Web & Files Protection

This category includes URL Filtering, Download (Web) Emulation & Extraction, Credential Protection, Safe Search and Files Protection.

URL Filtering

URL Filtering rules define which sites you can access in your organization. The URL Filtering policy is composed of the selected sites and the mode of operation applied to them.

Note: URL Filtering is not supported with SmartEndpoint.

To create the URL Filtering policy:

  1. Select the URL Filtering mode of operation:

    • Prevent - Currently supported only in Hold mode. The request to enter a site is suspended until a verdict regarding the site is received.

    • Detect - Allows access if a site is determined as malicious, but logs the traffic.

    • Off - URL Filtering is disabled.

  2. Select the categories to which the URL Filtering policy applies:

    1. Go to Web & Files Protection > Advanced Settings > URL Filtering > Categories.

    2. Select the required categories:

      Note - For each category, click Edit to see the sub-categories you can select.

    3. Click OK.

  3. Optional: You can select specific URLs to which access is denied. See Blacklisting.

  4. If you want Harmony Endpoint to verify and filter all the URLs accessed by an application or a process, select the Enable Network URL Filtering checkbox. Otherwise, URL filtering is applied only to the URLs accessed through a browser.

The selected mode of operation now applies to the selected categories.

The user can access any site which was not selected in one of the categories or which was not blacklisted.

Allow user to dismiss the URL Filtering alert and access the website - This option is selected by default. It lets the user access a site determined as malicious if the user thinks that the verdict is wrong. To configure it, go to Advanced Settings > URL Filtering.

Blacklisting

You can define specific URLs or domains as blacklisted. These URLs/domains will be blocked automatically, while other traffic will be inspected by the URL Filtering rules. You can add the URLs/domain names manually or upload a CSV file with the URLs/domain names you want to include in the blacklist.

To add a URL to the blacklist:

  1. Go to Advanced Settings > URL Filtering > Blacklist > Edit.

  2. In the URLs pane, for each required URL, enter the URL and click the + sign.

  3. Click OK.

Notes:

You can use * and ? as wildcards for blacklisting.

  • * matches any string. For example: A* can be ADomain or AB or AAAA.

  • ? matches any single character. For example, A? can be AA or AB or Ab.

To search for a URL:

  1. Go to Advanced Settings > URL Filtering > Blacklist > Edit.

  2. In the search box, enter the required URL.

    The search results appear in the URLs pane.

    You can edit or delete the URL.

To import URLs from an external source:

  1. Go to Advanced Settings > URL Filtering > Blacklist > Edit.

  2. Next to the search box, click the sign (import domains list from a 'csv' file).

  3. Find the required file and click Open.

  4. Click OK.
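A pre-import check for a blacklist CSV, using the * and ? semantics from the notes above. This is an added example, not Check Point code. It assumes one entry per row in the first column, whole-string case-insensitive matching, and entries written without a scheme. The domains and helper names are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample of a blacklist CSV (assumed layout: one entry per row).
SAMPLE_CSV = """\
bad-login.example
*.tracker.example
files?.example/*
*.tracker.example
*.ex*
"""

# Constructed list of business-critical destinations that must stay reachable.
MUST_ALLOW = [
    "portal.corp.example",
    "files1.example/payroll.xlsx",
    "intranet.corp.test",
]


def wildcard_to_regex(pattern):
    """Translate a blacklist entry: '*' is any string, '?' is exactly one character."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # everything else is a literal
    # Assumption: matching is case-insensitive and applies to the whole string.
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def load_entries(csv_text):
    """Return (unique entries in file order, duplicate entries)."""
    entries, seen, duplicates = [], set(), []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or not row[0].strip():
            continue  # skip blank rows
        entry = row[0].strip()
        if entry.lower() in seen:
            duplicates.append(entry)
            continue
        seen.add(entry.lower())
        entries.append(entry)
    return entries, duplicates


def too_broad(entry):
    """Flag wildcard entries with fewer than four literal letters or digits."""
    literal = re.sub(r"[^A-Za-z0-9]", "", entry)
    return ("*" in entry or "?" in entry) and len(literal) < 4


def review(csv_text, must_allow):
    """Summarise problems to resolve before the list is imported."""
    entries, duplicates = load_entries(csv_text)
    collisions = {}
    for url in must_allow:
        hits = [e for e in entries if wildcard_to_regex(e).fullmatch(url)]
        if hits:
            collisions[url] = hits  # these entries would block a needed site
    return {
        "entries": entries,
        "duplicates": duplicates,
        "too_broad": [e for e in entries if too_broad(e)],
        "collisions": collisions,
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_CSV, MUST_ALLOW).items():
        print(key, value)
```

Entries reported under collisions or too_broad are worth narrowing before import, because blacklisted URLs are blocked automatically, ahead of the URL Filtering rules.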

To export a list of URLs from the Endpoint Security Management Server to an external source:

  1. Go to Advanced Settings > URL Filtering > Blacklist > Edit.

  2. Next to the search box, click the sign (export domains list to a 'csv' file).

  3. Click OK.

Download (Web) Emulation & Extraction

Harmony Endpoint browser protects against malicious files that you download to your device. For the browsers supported with the Harmony Endpoint Browser extension, see Harmony Browse Administration Guide.

Threat Emulation detects zero-day and unknown attacks. Files on the endpoint computer are sent to a sandbox for emulation to detect evasive zero-day attacks. The following file types are supported:

Threat Emulation Supported File Types

7z, aspx³, app¹, arj, bat, bz2, CAB, csv, com, cpl, dll, doc, docx, dot, dotx, dotm, docm, dmg¹, dylib¹, exe, gz, hwp, iso, img¹, iqy, jar, lnk, msi¹, msg¹, O¹, one², pif, pdf, pkg¹, ppt, pptx, pps, pptm, potx, potm, ppam, ppsx, ppsm, ps1, qcow2¹, rar, rtf, sh¹, scr, sldx, sldm, slk, swf, tar, tbz2, tbz, tb2, tgz, udf, uue, wim, wsf², xar², xlt, xls, xlsx, xlm, xltx, xlsm, xltm, xlsb, xla, xlam, xll, xlw, xz, zip

Notes:

  • ¹ These file types are supported only with Harmony Endpoint Security Client version E87.40 and higher.

  • ² These file types are supported only with Harmony Endpoint Security Client version E87.60 and higher.

  • ³ These file types are supported only with Harmony Endpoint Security Client version E88.10 and higher.

Threat Extraction proactively protects users from malicious content. It quickly delivers safe files while the original files are inspected for potential threats.

To see the list of file types which are supported by Threat Emulation and Threat Extraction, go to Advanced Settings > Threat Emulation > Override Default File Actions > Edit.

These are the configuration options for supported file types:

  • Prevent - Send files for emulation and extraction. For further configuration for supported files, go to Advanced Settings > Supported Files:
    • Get extracted copy before emulation completes - You can select one of these two options. The system appends .cleaned to the file name. For example, xxx.cleaned.

      • Extract potential malicious elements - The file is sent in its original file type but without malicious elements. Select which malicious parts to extract. For example, macros, JavaScript and so on.

      • Convert to PDF - Converts the file to PDF, and keeps text and formatting.

        Best Practice - If you use PDFs in right-to-left languages or Asian fonts, preferably select Extract files from potential malicious parts to make sure that these files are processed correctly.

    • Suspend download until emulation completes - The user waits for Threat Emulation to complete. If the file is benign, the gateway sends the original file to the user. If the file is malicious, the gateway presents a Block page and the user does not get access to the file. This option gives you more security, but may cause time delays in downloading files. The system downloads the file with the original file name.

    • Emulate original file without suspending access - The gateway sends the original file to the user (even if it turns out eventually that the file is malicious).

    • Allow - All supported files are allowed without emulation. This setting overrides the Prevent setting selected in the main page.

  • Detect - Emulates original file without suspending access to the file and logs the incident. The file is blocked if it is malicious or blocked by file extension (Advanced Settings > Download Protection). If not, the file is downloaded before the emulation is complete.

  • Off - Allow file. No emulation or extraction is done. The download of all supported files is allowed.

Unsupported Files

These are file types which are not supported by Threat Emulation and Threat Extraction. Unsupported file types can be allowed or blocked. To configure, go to Advanced Settings > Download Protection > Unsupported Files. The settings selected here override the settings selected in the main page.

Additional Emulation Settings:

Emulation Environments

To define the maximum size of files that are sent for emulation, go to Advanced Settings > Download Protection > Emulation Environments and specify the file size for Upload and emulate files under.

Note - Only Endpoint Security Client version E86.40 and higher supports a maximum file size of up to 50 MB. Client versions lower than E86.40 support a maximum file size of up to 15 MB.

To select the operating system images on which the emulation is run, go to Advanced Settings > Download Protection > Emulation Environments, and select one of these options:

Override Default Files Actions

Harmony Endpoint allows you to override the default file action for the supported and unsupported files.

To override the default file actions, navigate to Advanced Settings > Download Protection > Override default file actions (download).

To override the file action for supported files:

  1. In the Supported Files section, click Edit.

  2. Select the File action and Extraction Mode.

  3. Click OK.

To override the file action for unsupported files:

  1. In the Unsupported Files section, click Edit.

    1. To add a file type, click and enter the File type.

    2. To edit a file type, select the file type and click .

    3. To delete a file type, select the file type and click .

  2. Select the Download action for the file:

  3. (Optional) In the Comments field, enter a comment.

  4. Click OK.

Custom Settings

Download Emulation and Extraction

Block downloads when emulation fails - Select the checkbox to block download of a file if the Threat Emulation of the file fails due to technical reasons, such as file size limit, no internet connectivity and invalid licenses.

Credential Protection

This protection includes two components:

Zero Phishing

Phishing prevention checks different characteristics of a website to make sure that a site does not pretend to be a different site and use personal information maliciously.

There are three configuration options for this protection:

  • Prevent - If the site is determined to be a phishing site, users cannot access the site. A log is created for each malicious site.

  • Detect - When a user uses a malicious site, a log is created.

  • Off - Phishing prevention is disabled.

For further configuration of the Zero Phishing protection, go to Advanced Settings > Credential Protection:

  • Allow user to dismiss the phishing alert and access the website - Users can select to use a site that was found to be malicious.

  • Send log on each scanned site - Send logs for each site that users visit, whether malicious or not.

  • Allow user to abort phishing scans - Users can stop the phishing scan before it is completed.

  • Scan local HTML files - By default, the Harmony Endpoint extension in Chromium-based browsers (Chrome, Microsoft Edge, and Brave) cannot access the local HTML files opened by the browser to scan them for phishing attacks. This setting prompts users to grant permission to Chromium-based browsers to access and scan local HTML files on your PC.

    Notes:

    • You can customize the prompt page. For more information, see Customized Browser Block Pages.

    • This feature is not supported with Safari and Internet Explorer browser extensions.

    • This feature is supported with the Endpoint Security Client version E86.50 and higher.

    To grant permission to access and scan the local HTML files:

    1. When a user opens a local HTML file, the Harmony Browse request access to file URLs prompt appears. Click Click to copy.

    2. Paste the copied path in the address bar of the Chrome browser and press Enter.

    3. Scroll down and turn on Allow access to file URLs.

    4. If the HTML file has an input field, Harmony Browse scans the file and blocks it, if identified as phishing.

  • Disable notifications - Allows you to disable the browser zero-phishing scan notification that appears when users try to enter in an input field.

    Note - Only the notification is disabled but the browser zero-phishing scan is performed in the background indicated by the yellow highlight around the input field.

Password Reuse Protection

Alerts users not to use their corporate password in non-corporate domains.

Notes:

  • Make sure that the full active directory is synchronized. For more information, see Full Active Directory Sync.

  • Make sure that the endpoint is added to the domain.

To set the Password Reuse mode:

  1. Go to Policy > Threat Prevention > Policy Capabilities.

  2. Select the rule.

  3. In the Web & Files Protection tab, under Password Reuse, select a mode:

    • Prevent mode - Blocks the user from entering the corporate password and opens the blocking page in a new tab. If you enable Allow users to dismiss the password reuse alert and access the website, then it allows the user to dismiss the blocking page and continue to enter the corporate password.

    • Detect & Alert - Blocks the user from entering the corporate password and opens the blocking page in a new tab and allows the user to dismiss the blocking page and continue to enter the corporate password.

      Notes:

      • This option is available only in older releases of Harmony Endpoint. In the newer releases, it is deprecated by Prevent mode.

      • If you enable this option, then Harmony Endpoint automatically disables Allow users to dismiss the password reuse alert and access the website.

    • Detect mode - The system does not block the user from entering the corporate password. If a user enters the corporate password, it is captured in the Harmony Browse logs.

    • Off - Turns off password reuse protection.

  4. For Advanced Settings, see Credential Protection.

For further configuration options for password reuse protection, go to Advanced Settings > Credential Protection > Password Reuse Protection > Edit > Protected Domains:

Add domains for which Password Reuse Protection is enforced. Harmony Endpoint keeps a cryptographically secure hash of the passwords used in these domains and compares them to passwords entered outside of the protected domains.
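A sketch of the hash-and-compare idea described above, as an added example and not Check Point's implementation. The class name, the PBKDF2 parameters, the in-memory store and the domains are assumptions made for illustration. It also shows why protected-domain matching must respect label boundaries, so that a lookalike host is not treated as corporate.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this illustration


class ReuseMonitor:
    """Hypothetical model of password reuse detection with Prevent/Detect/Off modes."""

    def __init__(self, protected_domains, mode="prevent"):
        self.protected = {d.lower() for d in protected_domains}
        self.mode = mode            # "prevent", "detect" or "off"
        self.salt = os.urandom(16)  # per-install salt; plaintext is never stored
        self.digests = []           # hashes of passwords seen on protected domains
        self.log = []               # (host, mode) for every detected reuse

    def _is_protected(self, host):
        # Match the domain itself or a subdomain on a dot boundary, so that
        # "corp.example.login.test" and "notcorp.example" are NOT protected.
        host = host.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in self.protected)

    def _digest(self, password):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), self.salt, ITERATIONS
        )

    def _known(self, digest):
        # Constant-time comparison against every stored hash.
        return any(hmac.compare_digest(digest, d) for d in self.digests)

    def on_password_entered(self, host, password):
        """Return "allow" or "block" for a password typed on the given host."""
        if self.mode == "off":
            return "allow"
        digest = self._digest(password)
        if self._is_protected(host):
            if not self._known(digest):
                self.digests.append(digest)  # remember the corporate password hash
            return "allow"
        if not self._known(digest):
            return "allow"                   # not a corporate password
        self.log.append((host, self.mode))   # reuse outside protected domains
        return "block" if self.mode == "prevent" else "allow"


if __name__ == "__main__":
    monitor = ReuseMonitor({"corp.example"}, mode="prevent")
    # Constructed inputs: the same password on a protected and a lookalike host.
    print(monitor.on_password_entered("sso.corp.example", "Constructed-Pass-1"))
    print(monitor.on_password_entered("corp.example.login.test", "Constructed-Pass-1"))
    print(monitor.log)
```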

Safe Search

Search Reputation

Search Reputation is a feature added to search engines that classifies search results based on the URL's reputation.

Notes:

  • It is supported only with Google, Bing, and Yahoo search engines.

  • To enable this feature, ensure that you set URL Filtering Mode to either Prevent or Detect.

To set the Search Reputation mode:

  1. Go to Policy > Threat Prevention > Policy Capabilities.

  2. Select the rule.

  3. In the Web & Files Protection tab, under Search Reputation, select a mode:

    • On - Turns on the feature.

    • Off - Turns off the feature.

When you enable this feature, the icon across the URL in the search results indicates the classification:

  • The website is safe.

  • The website is not safe.

  • The website is blocked by the Administrator.

Note - If the Search Reputation cannot classify a URL, then it does not display an icon across the URL. If you want such URLs to be classified and blocked, then enable the Uncategorized checkbox in URL Filtering > Categories > General Use. The Search Reputation classifies Uncategorized URLs as The website is blocked by the Administrator.

Force Safe Search

Force Safe Search is a feature in search engines that acts as an automated filter for potentially offensive and inappropriate content.

To set the Force Safe Search mode:

  1. Go to Policy > Threat Prevention > Policy Capabilities.

  2. Select the rule.

  3. In the Web & Files Protection tab, under Force Safe Search, select a mode:

    • On - Hides explicit content from the search results.

    • Off - User sees the most relevant results for their search, which may include explicit content like images consisting of violence.

Main features:

  • When ‘Force Safe Search’ is on, Harmony Browse turns on Safe Search on the supported search engines.

  • It is supported with Google, Bing, and Yahoo search engines.

  • Force Safe Search is off by default.

  • Force Safe Search is supported with Google Chrome and Microsoft Edge browsers.

Files Protection

Protects the files on the file system. This protection has two components:

  • Anti-Malware Mode - Protection of your network from all kinds of malware threats, ranging from worms and Trojans to adware and keystroke loggers. Use Anti-Malware to manage the detection and treatment of malware on your endpoint computers.

    There are three configuration options for this protection:

    • Prevent - Protects your files from malware threats.

    • Detect - Detects the threats, so they appear in the logs, although the virus or malware are still executable. Use this mode with caution.

    • Off - No protection from malware.

    Notes -

    • Starting from the Endpoint Security Client E83.20, Check Point certified the E2 client version (the Anti-Malware engine is DHS compliant) for Cloud deployments.

    • The E1 Anti-Malware blade can scan these archive file formats:

      • ZIP

      • Z

      • LZIP

      • 7Z

      • RAR

      • ISO

      • CAB

      • JAR

      • BZIP2

      • GZIP

      • DMG

      • XAR

      • TAR

      • ACE

    • The E2 DHS Anti-Malware blade can scan these archive file formats:

      • ZIP

      • Z

      • 7Z

      • RAR

      • ISO

      • CAB

      • JAR

      • BZIP2

      • GZIP

      • DMG

      • XAR

      • TAR

      • ACE

  • Files Threat Emulation Mode - Emulation of files on the system.

    There are three configuration options for this protection:

    • Prevent - Detects a malicious file, logs the event and deletes the file.

    • Detect - Detects a malicious file and logs the event.

    • Off - Files Threat Emulation mode is off. Does not run the Threat Emulation on the file.

    This is supported with Endpoint Security client version E86.80 and higher.

  • Advanced Capabilities - You can set an action for each of these capabilities separately:

    Note - This is supported only with the Harmony Endpoint Security client version E88.30 and higher.

    • ThreatCloud Reputation - Verifies the reputation of files based on their hash in Check Point's ThreatCloud.

    • Offline Reputation - Verifies the reputation of files based on their hash against data stored locally on the Harmony Endpoint client. The data is updated based on the most common hashes accessed in the ThreatCloud Reputation database. Enables verification when a Harmony Endpoint client is working offline and not connected to the network.

    • Office Files - Performs static analysis¹ on Microsoft Office files.

    • Executables Files - Performs static analysis¹ on executable files.

    • DLL Files - Performs static analysis¹ on DLL files.

    ¹ Analyzes files against data models, without executing them, to identify potentially malicious files.

    The supported actions are:

    • Prevent - Detects a malicious file, logs the event and deletes the file.

    • Detect - Detects a malicious file and logs the event.

    • Off - No protection from malicious files.

    For more information, see Advanced Capabilities.

    To enable Advanced Capabilities:

    1. Go to Policy > Threat Prevention > Policy Capabilities.

    2. Select a rule.

    3. In the Web & Files Protection tab, in the Advanced Capabilities list, select On.

    Note - To view the set action for each capability, click See status.

Advanced Settings

Files Protection

To configure the advanced settings for files protection, go to Advanced Settings > Files Protections.

General

  • Malware Treatment - The malware treatment options let you select what happens to malware that is detected on a client computer:

    • Quarantine file if cure failed - If Endpoint Security cannot repair the file, it is deleted and put in a secure location from where it can be restored if necessary.

    • Delete file if cure failed - If Endpoint Security cannot repair the file, it is deleted.

  • Riskware Treatment - Riskware is legal software that might be dangerous.

    • Treat as malware - Use the option selected for Malware.
    • Skip file - Do not treat riskware files.

    • Detect unusual activity - Use behavior detection methods to protect computers from new threats whose information has not yet been added to the databases. It does not monitor trusted processes.

    • Enable reputation service for files, web resources & processes - Use cloud technologies to improve precision of scanning and monitoring functions. If you enable or disable this setting, it takes effect after the client computer restarts.

      Connection timeout - Change the maximum time to get a response from Reputation Services (in milliseconds). Default is 600.

      Note - If you decrease this value, it can improve the performance of the Anti-Malware component but reduces security, as clients might not get a reputation status that shows an item to be zero-day malware.

    • Enable web protection - Prevents access to suspicious sites and execution of malicious scripts. Scans files and packed executables transferred over HTTP, and alerts users if malicious content is found.

  • Threat Cloud Knowledge Sharing - To share infection information, statistics and infected file samples with Check Point for analysis, select any of these:

    • Allow sending infection info and statistics to Check Point servers for analysis

    • Allow sending infected file samples to Check Point servers for analysis

    Note - This is supported only with a DHS compliant Harmony Endpoint Security client.

  • Mail Protection - Enable or disable scans of email messages when they are passed as files across the file system.

Signature

  • Signature Sources

    • External Check Point Signature Server - Get updates from a dedicated, external Check Point server through the internet.

    • Other External Source - Get updates from an external source through the internet. Enter the URL.

  • Shared signature source - Get updates from a shared location on an Endpoint Security client that acts as a Shared Signature Server. This solution is curated for Virtual Desktop Infrastructure (VDI) environments, but can be leveraged for other scenarios as well. This makes it possible to protect non-persistent virtual desktops in VDI environments. Each non-persistent virtual desktop runs an Endpoint Security client and gets Anti-Malware and Threat Prevention signatures from a shared folder on the Shared Signature Server, which is a persistent virtual machine.

    • Second Priority - Set a fallback update source to use if the selected update source fails. Select a different option than the first signature source.

    • Third Priority - Set a fallback update source to use if the other sources fail.

    Note - If only update from local Endpoint Servers is selected, clients that are disconnected from an Endpoint Security server cannot get updates.

  • Shared Signature Server - To set the server as a Shared Signature Server, select the Set as shared signature server checkbox and enter the local path of the folder. For example, C:\Signatures. For more information, see Shared Signatures Server.

Scan

Anti-Malware scans computers for malware at regular intervals to make sure that suspicious files are treated, quarantined, or deleted.

  • Perform Periodic Scan - Select one of these options to define the frequency of the scans:

    • Every Month - Select the day of the month on which the scan takes place and the Scan start hour.

    • Every Week - Select the day of the week on which the scan takes place and the Scan start hour.

    • Every Day - Select the scan start hour.

    • Scan on Idle - Specify the idle time duration for the endpoint. The Harmony Endpoint Security client initiates the initial or periodic Anti-Malware scan only when the endpoint remains idle for the specified duration. If the device is not idle, the scan is postponed for 24 hours. After this 24-hour period, the Harmony Endpoint Security client initiates the initial or periodic Anti-Malware scan, irrespective of whether the device is idle or in use.

    Note - Scan on Idle is not supported with the DHS compliant Anti-Malware blade.

    Optional:

    • Randomize scan time - Mandatory for Virtual Desktop Infrastructure (VDI). Select this option to make sure that not all computers do a scan for malware at the same time. This makes sure that network performance is not affected by many simultaneous scans. In Start scan and End scan, specify the time range during which the scan can start and end.

    • Run initial scan after the Anti-Malware blades installation.

    • Allow user to cancel scan.

    • Prohibit cancel scan if more than X Days passed since last successful scan.

  • Scan Targets - Select the target for the Anti-Malware scan:

    • Critical areas

    • Optical drives

    • Local drives

    • Mail messages

    • Removable drives

    • Unrecognized devices

    • Network devices

    Notes:

    • Mail messages is not supported with the DHS compliant Anti-Malware blade in macOS.

    • Critical areas is supported with the DHS compliant Anti-Malware blade from E88.00 and higher.

  • Scan Target Exclusions - Select the checkboxes to skip scanning of certain files.

    • Skip archives and non executables - Skips scanning of archive file formats (for example, .zip, 7zip, tar.gz, rar, and so on) and non-executable files (files without the execute permission).

      Note - Skip archives and non executables is not supported with the DHS compliant Anti-Malware blade.

    • Do not scan files larger than - Specify the file size limit. If the file size is larger than the specified limit, then the system skips scanning the file. The default file size limit is 20 MB.

      Note - The maximum supported file size for the Anti-Malware scan depends on the endpoint's system specifications, such as CPU, RAM and so on.

Threat Emulation

You can define the default file action for threat emulation.

To override the default file actions:

  1. In the Override Default Files Actions section, click Edit.

  2. From the File action list, select an action.

  3. Click OK.

Advanced Capabilities

In the Advanced Capabilities window, select an action for these capabilities:

  • ThreatCloud Reputation

  • Offline Reputation

  • Static Analysis:

    • Office Files

    • Executables Files

    • DLL Files

Browser Settings

Starting from the Harmony Endpoint Security client E87.10, the extension is pinned to the browser by default for users.

Note - You can unpin the extension only on Chromium browsers, such as Chrome, Edge and Brave. You cannot unpin an extension in Firefox.

To allow users to unpin the browser extension, clear Always pin the browser extension to the tool bar under Pin Extension.