When using Threat Emulation to scan mail content, some files encoded in MIME may be incorrectly decoded causing a 'False-Negative' result of the emulated file
Symptoms
  • When using Threat Emulation to scan mail content, some files encoded in MIME may be incorrectly decoded causing a False-Negative result of the emulated file.
Solution

Effective October 10, 2013, the R77 Gaia / SecurePlatform / Windows images have been replaced resolving sk95056 (Security Gateways prior to R76 drop UDP traffic on non-standard ports after upgrading Security Management Server to R77) and sk95245 (When using Threat Emulation to scan mail content, some files encoded in MIME may be incorrectly decoded causing a 'False-Negative' result of the emulated file). By installing the new images of Gaia & SecurePlatform, the R77 machine will automatically install these hotfixes on top of the R77 installation.

 

Important Note: Another hotfix for Threat Emulation might be required in addition to this hotfix. Refer to sk96269 (E-mails might not be scanned by the Threat Emulation blade in some specific scenarios depending on the e-mail client behavior).

 


 

This problem was fixed. The fix is included in:

Check Point recommends always upgrading to the most recent version (upgrade Security Gateway / upgrade Security Management Server / upgrade Multi-Domain Security Management Server).

 

For R77 version, Check Point offers a Hotfix.

Table of Contents:

  • Hotfix installation instructions
  • How to uninstall the hotfix
  • Files replaced by the hotfix

Hotfix installation instructions

  • Gaia OS using CPUSE (Check Point Update Service Engine)

    We recommend using CPUSE to install this hotfix.

    Note: The hotfix has to be installed on the Security Gateway / each cluster member.

    • In Gaia Portal:

      Important Note for VSX mode: Gaia Portal is not supported on Security Gateway in VSX mode. Users must use the Clish.

      1. Connect to the Gaia Portal on your machine.

      2. Obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out').

      3. Navigate to the 'Software Updates' - 'Status and Actions' pane.

      4. Go to the 'Updates' tab to see the published hotfixes available for download.

      5. Select the Check_Point_R77_hotfix_sk95245.tgz package - right-click on it - click on 'Download' (this will download the hotfix to your machine).

      6. Right-click on the Check_Point_R77_hotfix_sk95245.tgz package - click on 'Install' (this will install the hotfix on the machine and display the installation status).

      7. When prompted for reboot (a pop up window appears), confirm to reboot the machine.


    • In Clish:

      Important Note for VSX mode: Gaia Portal is not supported on Security Gateway in VSX mode. Users must use the Clish.

      1. Connect to Gaia command line (over SSH, or console).

      2. Log in to Clish shell.

      3. See the list of available packages for download:

        HostName> show installer available_packages

      4. Download this hotfix:

        HostName> installer download Check_Point_R77_hotfix_sk95245.tgz

      5. Check the download progress by repeatedly running this command:

        HostName> show installer package_status
        Example output:
        Check_Point_R77_hotfix_sk95245.tgz - Downloading (2.95 MB/s)   - Progress: 6%
        Check_Point_R77_hotfix_sk95245.tgz - Available for install
        
      6. See the list of available packages for install:

        HostName> show installer available_local_packages

      7. Install this hotfix:

        HostName> installer install Check_Point_R77_hotfix_sk95245.tgz

      8. Check the installation progress by repeatedly running this command:

        HostName> show installer package_status
        Example output:
        Check_Point_R77_hotfix_sk95245.tgz - Installing                - Progress: 3%
        Check_Point_R77_hotfix_sk95245.tgz - installed
        
      9. The machine will be rebooted automatically.

    Contact Check Point Support for any assistance.



  • Gaia / SecurePlatform OS

    Contact Check Point Support for any assistance.

    1. The hotfix has to be installed on the Security Gateway / each cluster member.

    2. Download the relevant hotfix package:

      Platform R77
      Gaia / SecurePlatform (TGZ)


    3. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).

    4. Unpack the hotfix package:

      [Expert@HostName]# cd /some_path_to_fix/
      [Expert@HostName]# tar zxvf Check_Point_R77_hotfix_sk95245.tgz

    5. Install the hotfix:

      [Expert@HostName]# ./fw1_wrapper_HOTFIX_GULLI_HF1_990035004_2

      Note: The script will stop all Check Point services (cpstop) - read the output on the screen.

    6. Reboot the machine.

 

How to uninstall the hotfix


    1. Connect to command line on Security Gateway / each cluster member (over SSH, or console).

    2. Log in to Expert mode.

    3. Run the uninstall script:

      [Expert@HostName]# /opt/CPsuite-R77/uninstall_fw1_wrapper_HOTFIX_GULLI_HF1

    4. Reboot the machine.

     

Files replaced by the hotfix


    • $FWDIR/bin/fwssd
    • $FWDIR/lib/libfw_kern26_18_splat_i686_us.so
    • $FWDIR/lib/libfw_kern26_18_splat_i686_usv6.so
    • $FWDIR/boot/modules/fwmod.2.6.18.cp.i686.o
    • $FWDIR/boot/modules/fwmod.2.6.18.cp.i686.noPAE.o
    • $FWDIR/boot/modules/fwmod.2.6.18.cp.x86_64.o
    • $FWDIR/boot/modules/fw6mod.2.6.18.cp.i686.o
    • $FWDIR/boot/modules/fw6mod.2.6.18.cp.i686.noPAE.o
    • $FWDIR/boot/modules/fw6mod.2.6.18.cp.x86_64.o
  • Applies To:
    • 01226393 , 01230559 , 00265149 , 01381018
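
Added example (not part of the Check Point article or its tooling): a bash script for Expert mode that hashes the files listed above before and after the hotfix is installed and reports any that were not replaced. It assumes sha256sum is available on the machine; the script name and snapshot paths are placeholders.

```shell
#!/bin/bash
# Added example, not Check Point code. Assumes sha256sum exists in Expert mode.
# Usage (script name hfcheck.sh and /var/tmp paths are placeholders):
#   ./hfcheck.sh snapshot /var/tmp/before.txt    # before installing
#   ./hfcheck.sh snapshot /var/tmp/after.txt     # after the reboot
#   ./hfcheck.sh unchanged /var/tmp/before.txt /var/tmp/after.txt

# Paths from "Files replaced by the hotfix", relative to $FWDIR.
HOTFIX_FILES="bin/fwssd
lib/libfw_kern26_18_splat_i686_us.so
lib/libfw_kern26_18_splat_i686_usv6.so
boot/modules/fwmod.2.6.18.cp.i686.o
boot/modules/fwmod.2.6.18.cp.i686.noPAE.o
boot/modules/fwmod.2.6.18.cp.x86_64.o
boot/modules/fw6mod.2.6.18.cp.i686.o
boot/modules/fw6mod.2.6.18.cp.i686.noPAE.o
boot/modules/fw6mod.2.6.18.cp.x86_64.o"

# snapshot ROOT OUTFILE: write "<sha256> <path>" for every listed file.
snapshot() {
    snap_root=$1
    snap_out=$2
    : > "$snap_out"
    for snap_f in $HOTFIX_FILES; do
        if [ -f "$snap_root/$snap_f" ]; then
            snap_h=$(sha256sum "$snap_root/$snap_f" | awk '{print $1}')
        else
            snap_h=MISSING    # file not present on this machine
        fi
        printf '%s %s\n' "$snap_h" "$snap_f" >> "$snap_out"
    done
}

# unchanged BEFORE AFTER: print listed paths whose hash is identical in both
# snapshots, i.e. files the hotfix did not replace (or missing both times).
unchanged() {
    grep -Fxf "$1" "$2" | awk '{print $2}'
}

case "${1:-}" in
    snapshot)  snapshot "${FWDIR:?FWDIR is not set}" "$2" ;;
    unchanged) unchanged "$2" "$3" ;;
esac
```

Run it on the Security Gateway / each cluster member; an empty result from `unchanged` means every listed file differs from its pre-install copy.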
