Web & Files Protection
This category includes URL Filtering, Download (web) Emulation & Extraction, Credential Protection, Safe Search and Files Protection.
URL Filtering
URL Filtering rules define which sites you can access in your organization. The URL Filtering policy is composed of the selected sites and the mode of operation applied to them.
To create the URL Filtering policy:
Go to Policy > Threat Prevention > Policy Capabilities.
In the Capabilities & Exclusions pane, select Web & Files Protection.
In the Web & Files Protection tab, scroll down to URL Filtering.
Select the URL Filtering Mode of operation:
Prevent - Currently supported only in Hold mode. The request to enter a site is suspended until a verdict regarding the site is received.
Detect - Allows access even if a site is determined as malicious, but logs the traffic.
Off - URL Filtering is disabled.
Select the categories to which the URL Filtering policy applies:
Go to Web & Files Protection > Advanced Settings > URL Filtering > Categories.
Select the required categories:
Bandwidth Consumption
Media Streams
File Storage and Sharing
P2P File Sharing
Media Sharing
General Use
Computers / Internet
Education
Entertainment
Financial Services
Government / Military
Greeting Cards
Health
Political / Legal
Job Search / Careers
News / Media
Newsgroups / Forums
Uncategorized
Real Estate
Recreation
Religion
Restaurants / Dining / Food
Sex Education
Shopping
Alcohol & Tobacco
Art / Culture
Blogs / Personal Pages
Business / Economy
Software Downloads
Sports
Translation
Travel
Vehicles
Fashion
Non-profits & NGOs
General
Nature / Conservation
URL Filtering
Lifestyle
Lingerie and Swimsuit / Suggestive
Very Low Risk
Low Risk
Email
Web Advertisements
Search Engines / Portals
Legal Liability / Regulatory Compliance
Gambling
Hacking
Hate / Racism
Illegal / Questionable
Illegal Drugs
Nudity
Pornography
Tasteless
Violence
Weapons
Sex
Child Abuse
Marijuana
Productivity
Personals / Dating
Instant Messaging
Games
Social Networking
Instant Chat Service
Phishing
Spyware / Malicious Sites
Botnets
Spam
Inactive Sites
Suspicious Content
Medium risk
High risk
Critical risk
Anonymizer
Note: For each category, click Edit to see the sub-categories you can select. You can select either the whole category or some of its sub-categories, as required. Click OK.
(Optional) You can select specific URLs to which access is denied. See Deny List.
Configure Network URL Filtering:
To verify and filter all the URLs accessed by an application or a process, select Enable Network URL Filtering. If this option is not selected, the URL filtering is applied only to the URLs accessed through a browser.
To disable Endpoint Security client notifications for network URL filtering, select Disable Network URL filtering pop-up notifications if they originate from a browser session.
Note: This option is applicable only when the Endpoint Security Browser extension is installed in the client device.
The selected mode of operation now applies to the selected categories. The user can access any site which was not selected in one of the categories or which was not in the Deny List.
Allow user to dismiss the URL Filtering alert and access the website - This option is selected by default. It lets users access a site determined as malicious if they think that the verdict is wrong. To configure it, go to Advanced Settings > URL Filtering.
Deny List
You can add specific URLs or domains to the Deny List which blocks the users from accessing them. These URLs/domains will be blocked automatically, while other traffic will be inspected by the URL Filtering rules.
You can add the URLs/domain names manually or upload a CSV file with the URLs/domain names you want to include in the deny list.
To add a URL to the Deny List:
Go to Advanced Settings > URL Filtering > Deny List > Edit.
In the URLs pane, for each required URL, enter the URL and click the + sign. Click OK.
You can use * and ? as wildcards for the deny list.
* is supported with any string. For example: A* can be ADomain or AB or AAAA.
? is supported with another character. For example, A? can be AA or AB or Ab.
To search for a URL:
Go to Advanced Settings > URL Filtering > Deny List > Edit.
In the search box, enter the required URL. The search results appear in the URLs pane. You can edit or delete the URL.
To import URLs from an external source:
Go to Advanced Settings > URL Filtering > Deny List > Edit.
Next to the search box, click the sign (import domains list from a CSV file).
Find the required file and click Open.
Click OK.
To export a list of URLs from the Endpoint Security Management Server to an external source:
Go to Advanced Settings > URL Filtering > Deny List > Edit.
Next to the search box, click the sign (export domains list to a CSV file).
Click OK.
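The wildcard rules and the CSV import described above can be checked offline before a list is uploaded. This is an added example, not Check Point code: it assumes a CSV with one entry in the first column, case-insensitive whole-string matching, and that * may also match an empty string, none of which the page specifies. The function names and sample data are hypothetical.

```python
import csv
import io
import re

def to_regex(pattern):
    """Deny-list wildcards per the page: '*' = any string, '?' = one character."""
    out = []
    for ch in pattern.strip().lower():
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(out))

def matches(pattern, candidate):
    # Assumptions: whole-string, case-insensitive match; '*' may match nothing.
    return to_regex(pattern).fullmatch(candidate.strip().lower()) is not None

def lint_deny_list(csv_text, must_stay_reachable=()):
    """Return (entries, findings) for a CSV with one entry in the first column."""
    entries, findings = [], []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or not row[0].strip():
            continue
        entry = row[0].strip().lower()
        if entry in entries:
            findings.append(("duplicate", entry))
            continue
        if not entry.strip("*"):
            findings.append(("matches-everything", entry))
        entries.append(entry)
    for entry in entries:
        is_literal = not (set("*?") & set(entry))
        for other in entries:
            # A literal entry already covered by a wildcard entry is redundant.
            if is_literal and other != entry and matches(other, entry):
                findings.append(("shadowed", entry, other))
        for url in must_stay_reachable:
            # A wildcard that also hits a site the business needs is too broad.
            if matches(entry, url):
                findings.append(("blocks-required-site", entry, url))
    return entries, findings

# Constructed sample data, not taken from the product or the page.
SAMPLE_CSV = """bad-cdn.example
*.bad-cdn.example
login?.phish.example
BAD-CDN.example
*share.example
files.bad-cdn.example
"""
REQUIRED = ["intranet.corp.example", "docs.fileshare.example"]

if __name__ == "__main__":
    for finding in lint_deny_list(SAMPLE_CSV, REQUIRED)[1]:
        print(finding)
```

On the sample, the entry *share.example is flagged because it also matches docs.fileshare.example, a site listed as required.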
Download (Web) Emulation & Extraction
Endpoint Security browser protects against malicious files that you download to your device. For the browsers supported with the Endpoint Security Browser extension, see Browse Security Administration Guide.
Threat Emulation detects zero-day and unknown attacks. Files on the endpoint computer are sent to a sandbox for emulation to detect evasive zero-day attacks. The following file types are supported:
Threat Emulation Supported File Types
7z aspx[3] app[1] arj bat bz2 CAB csv com cpl dll doc docx dot dotx dotm docm dmg[1] dylib[1] exe gz hwp iso img[1] iqy jar lnk msi[1] msg[1] O[1] one[2] pif pdf pkg[1] ppt pptx pps pptm potx potm ppam ppsx ppsm ps1 qcow2[1] rar rtf sh[1] scr sldx sldm slk swf tar tbz2 tbz tb2 tgz udf uue wim wsf[2] xar[2] xlt xls xlsx xlm xltx xlsm xltm xlsb xla xlam xll xlw xz zip
[1] These file types are supported only with Endpoint Security Client version E87.40 and higher.
[2] These file types are supported only with Endpoint Security Client version E87.60 and higher.
[3] These file types are supported only with Endpoint Security Client version E88.10 and higher.
Threat Extraction proactively protects users from malicious content. It quickly delivers safe files while the original files are inspected for potential threats.
To see the list of file types which are supported by Threat Emulation and Threat Extraction:
Go to Policy > Threat Prevention > Policy Capabilities.
In the Capabilities & Exclusions pane, select Web & Files Protection.
In the Web & Files Protection tab, go to Advanced Settings > Threat Emulation > Override Default File Actions > Edit.
These are the configuration options for supported file types:
Prevent - Send files for emulation and extraction. For further configuration for supported files, go to Advanced Settings > Supported Files:
Get extracted copy before emulation completes - You can select one of these two options. The system appends .cleaned to the file name. For example, xxx.cleaned.
Extract potential malicious elements - The file is sent in its original file type but without malicious elements. Select which malicious parts to extract. For example, macros, Java scripts and so on.
Convert to PDF - Converts the file to PDF, and keeps text and formatting.
Tip: Best Practice - If you use PDFs in right-to-left languages or Asian fonts, preferably select Extract files from potential malicious parts to make sure that these files are processed correctly.
Suspend download until emulation completes - The user waits for Threat Emulation to complete. If the file is benign, the gateway sends the original file to the user. If the file is malicious, the gateway presents a Block page and the user does not get access to the file. This option gives you more security, but may cause time delays in downloading files. The system downloads the file with the original file name.
Emulate original file without suspending access - The gateway sends the original file to the user (even if it turns out eventually that the file is malicious).
Allow - All supported files are allowed without emulation. This setting overrides the Prevent setting selected in the main page.
Detect - Emulates original file without suspending access to the file and logs the incident. The file is blocked if it is malicious or blocked by file extension (Advanced Settings > Download Protection). If not, the file is downloaded before the emulation is complete.
Off - Allow file. No emulation or extraction is done. The download of all supported files is allowed.
Unsupported Files
File types which are not supported by Threat Emulation and Threat Extraction.
Unsupported file types can be allowed or blocked. To configure, go to Advanced Settings > Download Protection > Unsupported Files. The settings selected here override the settings selected in the main page.
Additional Emulation Settings: Emulation Environments
To define the maximum size of files that are sent for emulation, go to Advanced Settings > Download Protection > Emulation Environments and specify the file size for Upload and emulate files under.
To select the operating system images on which the emulation is run, go to Advanced Settings > Download Protection > Emulation Environments, and select one of these options:
Use Check Point recommended emulation environments
Use the following emulation environments - Select other images for emulation that are closest to the operating systems for the computers in your organization. This is supported only if configured from SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on).
Override Default Files Actions
Endpoint Security allows you to override the default file action for the supported and unsupported files.
To override the default file actions, navigate to Advanced Settings > Download Protection > Override default file actions (download).
To override the file action for supported files:
In the Supported Files section, click Edit.
Select the File action and Extraction Mode.
Click OK.
To override the file action for unsupported files:
In the Unsupported Files section, click Edit.
To add a file type, click and enter the File type.
To edit a file type, select the file type and click.
To delete a file type, select the file type and click.
Select the Download action for the file:
Default - The action specified in Unsupported Files.
Allow
Block
(Optional) In the Comments field, enter a comment.
Click OK.
Custom Settings Download Emulation and Extraction
Block downloads when emulation fails due to size limit or connectivity problem - Select the checkbox to block download of a file if the Threat Emulation of the file fails due to technical reasons, such as file size limit, no internet connectivity and invalid licenses.
Block downloads when emulation fails due to file encryption - Select the checkbox to block download of a file if the Threat Emulation of the file fails to extract the file due to the file encryption.
Credential Protection
To configure the credential protection policy:
Go to Policy > Threat Prevention > Policy Capabilities.
In the Capabilities & Exclusions pane, select Web & Files Protection.
In the Web & Files Protection tab, scroll down to Credential Protection.
This protection includes two components:
Zero Phishing
Phishing prevention checks different characteristics of a website to make sure that a site does not pretend to be a different site and use personal information maliciously.
There are three configuration options for this protection:
Prevent - If the site is determined to be a phishing site, users cannot access the site. A log is created for each malicious site.
Detect - When a user uses a malicious site, a log is created.
Off - Phishing prevention is disabled.
For further configuration of the Zero Phishing protection, go to Advanced Settings > Credential Protection:
Allow user to dismiss the phishing alert and access the website - Users can select to use a site that was found to be malicious.
Send log on each scanned site - Send logs for each site that users visit, whether malicious or not.
Allow user to abort phishing scans - Users can stop the phishing scan before it is completed.
Scan local HTML files - By default, the Endpoint Security extension in Chromium-based browsers (Chrome, Microsoft Edge, and Brave) cannot access the local HTML files opened by the browser to scan them for phishing attacks. This setting prompts users to grant permission to Chromium-based browsers to access and scan local HTML files on your PC.
Note: You can customize the prompt page. For more information, see Customized Browser Block Pages.
This feature is not supported with Safari and Internet Explorer browser extensions.
This feature is supported with the Endpoint Security Client version E86.50 and higher.
To grant permission to access and scan the local HTML files:
When a user opens a local HTML file, the Browse Security request access to file URLs prompt appears.
Click Click to copy.
Paste the copied path in the address bar of the Chrome browser and press Enter.
Scroll down and turn on Allow access to file URLs.
If the HTML file has an input field, Browse Security scans the file and blocks it, if identified as phishing.
Disable notifications - Allows you to disable the browser zero-phishing scan notification that appears when users try to enter in an input field.
Note: Only the notification is disabled; the browser zero-phishing scan is still performed in the background, as indicated by the yellow highlight around the input field.
Password Reuse Protection
Alerts users not to use their corporate password in non-corporate domains.
To set the Password Reuse mode:
Go to Policy > Threat Prevention > Policy Capabilities.
Select the rule (the set of traffic parameters and other conditions in a Rule Base, or Security Policy, that cause specified actions to be taken for a communication session).
In the Capabilities & Exclusions pane, select Web & Files Protection.
In the Web & Files Protection tab, scroll down to Credential Protection.
In the Credential Protection section, under Password Reuse, select a mode:
Prevent mode - Blocks the user from entering the corporate password and opens the blocking page in a new tab. If you enable Allow users to dismiss the password reuse alert and access the website, then it allows the user to dismiss the blocking page and continue to enter the corporate password.
Detect & Alert - Blocks the user from entering the corporate password and opens the blocking page in a new tab and allows the user to dismiss the blocking page and continue to enter the corporate password.
Note: This option is available only in older releases of Endpoint Security. In the newer releases, it is deprecated by Prevent mode.
If you enable this option, then Endpoint Security automatically disables Allow users to dismiss the password reuse alert and access the website.
Detect mode - The system does not block the user from entering the corporate password. If a user enters the corporate password, it is captured in the logs.
Off - Turns off password reuse protection.
For Advanced Settings, see Credential Protection.
For further configuration options for password reuse protection, click Edit > Protected Domains:
Add domains for which Password Reuse Protection is enforced. Endpoint Security keeps a cryptographically secure hash of the passwords used in these domains and compares them to passwords entered outside of the protected domains.
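A conceptual model of the hash comparison and the Prevent, Detect and Off modes described above, as an added example that is not Check Point's implementation. The class name, the choice of salted PBKDF2, the subdomain matching rule and the sample hosts are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

class PasswordReuseMonitor:
    """Toy model: remember only hashes of passwords typed on protected domains."""

    def __init__(self, protected_domains, mode="prevent", iterations=200_000):
        self.protected = {d.lower() for d in protected_domains}
        self.mode = mode                  # "prevent", "detect" or "off"
        self.iterations = iterations      # PBKDF2 work factor (assumption)
        self.salt = os.urandom(16)        # per-device random salt (assumption)
        self.known = set()                # digests only, never the password
        self.log = []

    def _is_protected(self, host):
        # Exact host or a true subdomain; "corp.example.evil.test" does not count.
        host = host.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in self.protected)

    def _digest(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   self.salt, self.iterations)

    def on_password_entered(self, host, password):
        """Return "allow" or "block" for a password typed into a page on host."""
        if self.mode == "off":
            return "allow"
        digest = self._digest(password)
        if self._is_protected(host):
            self.known.add(digest)        # learn the corporate password's hash
            return "allow"
        reused = any(hmac.compare_digest(digest, k) for k in self.known)
        if not reused:
            return "allow"
        self.log.append((host, self.mode))  # the event is logged, not the password
        return "block" if self.mode == "prevent" else "allow"

def demo(mode):
    # Constructed hosts and password, for illustration only.
    monitor = PasswordReuseMonitor(["corp.example"], mode=mode, iterations=1_000)
    verdicts = [
        monitor.on_password_entered("sso.corp.example", "Winter-Harbor-42"),
        monitor.on_password_entered("corp.example.login-portal.test", "Winter-Harbor-42"),
        monitor.on_password_entered("shop.test", "a-different-password"),
    ]
    return verdicts, monitor.log

if __name__ == "__main__":
    for mode in ("prevent", "detect", "off"):
        print(mode, demo(mode))
```

The second host in the demo embeds the protected domain name as a prefix but is not a subdomain of it, so the same password typed there counts as reuse.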
Safe Search
Safe Search includes Search Reputation and Force Safe Search.
Search Reputation
Search Reputation is a feature added to search engines that classifies search results based on each URL's reputation.
It is supported only with Google, Bing, and Yahoo search engines.
To enable this feature, ensure that you set URL Filtering Mode to either Prevent or Detect.
To set the Search Reputation mode:
Go to Policy > Threat Prevention > Policy Capabilities.
Select the rule.
In the Capabilities & Exclusions pane, select Web & Files Protection.
In the Web & Files Protection tab, scroll down to the Search Reputation section and select a mode:
On - Turns on the feature.
Off - Turns off the feature.
When you enable this feature, the icon next to each URL in the search results indicates its classification:
| Icon | Classification |
|---|---|
| (icon not shown) | The website is safe. |
| (icon not shown) | The website is not safe. |
| (icon not shown) | The website is blocked by the Administrator. |
Force Safe Search
Force Safe Search is a feature in search engines that acts as an automated filter for potentially offensive and inappropriate content.
To set the Force Safe Search mode:
Go to Policy > Threat Prevention > Policy Capabilities.
Select the rule.
In the Web & Files Protection tab, under Force Safe Search, select a mode:
On - Hides explicit content from the search results.
Off - Users see the most relevant results for their search, which may include explicit content such as violent images.
Main features:
When ‘Force Safe Search’ is on, Browse Security turns on Safe Search on the supported search engines.
It is supported with Google, Bing, and Yahoo search engines.
Force Safe Search is off by default.
Force Safe Search is supported with Google Chrome, and Microsoft Edge browsers.
Files Protection
Protects the files on the file system.
To configure the Files Protection policy:
Go to Policy > Threat Prevention > Policy Capabilities.
In the Capabilities & Exclusions pane, select Web & Files Protection.
In the Web & Files Protection tab, scroll down to Files Protection.
This protection has two components:
Anti-Malware Mode
Protection of your network from all kinds of malware threats, ranging from worms and Trojans to adware and keystroke loggers.
Use Anti-Malware to manage the detection and treatment of malware on your endpoint computers. Anti-Malware is a component on Endpoint Security Windows clients that protects clients from known and unknown viruses, worms, Trojan horses, adware, and keystroke loggers.
There are three configuration options for this protection:
Prevent - Protects your files from malware threats.
Detect - Detects the threats, so they appear in the logs, although the virus or malware is still executable. Use this mode with caution.
Off - No protection from malware.
The E1 Anti-Malware blade can scan these archive file formats:
ZIP Z LZIP 7Z RAR ISO CAB JAR BZIP2 GZIP DMG XAR TAR ACE
The E2 DHS Anti-Malware blade can scan these archive file formats:
ZIP Z 7Z RAR ISO CAB JAR BZIP2 GZIP DMG XAR TAR ACE
Files Threat Emulation Mode
Emulation of files on the system.
There are three configuration options for this protection:
Prevent - Detects a malicious file, logs the event and deletes the file.
Detect - Detects a malicious file and logs the event.
Off - Files Threat Emulation mode is off. Does not run the Threat Emulation on the file.
This is supported with Endpoint Security client version E86.80 and higher.