Getting Started with Anti-Bot and Anti-Virus
Anti-Bot and Anti-Virus Licensing and Contracts
Make sure that each gateway has a Security Gateway license and an Anti-Bot contract and/or an Anti-Virus contract. For clusters, make sure you have a contract and a license for each cluster member.
New installations and upgraded installations automatically receive a 30 day trial license and updates. Contact your Check Point representative to get full licenses and contracts.
If you do not have a valid contract for a gateway, the Anti-Bot blade and/or Anti-Virus blade is disabled. When contracts are about to expire or have already expired, you will see warnings. Warnings show in:
- The Messages and Actions section of the Overview pane of the Anti-Bot and Anti-Virus tab.
- The Check Point User Center when you log in to your account.
SmartDashboard Toolbar
You can use the SmartDashboard toolbar to do these actions:
- Open the SmartDashboard menu. When you are instructed to select menu options, click this button first. For example, if you are instructed to select > , click this button to open the Manage menu and then select the Users and Administrators option.
- Save the current policy and all system objects.
- Open a policy package, which is a collection of policies saved together under the same name.
- Refresh the policy from the Security Management Server.
- Open the Database Revision Control window.
- Change global properties.
- Verify Rule Base consistency.
- Install the policy on Security Gateways or VSX Gateways.
- Open SmartConsoles.
Enabling the Anti-Bot and Anti-Virus Software Blades
Enable one or more of these Software Blades on a Security Gateway: Anti-Bot and Anti-Virus.
To enable the Software Blades:
- In SmartDashboard, right-click the gateway object and select .
The window opens.
- In tab, select , or both of them.
The window opens.
- Select one of the activation mode options:
- - Enable the Anti-Bot and Anti-Virus Software Blades and use the profile settings in the Anti-Bot and Anti-Virus policy.
- - Packets are allowed, but the traffic is logged according to the settings in the Rule Base.
- Click and then install the policy.
Check Point Information
To help improve Check Point Anti-Bot and Anti-Virus products, the Security Gateway automatically sends anonymous information about feature usage, infection details, and product customizations to Check Point. The Security Gateway does not collect, process, or send any personal data.
Participating in Check Point information collection is a unique opportunity for Check Point customers to be a part of a strategic community of advanced security research. Your participation in this network allows you to contribute data to Check Point for security research. This research aims to improve coverage, quality, and accuracy of security services and obtain valuable information for organizations.
Data Check Point Collects
When you enable information collection, the Check Point Security Gateway collects and securely submits event IDs, URLs, and external IPs to the Check Point Lab regarding potential security risks.
For example:
<entry engineType="3" sigID="-1" attackName="CheckPoint - Testing Bot" sourceIP="7a1ec646fe17e2cd" destinationIP="d8c8f142" destinationPort="80" host="www.checkpoint.com" path="/za/images/threatwiki/pages/TestAntiBotBlade.html" numOfAttacks="20" />
The above is an example of an event that was detected by a Check Point Security Gateway. It includes the event ID, URL, and external IP addresses. Note that the above data does not contain any confidential information or internal resource information. The source IP address is obscured. Information sent to the Check Point Lab is stored in an aggregated form.
You can disable information collection by clearing the checkbox in the object > node window.
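The entry above is the only concrete record format this page shows, so here is an added checker (not Check Point code) that parses such an entry and reports what a privacy review would look for: attributes beyond the documented set, a source IP that is not obscured, or a destination IP that is a private (internal) address. The attribute list and the sample entry are taken from the text; the second sample with leaked addresses is constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Attribute names that appear in the entry quoted in the text; anything else is reported.
ALLOWED_ATTRS = {
    "engineType", "sigID", "attackName", "sourceIP", "destinationIP",
    "destinationPort", "host", "path", "numOfAttacks",
}

# Constructed sample, reproducing the entry format shown in the text.
SAMPLE_ENTRY = (
    '<entry engineType="3" sigID="-1" attackName="CheckPoint - Testing Bot" '
    'sourceIP="7a1ec646fe17e2cd" destinationIP="d8c8f142" destinationPort="80" '
    'host="www.checkpoint.com" '
    'path="/za/images/threatwiki/pages/TestAntiBotBlade.html" numOfAttacks="20" />'
)


def plain_ip(value):
    """Return the parsed address if value is a literal IPv4/IPv6 address, else None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def check_entry(xml_text):
    """Return a list of findings for one <entry>; an empty list means it passes."""
    findings = []
    attrs = ET.fromstring(xml_text).attrib
    unexpected = sorted(set(attrs) - ALLOWED_ATTRS)
    if unexpected:
        findings.append("unexpected attributes: " + ", ".join(unexpected))
    # The source address is documented as obscured: a literal address is a finding.
    src = attrs.get("sourceIP", "")
    if plain_ip(src) is not None:
        findings.append(f"sourceIP sent in clear: {src}")
    # The destination is external by design; a private address would mean an
    # internal resource is being reported.
    dst = plain_ip(attrs.get("destinationIP", ""))
    if dst is not None and dst.is_private:
        findings.append(f"destinationIP is an internal address: {dst}")
    return findings
```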
Creating an Anti-Bot and Anti-Virus Policy
Create and manage the policy for the Anti-Bot and Anti-Virus Software Blades in the Anti-Bot and Anti-Virus tab of SmartDashboard. The policy shows the profiles set for network objects or locations defined as a protected scope.
- The Overview pane gives an overview of your policy and traffic.
- The Policy pane contains your Rule Base, which is the primary component of your Anti-Bot and Anti-Virus policy. Click the Add Rule buttons to get started.
- Look through the Threat Wiki to learn about malware and bots.
Creating Rules
Here are examples of how to create different types of rules.
Blocking Bots and Viruses
Scenario: I want to block bots and viruses in my organization. How can I do this?
To block bots and viruses in your organization:
- In the Gateway properties page, select the Software Blade and configure the activation setting to .
- Select the Security Gateway.
- In the tab of SmartDashboard, open the pane.
- Click one of the toolbar buttons to add the rule in the position that you choose in the Rule Base. The first rule matched is applied.
- Make a rule that includes these components:
- - Give the rule a name such as .
- The list of network objects you want to protect. In this example, the network object is used.
- The Profile that contains the protection settings you want. The default profile is .
- The type of log you want to get when detecting malware on this scope. In this example, keep and also select to capture the packets of malicious activity. In SmartView Tracker, you will then be able to view the actual packets.
- - Keep it as or choose specified gateways to install the rule on.
Monitoring Bot Activity
Scenario: I want to monitor bot activity in my organization without blocking traffic at all. How can I do this?
To monitor all bot activity:
- In the tab of SmartDashboard, open the pane.
- Click one of the toolbar buttons to add the rule in the position that you choose in the Rule Base. The first rule matched is applied.
- Make a rule that includes these components:
- - Give the rule a name such as .
- Keep so the rule applies to all traffic in the organization.
- Right-click in the Action cell and select . Create a profile where all confidence level settings are configured to .
- Select the - In this example, . This profile will detect all protections that can be identified as an attack of some sort with low, medium or high confidence and have a medium or lower performance impact.
- Set this profile as the for the rule.
- Keep .
- - Keep it as or choose specified gateways to install the rule on.
Disabling a Protection on a Specified Server
Scenario: The protection Backdoor.Win32.Agent.AH detects malware on a server (Server_1). How can I disable this protection for this server only?
To add an exception to a rule:
- In the tab of SmartDashboard, open the pane.
- Click the rule that contains the scope of Server_1.
- Click the toolbar button to add the exception under the rule. The first exception matched is applied.
- Make a rule exception that includes these components:
- - Give the exception a name such as .
- Change it to so that it applies to all detections on the server.
- - Click the plus sign in the cell to open the Protections viewer. Select the protection to exclude and click .
- Keep it as .
- - Keep it as .
- - Keep it as or choose specified gateways to install the rule on.
| Name | Protected Scope | Protection | Action | Track |
| --- | --- | --- | --- | --- |
| Monitor Bot Activity | Any | n/a | Recommended_Profile | Log |
| Exclude | Server_1 | Backdoor.Win32.Agent.AH | Detect | Log |
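To make the matching order used by the three scenarios above explicit (the first rule whose Protected Scope matches is applied, and within that rule the first matching exception overrides the profile), here is an added model of the rule and exception from the table. It is illustrative code, not Check Point's enforcement engine; the profile's per-protection action ("Prevent" for Recommended_Profile) and the host and protection names other than Server_1 and Backdoor.Win32.Agent.AH are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ANY = "Any"  # the Any object: matches every host (scope) or every protection


@dataclass
class RuleException:
    name: str
    protected_scope: str   # host name or ANY
    protection: str        # protection name or ANY
    action: str            # e.g. "Detect"


@dataclass
class Rule:
    name: str
    protected_scope: str
    profile: str           # profile shown in the Action cell
    profile_action: str    # assumed: what the profile does for a matched protection
    exceptions: List[RuleException] = field(default_factory=list)


def in_scope(scope: str, host: str) -> bool:
    return scope == ANY or scope == host


def evaluate(rule_base: List[Rule], host: str,
             protection: str) -> Tuple[Optional[str], Optional[str], str]:
    """First matching rule wins; within it, the first matching exception
    overrides the profile. Returns (rule name, exception name or None, action)."""
    for rule in rule_base:
        if not in_scope(rule.protected_scope, host):
            continue
        for exc in rule.exceptions:
            if in_scope(exc.protected_scope, host) and exc.protection in (ANY, protection):
                return rule.name, exc.name, exc.action
        return rule.name, None, rule.profile_action
    return None, None, "no match"


# The two rows of the table above: one rule carrying one exception.
# "Prevent" is an assumed profile action so that the override is visible.
RULE_BASE = [
    Rule("Monitor Bot Activity", ANY, "Recommended_Profile", "Prevent", exceptions=[
        RuleException("Exclude", "Server_1", "Backdoor.Win32.Agent.AH", "Detect"),
    ]),
]

if __name__ == "__main__":
    # Constructed host and protection names for the non-excepted cases.
    for host, prot in [("Server_1", "Backdoor.Win32.Agent.AH"),
                       ("Server_1", "Trojan.Constructed"),
                       ("Workstation_7", "Backdoor.Win32.Agent.AH")]:
        print(host, prot, "->", evaluate(RULE_BASE, host, prot))
```

The exception only changes the outcome for Server_1 and that one protection; the same protection on another host, or another protection on Server_1, still gets the profile's action.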
Installing the Policy
The Anti-Bot and Anti-Virus Software Blades have a dedicated policy. The Anti-Bot and Anti-Virus policy installation is separate from the general policy installation of the other Software Blades.
This lets you update the Anti-Bot and Anti-Virus Rule Base as needed in response to newly discovered threats and get immediate coverage, while minimizing operational impact.
To install the Anti-Bot and Anti-Virus policy:
- From the tab > pane, click .
- Select the relevant options:
- Installs the policy on all gateways enabled with Anti-Bot and Anti-Virus.
- - Select the relevant gateways.
- - Enables you to install the policy on selected gateways. If you install the policy on selected gateways, you can also install it on all members of a gateway cluster at the same time. The installation process then verifies that all cluster members can enforce the policy being installed.
- - Enables you to install the policy on selected gateways or on all gateways.
- Click .