Click on Threat Prevention > Advanced settings
- On the Threat Prevention Engine Settings window, General tab, under Resource classification mode, select an option:
  - Background - Files are sent to the destination even if the Threat Emulation analysis is not finished.
  - Hold - Connections that must have emulation are blocked until the Threat Emulation analysis is finished.
  - Custom - Select this option and click Customize to configure Background or Hold modes for SMTP and HTTP services. Click OK.
- Install the Threat Prevention policy.
When moving from background mode to hold, the Security Gateway holds the file instead of sending it to the client browser. The browser shows the file as still being downloaded, but the download is stuck at some point. The gateway continues the download only after scanning is completed or a timeout on the gateway has occurred.
If the file is malicious, the gateway stops sending the file.
Note: Starting from R75.47 and R76, Anti-Bot Resource Classification mode for DNS is performed in the "background" on the Security Gateway. To learn more, see sk92224 - Resource Categorization for Anti-Bot / Anti-Virus DNS Settings optimization.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.