Configuring the Threat Prevention Policy

Note - For Managed Security Service Providers (MSSP), Harmony Endpoint allows you to create Threat Prevention policy templates and attach them to the child accounts. For more information, see Templates for Child Accounts.

Unified Policy

Harmony Endpoint introduces the unified policy for the Endpoint components.

The unified policy lets you control all security components in a single policy. The policy is composed of a set of rules. Each rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. in the policy defines the scope which the rule applies to and the activated components. This is different from the policy Rule Base All rules configured in a given Security Policy. Synonym: Rulebase. in SmartEndpoint A Check Point GUI application which connects to the Endpoint Security Management Server, to manage your Endpoint Security environment - to deploy, monitor and configure Endpoint Security clients and policies., where each component has its own set of rules.

A Default Policy rule which applies to the entire organization is predefined in your Policy tab.Policy > Threat Prevention > Policy Capabilities.

Each new rule you create, has pre-defined settings, which you can then edit in the right section of the screen.

The Threat Prevention policy contains these capabilities which you can edit:

• Web & Files Protection

• Behavioral Protection

• Analysis & Remediation

The Threat Prevention policy contains device rules and user rules.

• You can use user objects only in the user policy, and you can use device objects only in the device policy.

• There is no default rule for the user policy.

• User rules override device rules.

• You can use the same group in user and device rules at the same time.

• If a group contains both users and devices, the rule is implemented according to the policy in which the rule is included.

To enable user policy, go to the Endpoint Settings view > Policy Operation Mode, and select Mixed mode.

Parts of the Policy Rule Base

Column	Description
Rule Number	The sequence of the rules is important because the first rule that matches traffic according to the protected scope is applied.
Rule Name	Give the rule a descriptive name.
Applied to	The protected scope, to which the rule applies.
Mode	The policy mode applicable to the rule.
Web & Files Protection	The configurations that apply to Download Protection, Credential Protection and Files Protection.
Behavioral Protection	The configurations apply to Anti-Bot Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT., Anti-Ransomware and Anti-Exploit protections.
Analysis & Response	The configurations that apply to attack analysis and Remediation.
Client Version	Version number of the Initial Client that you downloaded.

Threat Prevention Policy Toolbar

Policy Mode

Policy mode allows you to:

• Quickly configure a Threat Prevention policy by selecting a predefined policy mode (Detect only, Tuning and Optimized). Check Point automatically sets the appropriate operation mode (Detect, Prevent, Off) and Advanced Settings options for each capability.

• Manually set the operation mode (Detect, Prevent, Off) and Advanced Settings options for each capability (Custom).

Notes: The Detect only mode provides the basic protection. We recommend that you use the Detect only policy mode for the first few days to gather, monitor and analyze the data. Based on the analysis, you must switch to Tuning, Optimized or configure a Custom policy mode for enhanced protection. If you use the Detect only policy mode for the Default settings for the entire organization rule (default) for more than two days, the system shows a banner as a reminder to configure a stricter policy mode. If you click Dismiss, the system stops the notification only for you while it continues to appears for other users. If you modify a predefined policy mode, it automatically changes to Custom.

To select a mode for a policy:

1. Go to Policy > Threat Prevention > Policy Capabilities.

2. Select the policy in the table.

3. In the Capabilities and Exclusion pane, from the Policy Mode list:

   • Select a predefined mode:

     • Detect only

     • Tuning

     • Optimized

     The table shows the appropriate operation mode set for each capability for a policy mode.

     Web & File Protection

     Capability	Policy Mode
     	Tuning	Detect only	Optimized
     URL Filtering	Detect	Detect	Prevent
     Download Protection	Detect	Detect	Prevent
     Zero Phishing	Detect	Detect	Prevent
     Password Reuse	Detect	Detect	Prevent
     Search Reputation	Off	Off	On
     Force Safe Search	Off	Off	On
     Anti-Malware A component on Endpoint Security Windows clients. This component protects clients from known and unknown viruses, worms, Trojan horses, adware, and keystroke loggers. Mode	Prevent	Detect	Detect
     Files Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE. Mode	Prevent	Off	Prevent
     Advanced Capabilities	N/A	N/A	N/A
     Advanced Settings
     URL Filtering	Allow user to dismiss the URL Filtering alert and access the website is disabled. Under Categories, Service is selected. Under Malicious Script Protection: Block websites where Malicious Scripts are found embedded in the HTML is selected. Allow user to dismiss the Malicious Scripts alert and access the website is disabled.		Allow user to dismiss the URL Filtering alert and access the website is selected. Under Categories, Service is selected. Under Malicious Script Protection: Block websites where Malicious Scripts are found embedded in the HTML is selected. Allow user to dismiss the Malicious Scripts alert and access the website is selected.
     Download Protection	Under Supported files, Emulate original file without suspending access is selected. Under Unsupported files, Allow Download is selected. Under Emulation Environments: Upload and emulate files under 50 MB is selected. Use Check Point recommended emulation environments is selected.		Under Supported files: Get extracted copy before emulation completes is selected. Extract potential malicious elements is selected. Under Unsupported files, Allow Download is selected. Under Emulation Environments: Upload and emulate files under 50 MB is selected. Use Check Point recommended emulation environments is selected.
     Credential Protection	Under Zero Protection, Allow user to dismiss the phishing alert and access the website is disabled. Under Password Reuse, Allow users to dismiss the password reuse alert and access the website is disabled.		Under Zero Protection, Allow user to dismiss the phishing alert and access the website is selected. Under Password Reuse, Allow users to dismiss the password reuse alert and access the website is selected.
     Files Protection - General	Under Malware Treatment, Quarantine file if cure failed is selected. Under Riskware Treatment, Treat as malware is selected. Under Threat Cloud Knowledge Sharing, Allow sending infection info and statistics to Check Point servers for analysis is selected. Under Scan on Access: Detect unusual Activity is selected. Enable reputation service for files, web resources and processes is selected. Connection timeout 600 ms. Under Mail Protection, Scan mail messages is selected.
     Files Protection - Signature	Under Frequency: Update signatures every 10 hours. Signature update will fail after every 60 seconds without server response.	Under Frequency: Update signatures every 11 hours. Signature update will fail after every 60 seconds without server response.	Under Frequency: Update signatures every 2 hours. Signature update will fail after every 60 seconds without server response.
     	Under Signature Sources: First Priority: External CheckPoint Signature Server. Second Priority: N/A Third Priority: N/A
     Files Protection - Scan	Run initial scan after Anti-Malware blades installation is selected. Allow user to cancel scan is selected. Prohibit cancel scan if more than 30 Days passed since last successful scan is selected. Under Scan targets: Critical areas is selected. Local drives is selected. Mail messages is selected. Under Scan Target Exclusions: Skip archives and non executables is selected. Do not scan files larger than 20 MB is selected.		Run initial scan after Anti-Malware blades installation is selected. Under Scan targets: Critical areas is selected. Local drives is selected. Mail messages is selected. Under Scan Target Exclusions: Skip archives and non executables is selected. Do not scan files larger than 20 MB is selected.
     Advanced Capabilities	N/A	N/A	N/A

     Behavioral Protection

     Capability	Policy Mode
     	Tuning	Detect only	Optimized
     Anti Bot	Prevent	Detect	Detect
     Behavioral Guard & Anti Ransomware	Off	Detect	Prevent
     Anti Exploit	Off	Detect	Prevent
     Advanced Settings
     Anti Bot	Under Background Protection Mode, Background - connections are allowed until threat check is complete is selected. Hours to suppress logs for same bot protection is set to 1. Days to remove bot reporting after is set to 3. Under Confidence Level: High Confidence is set to Detect. Medium Confidence is set to Detect. Low Confidence is set to Detect.
     Behavioral Guard & Anti Ransomware	Anti-Ransomware Maximum backup size on disk is disabled. Backup Time Interval is disabled. Under Disk Usage, Maximum Forensics Database size on disk is disabled.	Anti-Ransomware Maximum backup size on disk is set to 1025 MB. Backup Time Interval is set to 60 Minutes. Under Disk Usage, Maximum Forensics Database size on disk is set to 1 GB.

     Analysis & Remediation

     Capability	Policy Mode
     	Tuning	Detect only	Optimized
     Protection Mode	Always	Always	Always
     Enable Threat Hunting Behavioral Guard & Anti Ransomware	On	On	On
     Remediation & Response	Never	Never	Medium & High
     Advanced Settings
     File Quarantine	Under File Quarantine: File Quarantine is set to Never. Allow users to delete items from quarantine is disabled. Allow users to restore items from quarantine is disabled. Copy quarantine files to central location is disabled. Choose location is disabled. Quarantine folder name is disabled.		Under File Quarantine: File Quarantine is set to Medium & High. Choose location is disabled. Enter the location of the Quarantine folder name.
     File Remediation	Under File Remediation: Malicious Files is set to Quarantine. Suspicious Files is set to Quarantine. Unknown Files is set to Quarantine. Trusted Files is set to Ignore.		Under File Remediation: Malicious Files is set to Quarantine. Suspicious Files is set to Quarantine. Unknown Files is set to Quarantine. Trusted Files is set to Terminate.

   • Select Custom and set the operation mode manually. For more information, see Web & Files Protection.

4. Click Save.

5. Click Save & Install.

Updating a Predefined Policy Mode

Based on internal analysis and research, Check Point may suitably modify the operation mode or Advanced Settings of a predefined policy mode. If a predefined mode is updated, a notification appears.

• Click Align to accept the updates. The system automatically updates to the new settings for the predefined mode.

• Click Keep to retain the current settings. The policy mode changes to Custom.