Malware Detection

Overview

Malware Detection helps identify and prevent the spread of malicious content by scanning files and monitoring threat indicators using Check Point Malware engines. The system performs automated file scanning across SaaS services, allowing organizations to define custom scanning policies applied to specific users or groups. It helps prevent the spread of harmful files, reduces the risk of data breaches, and can automatically alert or remove infected files to maintain a secure environment.

File scanning is performed in near real-time and is triggered by:

• Adding a new file

• Editing an existing file

Supported Integrations:

• Box

• Dropbox

• Google Drive

• Microsoft SharePoint

• Microsoft OneDrive

• Jira

• Salesforce

• Slack

Prerequisites

Before creating Malware or DLP policies, ensure the following configurations are completed:

1. Integration Manager

   Connect the relevant SaaS service through the Integration Entity (SaaS application, plug-in, API key, and so on) that facilitate the integration of the host service with the linked service. Manager.

   To access Integration Manager:

   1. Click Integration Manager on the top right.

   2. Connect to the required integration (Box, Dropbox, Google Drive, etc.).

   3. Integrations with an active connection display a green checkmark.

      

2. Identity Provider (IdP) Configuration

   Attach your IdP configuration to sync users and groups for policy creation.

   Note - The IdP connection is established through Check Point's Identity and Trust. The initial configuration must be completed in Identity and Trust. For more information, see the Identity and Trust Administration Guide. The Settings page displays the existing IdP connection.

   To configure IdP:

   1. From the left menu, navigate to Settings.

   2. In the Identity Provider Integration section, select your IdP configuration.

   3. Click Refresh Sources to synchronize the IdP hierarchy.

   4. Click Sync now to synchronize users and groups.

      

3. Domains Configuration

   Add your organization's domains so SaaS can distinguish internal users from external ones for sharing purposes. Any domain you do not add to this list is automatically treated as external.

   Define organizational domains to identify external sharing.

   To configure domains:

   1. From the left menu, navigate to Settings.

   2. In the Domains Configuration section, click Add domain.

   3. Enter the domain names you want to define as internal.

   

Note - These prerequisites apply to both DLP and Malware detection features and need to be configured only once.

Malware Policy Management

The Malware Policy page is organized by service (Google Drive, Jira, Microsoft, Salesforce, etc.). Each service displays:

• Total number of rules

• Number of active rules

• A collapsed/expandable view of all rules

When expanded, each service shows a detailed table of existing rules:

Column	Description
#	Indicates the rule’s position in the evaluation order.
Rule name	Name of the Malware policy rule.
Applied to	Users or groups the policy applies to.
Actions	Action taken when malware is detected (Detect only, Delete)
Last modified	Date and time of the last rule modification.
Status	Toggle switch of the rule status (Active/Inactive).

Policy Execution Logic:

• Policies follow a first match rule - when a file matches multiple policies, only the first matching policy is executed.

• Policy order is critical and can be adjusted using drag and drop.

Available Actions:

• Create new - Create a new policy rule

• Edit - Modify an existing rule

• Delete - Remove a rule permanently

• Clone - Duplicate a rule (only within the same service)

• Export - Export policy configurations

• Drag and drop - Reorder policies to change execution priority

Creating a Malware Policy

To create a new Malware policy:

1. From the left menu, navigate to Policy > Malware.

2. Click Create new.

3. In the Create new Malware policy rule window that opens, select the service you want to monitor from:

   • All Integrations - Shows all available services.

   • Connected - Shows services with active integrations.

   • Not Connected - Shows supported services not yet integrated. To connect such service, click it and start the Integration Manager.

   The page for creating a new rule opens.

4. Configure the rule settings:

   1. Rule name - Enter a descriptive name for the rule.

   2. Description (optional) - Add additional context about the rule's purpose.

   3. Status - Set rule status (Default: Active).

   4. Scope - Specify which organizational areas this policy applies to:

      • Search and select specific user groups from your IDP

      • Entire organization

   5. Action - Choose what happens when malware is detected:

      • Detect only - Identify and report files with malware without taking action.

      • Remediate - Automatically delete files containing malware.

      Note - The Delete action is currently available only for Microsoft and Google services.

      

5. Optionally, you can copy settings from an existing rule.

   1. Click Import settings.

   2. Select an existing rule to copy its settings. This action imports only relevant settings and you have to configure manually the rule name, description, and action.

6. Click Create Rule to save and activate the policy. The new rule appears in the service's policy table.

Managing Policies

Select any rule or click the info icon (i) to open a side panel with the rule details:

• General information (Status, Created date, Last modified, Service Host service (platform, application, interface) that provides certain services to other services.).

• Description.

• Applied to (users/groups).

• Action configuration.

Editing a Policy:

• From the policy table, click Edit or open the side panel and click Edit.

• This opens the policy configuration screen in edit mode.

Activating/Deactivating a Policy:

• Toggle the Active/Inactive switch in the Status column or use the toggle in the side panel.

• Inactive policies are not enforced but remain configured.

Cloning a Policy:

• Click Clone to duplicate an existing rule.

• Cloning is only available within the same service (cannot clone across different services).

• Modify the cloned rule as needed.

Deleting a Policy:

• Click Delete to permanently remove a rule.

• Deleted policies cannot be recovered.

Reordering Policies:

• Use drag and drop to change the order of policies.

Important - Policies follow first match logic, so the order matters

 

For information on malware events, see File Protection Events.

For information on malware dashboard, see File Protection Dashboard.