Getting Started with Anti-Bot and Anti-Virus

Anti-Bot and Anti-Virus Licensing and Contracts

Make sure that each gateway has a Security Gateway license and an Anti-Bot contract and/or Anti-Virus contracts. For clusters, make sure you have a contract and license for each cluster member.

New installations and upgraded installations automatically receive a 30 day trial license and updates. Contact your Check Point representative to get full licenses and contracts.

If you do not have a valid contract for a gateway, the Anti-Bot blade and/or Anti-Virus blade is disabled. When contracts are about to expire or have already expired, you will see warnings. Warnings show in:

The Messages and Actions section of the Overview pane of the Anti-Bot and Anti-Virus tab.
The Check Point User Center when you log in to your account.

SmartDashboard Toolbar

You can use the SmartDashboard toolbar to do these actions:

Icon	Description
	Open the SmartDashboard menu. When you are instructed to selected menu options, click this button first. For example, if you are instructed to select Manage > Users and Administrators, click this button to open the Manage menu and then select the Users and Administrators option.
	Save current policy and all system objects.
	Open a policy package, which is a collection of policies saved together with the same name.
	Refresh policy from the Security Management Server.
	Open the Database Revision Control window.
	Change global properties.
	Verify rule base consistency.
	Install the policy on Security Gateways or VSX Gateways.
	Open SmartConsoles.

Enabling the Anti-Bot and Anti-Virus Software Blades

Enable one or more of these Software Blades on a Security Gateway: Anti-Bot and Anti-Virus.

To enable the Software Blades:

In SmartDashboard, right-click the gateway object and select Edit.
The Gateway Properties window opens.
In Network Security tab, select Anti-Bot, Anti-Virus, or both of them.
The Anti-Bot and Anti-Virus First Time Activation window opens.
Select one of the activation mode options:
- According to policy - Enable the Anti-Bot and Anti-Virus Software Blades and use the profile settings in the Anti-Bot and Anti-Virus policy.
- Detect only - Packets are allowed, but the traffic is logged according to the settings in the Rule Base.
Click OK and then install the policy.

Check Point Information

To help improve Check Point Anti-Bot and Anti-Virus products, the Security Gateway automatically sends anonymous information about feature usage, infection details, and product customizations to Check Point. The Security Gateway does not collect, process, or send any personal data.

Participating in Check Point information collection is a unique opportunity for Check Point customers to be a part of a strategic community of advanced security research. Your participation in this network allows you to contribute data to Check Point for security research. This research aims to improve coverage, quality, and accuracy of security services and obtain valuable information for organizations.

Data Check Point Collects

When you enable information collection, the Check Point Security Gateway collects and securely submits event IDs, URLs, and external IPs to the Check Point Lab regarding potential security risks.

For example:

<entry engineType="3" sigID="-1" attackName="CheckPoint - Testing Bot" sourceIP="7a1ec646fe17e2cd" destinationIP="d8c8f142" destinationPort="80" host="www.checkpoint.com" path="/za/images/threatwiki/pages/TestAntiBotBlade.html" numOfAttacks="20" />

The above is an example of an event that was detected by a Check Point Security Gateway. It includes the event ID, URL, and external IP addresses. Note that the above data does not contain any confidential information or internal resource information. The source IP address is obscured. Information sent to the Check Point Lab is stored in an aggregated form.

You can disable information collection by clearing the Check Point Information checkbox in the Security Gateway object > Anti-Bot and Anti-Virus node window.

Creating an Anti-Bot and Anti-Virus Policy

Create and manage the policy for the Anti-Bot and Anti-Virus Software Blades in the Anti-Bot and Anti-Virus tab of SmartDashboard. The policy shows the profiles set for network objects or locations defined as a protected scope.

The Overview pane gives an overview of your policy and traffic.
The Policy pane contains your Rule Base, which is the primary component of your Anti-Bot and Anti-Virus policy. Click the Add Rule buttons to get started.
Look through the Threat Wiki to learn about malware and bots.

Creating Rules

Here are examples of how to create different types of rules.

Blocking Bots and Viruses

Scenario: I want to block bots and viruses in my organization. How can I do this?

To block bots and viruses in your organization:

In the Gateway properties page, select the Anti-Bot Software Blade and configure the activation setting to According to the Anti-Bot and Anti-Virus policy.
Select the Anti-Virus Security Gateway.
In the Anti-Bot and Anti-Virus tab of SmartDashboard, open the Policy pane.
Click one of the Add Rule toolbar buttons to add the rule in the position that you choose in the Rule Base. The first rule matched is applied.
Make a rule that includes these components:
- Name - Give the rule a name such as Block Bot and Virus Activity.
- Protected Scope - The list of network objects you want to protect. In this example, the Any network object is used.
- Action - The Profile that contains the protection settings you want. The default profile is Recommended_Profile.
- Track - The type of log you want to get when detecting malware on this scope. In this example, keep Log and also select Packet Capture to capture the packets of malicious activity. In SmartView Tracker, you will then be able to view the actual packets.
- Install On - Keep it as All or choose specified gateways to install the rule on.

Monitoring Bot Activity

Scenario: I want to monitor bot activity in my organization without blocking traffic at all. How can I do this?

To monitor all bot activity:

In the Anti-Bot and Anti-Virus tab of SmartDashboard, open the Policy pane.
Click one of the Add Rule toolbar buttons to add the rule in the position that you choose in the Rule Base. The first rule matched is applied.
Make a rule that includes these components:
- Name - Give the rule a name such as Monitor Bot Activity.
- Protected Scope - Keep Any so the rule applies to all traffic in the organization.
- Action - Right-click in the Action cell and select New Profile. Create a profile where all confidence level settings are configured to Detect.
  - Select the Performance Impact - In this example, Medium or lower. This profile will detect all protections that can be identified as an attack of some sort with low, medium or high confidence and have a medium or lower performance impact.
  - Set this profile as the Action for the rule.
- Track - Keep Log.
- Install On - Keep it as All or choose specified gateways to install the rule on.

Disabling a Protection on a Specified Server

Scenario: The protection Backdoor.Win32.Agent.AH detects malware on a server (Server_1). How can I disable this protection for this server only?

To add an exception to a rule:

In the Anti-Bot and Anti-Virus tab of SmartDashboard, open the Policy pane.
Click the rule that contains the scope of Server_1.
Click the Add Exception toolbar button to add the exception under the rule. The first exception matched is applied.
Make a rule exception that includes these components:
- Name - Give the exception a name such as Exclude.
- Scope - Change it to Server_1 so that it applies to all detections on the server.
- Protection - Click the plus sign in the cell to open the Protections viewer. Select the protection to exclude and click OK.
- Action - Keep it as Detect.
- Track - Keep it as Log.
- Install On - Keep it as All or choose specified gateways to install the rule on.

Name	Protected Scope	Protection	Action	Track
Monitor Bot Activity	Any	- n/a	Recommended_Profile	Log
Exclude	Server_1	Backdoor.Win32.Agent.AH	Detect	Log

Installing the Policy

The Anti-Bot and Anti-Virus Software Blades have a dedicated policy. The Anti-Bot and Anti-Virus policy installation is separate from the general policy installation of the other Software Blades.

This lets you update the Anti-Bot and Anti-Virus policy Rule Base as necessary according to newly discovered threats to receive immediate coverage. It also minimizes operational impact.

To install the Anti-Bot and Anti-Virus policy:

From the Anti-Bot and Anti-Virus tab > Policy pane, click Install Policy.
Select the relevant options:
- Install Anti-Bot & Anti-Virus Policy on all gateways - Installs the policy on all gateways enabled with Anti-Bot and Anti-Virus.
- Install Anti-Bot & Anti-Virus Policy on selected gateways - Select the relevant gateways.
- Install on each selected gateway independently - Enables you to install the policy on selected gateways. If you choose to install the policy on selected gateways, at the same time you can install on all gateway cluster members. This indicates that the installation process will verify that all cluster members can enforce the policy being installed.
- Install on all selected gateways, if it fails do not install on gateways of the same version - Enables you to install the policy on selected gateways or on all gateways.
Click OK.

Top of Page

Download Complete PDF

Send Feedback