Web & Files Protection

This category includes Download (web) Emulation & Extraction, Credential Protection and Files Protection.

URL Filtering

URL Filtering rules define which sites you can access in your organization. The URL Filtering policy is composed of the selected sites and the mode of operation applied to them.

Note:

SmartEndpoint does not support the new capability. It is only supported for web users.

To create the URL Filtering policy:

  1. Select the URL Filtering mode of operation:

    • Prevent - Currently supported only in Hold mode. The request to enter a site is suspended until a verdict regarding the site is received.

    • Detect - Allows access if a site is determined as malicious, but logs the traffic.

    • Off - URL Filtering is disabled.

  2. Select the categories to which the URL Filtering policy applies:

    1. Go to Web & Files Protection > Advanced Settings > URL Filtering > Categories.

    2. Select the required categories:

      Note - For each category, click Edit to see the sub-categories you can select.

    3. Click OK.

  3. Optional: You can select specific URLs to which access is denied. See Blacklisting.

  4. If you want Harmony Endpoint to verify and filter all the URLs accessed by an application or a process, select the Enable Network URL Filtering checkbox. Otherwise, URL filtering is applied only to the URLs accessed through a browser.

The selected mode of operation now applies to the selected categories.

The user can access any site which was not selected in one of the categories or which was not blacklisted.

Allow user to dismiss the URL Filtering alert and access the website - This option is selected by default. It lets you access a site determined as malicious, if you think that the verdict is wrong. To configure it, go to Advanced Settings > URL Filtering.

Blacklisting

You can define specific URLs or domains as blacklisted. These URLs/domains will be blocked automatically, while other traffic will be inspected by the URL Filtering rules. You can add the URLs/domain names manually or upload a CSV file with the URLs/domain names you want to include in the blacklist.

To add a URL to the blacklist:

  1. Go to Advanced Settings > URL Filtering > Blacklist > Edit.

  2. In the URLs pane, for each required URL, enter the URL and click the + sign.

  3. Click OK.

Notes:

You can use * and ? as wildcards for blacklisting.

  • * stands for any string. For example: A* can be ADomain or AB or AAAA.

  • ? stands for one other character. For example, A? can be AA or AB or Ab.
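
A wildcard entry can match more than intended, so it is worth checking a candidate list against hosts that must stay reachable before importing it. The following is an added example, not Check Point code: the function names and sample hosts are constructed, and it assumes that an entry must match the whole value, that * may match an empty string, and that matching ignores case.

```python
import re

def wildcard_to_regex(entry: str) -> re.Pattern:
    """Translate a blacklist entry: '*' is any string, '?' is exactly one character."""
    parts = []
    for ch in entry:
        if ch == "*":
            parts.append(".*")   # assumption: '*' may also match an empty string
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # dots and other regex characters stay literal
    # Assumption: the entry must cover the whole value and case is ignored.
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def overbroad_entries(entries, must_stay_reachable):
    """Map each entry to the required hosts it would also block.

    An empty result means no candidate entry collides with a required host.
    """
    hits = {}
    for entry in (e.strip() for e in entries):
        if not entry:
            continue
        rx = wildcard_to_regex(entry)
        blocked = [h for h in must_stay_reachable if rx.fullmatch(h)]
        if blocked:
            hits[entry] = blocked
    return hits

# Constructed sample data: candidate blacklist entries and business-critical hosts.
CANDIDATES = ["*.badcdn.example", "login-??.example.net", "*pay*", "a?.example.org"]
REQUIRED_HOSTS = ["payroll.corp.example", "login-eu.example.net",
                  "www.example.org", "ab.example.org"]

if __name__ == "__main__":
    for entry, blocked in overbroad_entries(CANDIDATES, REQUIRED_HOSTS).items():
        print(f"{entry!r} would also block: {', '.join(blocked)}")
```
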

To search for a URL:

  1. Go to Advanced Settings > URL Filtering > Blacklist > Edit.

  2. In the search box, enter the required URL.

    The search results appear in the URLs pane.

    You can edit or delete the URL.

To import URLs from an external source:

  1. Go to Advanced Settings > URL Filtering > Blacklist > Edit.

  2. Next to the search box, click the sign (import domains list from a 'csv' file).

  3. Find the required file and click Open.

  4. Click OK.

To export a list of URLs from the Endpoint Security Management Server to an external source:

  1. Go to Advanced Settings > URL Filtering > Blacklist > Edit.

  2. Next to the search box, click the sign (export domains list to a 'csv' file).

  3. Click OK.

Download (Web) Emulation & Extraction

Harmony Endpoint browser protects against malicious files that you download to your device. For the browsers supported with the Harmony Endpoint Browser extension, see Harmony Browse Administration Guide.

Threat Emulation detects zero-day and unknown attacks. Files on the endpoint computer are sent to a sandbox for emulation to detect evasive zero-day attacks.

Threat Extraction proactively protects users from malicious content. It quickly delivers safe files while the original files are inspected for potential threats.

To see the list of file types which are supported by Threat Emulation and Threat Extraction, go to Advanced Settings > Threat Emulation > Override Default File Actions > Edit.

These are the configuration options for supported file types:

  • Prevent - Send files for emulation and extraction. For further configuration for supported files, go to Advanced Settings > Supported Files:

    • Get extracted copy before emulation completes - You can select one of these two options:

      • Extract potential malicious elements - The file is sent in its original file type but without malicious elements. Select which malicious parts to extract. For example, macros, Java scripts and so on.

      • Convert to PDF - Converts the file to PDF, and keeps text and formatting.

        Best Practice - If you use PDFs in right-to-left languages or Asian fonts, preferably select Extract files from potential malicious parts to make sure that these files are processed correctly.

    • Suspend download until emulation completes - The user waits for Threat Emulation to complete. If the file is benign, the gateway sends the original file to the user. If the file is malicious, the gateway presents a Block page and the user does not get access to the file. This option gives you more security, but may cause time delays in downloading files.

    • Emulate original file without suspending access - The gateway sends the original file to the user (even if it turns out eventually that the file is malicious).

    • Allow - All supported files are allowed without emulation. This setting overrides the Prevent setting selected in the main page.

  • Detect - Emulate original file without suspending access to the file and log the incident.

  • Off - Allow file. No emulation or extraction is done. The download of all supported files is allowed.

Unsupported Files

File types which are not supported by Threat Emulation and Threat Extraction. Unsupported files types can be allowed or blocked. To configure, go to Advanced Settings > Download Protection > Unsupported Files. The settings selected here override the settings selected in the main page.

Additional Emulation Settings:

Emulation Environments

To define the maximum size of files that are sent for emulation, go to Advanced Settings > Download Protection > Emulation Environments.

To select the operating system images on which the emulation is run, go to Advanced Settings > Download Protection > Emulation Environments, and select one of these options:

  • Use Check Point recommended emulation environments

  • Use the following emulation environments - Select other images for emulation, that are closest to the operating systems for the computers in your organization

Override Default Files Actions

You can override the default actions for specific file types. Go to Advanced Settings > Threat Emulation > Override Default Files Actions > Edit.

In Override Default Files Actions, you can also see the current number of overrides.

Credential Protection

This protection includes two components:

Zero Phishing

Phishing prevention checks different characteristics of a website to make sure that a site does not pretend to be a different site and use personal information maliciously.

There are three configuration options for this protection:

  • Prevent - If the site is determined to be a phishing site, users cannot access the site. A log is created for each malicious site.

  • Detect - When a user uses a malicious site, a log is created.

  • Off - Phishing prevention is disabled.

For further configuration of the Zero Phishing protection, go to Advanced Settings > Credential Protection:

  • Allow user to dismiss the phishing alert and access the website - Users can select to use a site that was found to be malicious.

  • Send log on each scanned site - Send logs for each site that users visit, whether malicious or not.

  • Allow user to abort phishing scans - Users can stop the phishing scan before it is completed.

Password Reuse Protection

Alerts users not to use their corporate password in non-corporate domains.

You can configure password reuse protection using these options:

  • Prevent mode - Blocks the user from entering the corporate password and opens the blocking page in a new tab. If you enable Allow users to dismiss the password reuse alert and access the website, then it allows the user to dismiss the blocking page and continue to enter the corporate password.

  • Detect mode - The system does not block the user from entering the corporate password. If a user enters the corporate password, it is captured in the Harmony Browse logs.

  • Off - Disables password reuse protection.

For further configuration options for password reuse protection, go to Advanced Settings > Credential Protection > Password Reuse Protection > Edit > Protected Domains:

Add domains for which Password Reuse Protection is enforced. Harmony Endpoint keeps a cryptographically secure hash of the passwords used in these domains and compares them to passwords entered outside of the protected domains.
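
The hash comparison described above, shown as an added example that is not Check Point's implementation: the class name, the use of salted PBKDF2 and the sample domains in the comments are assumptions made for illustration.

```python
import hashlib
import hmac
import os

class PasswordReuseMonitor:
    """Hypothetical model: remember digests of passwords typed on protected
    domains and flag the same password when it is typed anywhere else."""

    def __init__(self, protected_domains, iterations=100_000):
        self.protected = {d.lower().strip(".") for d in protected_domains}
        self.salt = os.urandom(16)    # random salt, so digests cannot be matched against precomputed tables
        self.iterations = iterations  # assumption: PBKDF2-HMAC-SHA256 as the hash
        self.digests = []             # only digests are stored, never the password

    def _digest(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), self.salt, self.iterations
        )

    def is_protected(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        # Match the domain itself or a true subdomain, so a look-alike host
        # such as "corp.example.login.test" counts as non-corporate.
        return any(host == d or host.endswith("." + d) for d in self.protected)

    def observe(self, host: str, password: str) -> str:
        """Return 'learned' on a protected domain, else 'reuse' or 'ok'."""
        digest = self._digest(password)
        known = any(hmac.compare_digest(digest, d) for d in self.digests)
        if self.is_protected(host):
            if not known:
                self.digests.append(digest)
            return "learned"
        return "reuse" if known else "ok"

if __name__ == "__main__":
    monitor = PasswordReuseMonitor(["corp.example"])  # constructed domain
    print(monitor.observe("sso.corp.example", "S3cret-constructed"))
    print(monitor.observe("corp.example.login.test", "S3cret-constructed"))
```

In this model, a "reuse" result corresponds to the point where Prevent mode would open the blocking page and Detect mode would only write a log entry.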

Safe Search

Search Reputation

Search Reputation is a feature added to search engines that classifies search results based on the URL's reputation.

Notes:

  • It is supported only with the Google search engine.

  • To enable this feature, ensure that you set URL Filtering Mode to either Prevent or Detect.

When you enable this feature, the icon across the URL in the search results indicates the classification:

  • The website is safe.

  • The website is not safe.

  • The website is blocked by the Administrator.

Note - If the Search Reputation cannot classify a URL, then it does not display an icon across the URL. If you want such URLs to be classified and blocked, then enable the Uncategorized checkbox in URL Filtering > Categories > General Use. The Search Reputation classifies Uncategorized URLs as The website is blocked by the Administrator.

Force Safe Search

Force Safe Search is a feature in search engines that acts as an automated filter for potentially offensive and inappropriate content.

When Force Safe Search is on, it helps hide explicit content from the search results.

When Force Safe Search is off, the user sees the most relevant results for their search, which may include explicit content such as images depicting violence.

Main features:

  • When ‘Force Safe Search’ is on, Harmony Browse turns on Safe Search on the supported search engines.

  • Supported search engines are: Google, Bing and Yahoo.

  • Force Safe Search is off by default.

  • Force Safe Search is supported in the following browsers: Google Chrome, Microsoft Edge.

Files Protection

Protects the files on the file system. This protection has two components:

  • Anti-Malware Mode - Protection of your network from all kinds of malware threats, ranging from worms and Trojans to adware and keystroke loggers. Use Anti-Malware to manage the detection and treatment of malware on your endpoint computers.

    There are three configuration options for this protection:

    • Prevent - Protects your files from malware threats.

    • Detect - Detects the threats, so they appear in the logs, although the virus or malware is still executable. Use this mode with caution.

    • Off - No protection from malware.

    Notes -

    • Starting from E83.20 Endpoint Security client, Check Point certified the E2 client version (the Anti-Malware engine is based on Sophos as opposed to Kaspersky) for Cloud deployments.

    • The E1 Anti-Malware blade (Kaspersky) can scan these archive file formats:

      • ZIP

      • Z

      • LZIP

      • 7Z

      • RAR

      • ISO

      • CAB

      • JAR

      • BZIP2

      • GZIP

      • DMG

      • XAR

      • TAR

      • ACE

    • The E2 Anti-Malware blade (Sophos) can scan these archive file formats:

      • ZIP

      • Z

      • 7Z

      • RAR

      • ISO

      • CAB

      • JAR

      • BZIP2

      • GZIP

      • DMG

      • XAR

      • TAR

      • ACE

  • Files Threat Emulation Mode - Emulation of files on the system.

Advanced Settings for Files Protection

To configure the advanced settings for files protection, go to Advanced Settings > Files Protections.

General

  • Malware Treatment - The malware treatment options let you select what happens to malware that is detected on a client computer:

    • Quarantine file if cure failed - If Endpoint Security cannot repair the file, it is deleted and put in a secure location from where it can be restored if necessary.

    • Delete file if cure failed - If Endpoint Security cannot repair the file, it is deleted.

  • Riskware Treatment - Riskware is legal software that might be dangerous.

    • Treat as malware - Use the option selected for Malware.
    • Skip file - Do not treat riskware files.

    • Detect unusual activity - Use behavior detection methods to protect computers from new threats whose information was not added to the databases yet. It does not monitor trusted processes.

    • Enable reputation service for files, web resources & processes - Use cloud technologies to improve precision of scanning and monitoring functions. If you enable or disable this setting, it takes effect after the client computer restarts.

      Connection timeout - Change the maximum time to get a response from Reputation Services (in milliseconds). Default is 600.

      Note - If you decrease this value, it can improve the performance of the Anti-Malware component but reduces security, as clients might not get a reputation status that shows an item to be zero-day malware.

    • Enable web protection - Prevents access to suspicious sites and execution of malicious scripts. Scans files and packed executables transferred over HTTP, and alerts users if malicious content is found.

  • Mail Protection - Enable or disable scans of email messages when they are passed as files across the file system.

Signature

  • Signature Sources

  • Shared signature source - Get updates from a shared location on an Endpoint Security client that acts as a Shared Signature Server. This solution is designed for Virtual Desktop Infrastructure (VDI) environments, but can be used in other scenarios as well. It makes it possible to protect non-persistent virtual desktops in VDI environments. Each non-persistent virtual desktop runs an Endpoint Security client and gets Anti-Malware and Threat Prevention signatures from a shared folder on the Shared Signature Server, which is a persistent virtual machine.

    • Second Priority - Set a fallback update source to use if the selected update source fails. Select a different option than the first signature source.

    • Third Priority - Set a fallback update source to use if the other sources fail.

    Note - If only update from local Endpoint Servers is selected, clients that are disconnected from an Endpoint Security server cannot get updates.

  • Shared Signature Server - To set the server as a Shared Signature Server, select the Set as shared signature server checkbox and enter the local path of the folder. For example, C:\Signatures. For more information, see Shared Signatures Server.

Scan

Anti-Malware scans computers for malware at regular intervals to make sure that suspicious files are treated, quarantined, or deleted.

  • Perform Periodic Scan - Select one of these options to define the frequency of the scans:

    • Every Month - Select the day of the month on which the scan takes place and the Scan start hour.

    • Every Week - Select the day of the week on which the scan takes place and the Scan start hour.

    • Every Day - Select the scan start hour.

    Optional:

    • Randomize scan time - Mandatory for Virtual Desktop Infrastructure (VDI). Select this option to make sure that not all computers do a scan for malware at the same time. This makes sure that network performance is not affected by many simultaneous scans. In Start scan and End scan, specify the time range during which the scan can start and end.

    • Run initial scan after the Anti-Malware blades installation.

    • Allow user to cancel scan.

    • Prohibit cancel scan if more than days passed since last successful scan.