Managing Threat Prevention

In This Section: Threat Prevention Blade Control Threat Prevention Exceptions Infected Hosts IPS Protections List Threat Prevention Engine Settings Anti-Spam Blade Control Anti-Spam Exceptions

This section describes how to set up and manage the Intrusion Prevention System (IPS), Anti-Virus, Anti-Bot, Threat Emulation, and Anti-Spam blades.

Threat Prevention Blade Control

In the Threat Prevention > Threat Prevention Blade Control page you can activate:

• Intrusion Prevention System (IPS). This blocks potentially malicious attempts to exploit known vulnerabilities in files and network protocols.
• Anti-Virus. This blocks potentially malicious files that are infected with viruses.
• Anti-Bot. This detects bots, prevents communication between the bot and its Command & Control center, and gives threat visibility. A bot is malicious software that can infect your computer with malware. A bot infected computer can then be used by a Command & Control server to execute different types of attacks (send out SPAM messages or Denial-of-Service attacks against web sites). There are many infection methods. These include if you open attachments that exploit a vulnerability and access a web site that results in a malicious download.
• Threat Emulation. This gives networks protection against unknown threats in files that are downloaded from the Internet or attached to emails. When emulation is done on a file, the file is opened on more than one virtual computer with different operating system environments. These virtual computers are closely monitored for unusual and malicious behavior. Any malicious behavior is immediately logged and you can use Prevent mode to block the file from the internal network. Information about malicious files is shared with Check Point ThreatCloud.

  Note - Anti-Virus, Anti-Bot, and Threat Emulation malware policy are configured in the same place.

You can activate the blades to prevent such attacks/infection or set them to detect-mode only. The top of the page shows the number of infected hosts. For more information, click More details. The number of Anti-Virus, Anti-Bot and Threat Emulation malwares and the number of IPS attacks is shown next to the On/Off switch for each blade. You can also use logs to understand if your system is experiencing attack attempts. See the Logs & Monitoring > Security Logs page.

Check Point uses a large database of signature based protections and this page lets you use a default recommended policy. You can edit the policies and configure an IPS policy and Anti-Virus, Anti-Bot, and Threat Emulation policy that maximizes connectivity and security in your environment. Each policy represents a different profile of protections based on their severity, performance impact, and confidence level.

To enable/disable the IPS, Anti-Virus, Anti-Bot, or Threat Emulation blade:

1. Select On or Off.
2. Click Apply.

Note - When the blade is managed by Cloud Services, a lock icon is shown. You cannot toggle between the on and off states. If you change other policy settings, the change is temporary. Any changes made locally are overridden in the next synchronization between the gateway and Cloud Services.

IPS

To configure the IPS Policy:

1. In the IPS section, click Edit.
2. Select one of these options:
   • Strict - A protection profile that focuses on security.
   • Typical - A protection profile most suitable for small/medium sized businesses that gives the best mixture of security and performance. This is the default option.
   • Custom - A protection profile that you can manually define.

To configure a Custom IPS Policy:

The levels for each protection are defined by the Check Point IPS service:

• Severity - How critical is the potential threat.
• Confidence-level - Protections with a lower confidence-level provide protection against a wide variety of attack vectors. There is a risk of more false-positives.
• Performance impact - How the appliance performance is affected by activating these protections.

1. Select which type of protections to activate:
   • Client protections
   • Server protections - If your environment does not include any servers within the organization that are accessible from the Internet you might want to clear this option.
2. Select which protections are deactivated based on each of the protections parameters based on one or more of these levels:
   • Disable protections with severity X or below - You can decide the level of severity under which protections are not activated. Choose between low, medium, high, critical.
   • Disable protections with confidence-level X or below - You can decide the level of confidence-level under which protections are not activated. Choose between low, medium-low, medium, medium-high, and high.
   • Disable protections with performance impact X or above - You can decide the level of performance impact over which protections are not activated. Select one of these options: very low, low, medium, and high.
3. Select Disable Protocol Anomalies if you want to disable protections against protocol anomalies.

   Most of the IPS protections protect against malicious attempts to exploit vulnerabilities but there are other types of protections:

   • Protocol anomalies - Protections of this type detect and block irregularities in protocols. Such irregularities do not necessarily indicate a malicious attempt but many malicious attempts use such irregularities.
   • Protocol control - Protections of this type detect and block usage of protocol or files. They let you block those specified protocols or files based on your organization's policy. This is a form of access control within the IPS blade. Protocol control protections are not activated automatically by the IPS policy. You can see them and manually activate each one based on your organization's policy through the Threat Prevention > IPS Protections page.
4. Alternatively, you can set all the policy parameters to be the same as the built in strict or typical profiles and then make manual adjustments using the steps above. Select Load default settings and the appropriate profile.
5. Click Apply.

Anti-Virus, Anti-Bot, and Threat Emulation share the same malware policy.

The Anti-Virus, Anti-Bot, and Threat Emulation policy is also based on a set of activated protections and instructions for how to handle traffic inspection that matches activated protections. Protections help manage the threats against your network. For more information about protections, see the Check Point ThreatWiki. You can access it from a link on the Threat Prevention > Engine Settings page.

Set protection activation based on these protection criteria:

• Confidence level - The confidence level is how confident the Software Blade is that recognized attacks are actually a virus, or bot traffic, or malicious files . Some attack types are more subtle than others and legitimate traffic can sometimes be mistakenly recognized as a threat. The confidence level value shows how well protections can correctly recognize a specified attack. The higher the Confidence level of a protection, the more confident Check Point is that recognized attacks are indeed attacks. Lower Confidence levels indicate that some legitimate traffic may be identified as an attack.
• Protection action - The action enforced on the matching traffic. Notifications for these actions are set based on to the defined tracking option (none, logged, or logged with an alert).
  • Prevent - Blocks identified virus or bot traffic, or identified malicious files, from passing through the gateway.
  • Detect - Allows identified virus or bot traffic, or identified malicious files, to pass through the gateway, but detects it and logs it.
  • Ask - Traffic is blocked until the user confirms that it is allowed. To customize the user message, see the Threat Prevention > Engine Settings page.
  • Inactive - The protection is deactivated.
• Performance impact - Indicates the impact level on Security Gateway performance.

To configure the Anti-Virus, Anti-Bot or Threat Emulation Policy:

1. In the relevant section, click Edit.
2. For each confidence level (High confidence, Medium confidence, and Low confidence), select the applicable action from the list (prevent, detect, ask, or inactive).
3. In Performance impact, select the allowed impact level (Low, Medium or lower, or High or lower).
4. In Tracking options, select one of these options:
   • None - Do not log.
   • Log - Create a log.
   • Alert - Log with an alert.
5. If it is necessary to restore the policy default values, click Reset to defaults.
6. Click Apply.

Updates

As service based blades, it is necessary to schedule the interval at which updates are downloaded.

To schedule updates:

1. Click the Schedule link at the bottom of the page. You can also hover over the icon next to the update status and select the link from there.
2. Select the blades to schedule updates. You must manually update the other blades when new update packages are available (see the Not up to date message in the status bar).
3. Select the Recurrence time frame:
   • Hourly - Enter the time interval for Every x hours.
   • Daily - Select the Time of day.
   • Weekly - Select the Day of week and Time of day.
   • Monthly - Select the Day of month and Time of day.
4. Click Apply.

To toggle between block and detect-only modes:

1. Clear or select the applicable checkbox:
   • For IPS - Detect-only mode(IDS)
   • For Anti-Virus, Anti-Bot or Threat Emulation - Detect-only mode
2. Click Apply.

In detect-only mode, only logs are shown and the blades do not block any traffic.

To import an IPS update offline:

On rare occasions, there are organizations where the gateway is without Internet connectivity, but IPS is still required. Please contact Check Point Support to receive an offline IPS update package.

1. Click import manually at the bottom of the page.
2. Browse to the offline package file you received from Check Point Support.
3. Click Import.

Threat Prevention Exceptions

In the Threat Prevention > Threat Prevention Exceptions page you can configure exception rules for traffic which the IPS engine and malware engine for Anti-Virus and Anti-Bot do not inspect.

IPS Exceptions

To add a new IPS exception rule:

1. In the IPS Exceptions section, click New.
2. Click the links in the rule summary or the table cells to select network objects or options that fill out the exception rule fields.
   • Protection - Select either All IPS protections or a specific IPS protection from the list.
   • Source - Network object that initiates the connection.
   • Destination - Network object that is the target of the connection.
   • Service/Port - Type of network service. If you make an exception for a specified protection on a specific service/port, you might cause the protection to be ineffective.
3. Optional - Add a comment in the Write a comment field.
4. Click Apply.

Malware Exceptions

Anti-Virus and Anti-Bot exception rules include a Scope parameter. Threat Prevention inspects traffic to and/or from all objects specified in the Scope, even when the specified object did not open the connection. This is an important difference from the Source object in Firewall rules, which defines the object that opens a connection.

For example, when a Scope includes a Network Object named MyWebServer. Threat Prevention inspects all files sent to and from MyWebServer (both directions) for malware threats, even if MyWebServer did not open the connection.

Scope objects can be:

• Network objects, such as Security Gateways, clusters, servers, networks
• Network object groups
• IP address ranges
• Local users

To add a new malware exception rule:

1. In the Malware Exceptions section, click New.
2. Click the links in the rule summary or the table cells to select network objects or options that fill out the exception rule fields.
   • Scope - Select either Any or a specific scope from the list. If necessary, you can create a New network object, network object group, or local user.
     If it is necessary to negate a specified scope, select the scope and select the Any Scope except checkbox.
     For example, if the scope of the exception should include all scopes except for the DMZ network, select DMZ network and select the Any Scope except checkbox.
   • Protection - Select Any malware, Any Anti-Virus, and Any Anti-Bot. You cannot set a specific protection here. To set an exception for a specified protection, see the Threat Prevention > Infected Hosts page.
   • Action - Select the applicable action to enforce on the matching traffic: Ask, Prevent, Detect or Inactive. See the Threat Prevention > Threat Prevention Blade Control page for a description of the action types.
   • Log - Select the tracking option: None, Log, or Alert. Logs are shown on the Logs & Monitoring > Security Logs page. An alert is a flag on a log. You can use it to filter logs.
3. Optional - Add a comment in the Write a comment field.
4. Click Apply.

Whitelists

You can set specified files and URLs that the Anti-Virus, Anti-Bot and Threat Emulation blades do not scan or analyze. For example, if there are files that you know are safe but can create a false positive when analyzed, add them to the Files Whitelist.

Threat Emulation only: You can set specified email addresses that the blade does not scan and add them to the Email Addresses Whitelist.

To add a file or URL to the whitelist:

1. Select Files Whitelist or URLs Whitelist.
2. Click New.

   The Add File or Add URL window opens.

3. For a file, enter the MD5 checksum that gives the digital signature for a specified file.
4. For a URL, enter the URL.
5. Click Apply.

To add an email address to the whitelist:

1. Select Email Addresses Whitelist.
2. Click New.

   The Add Email Address window opens.

3. Enter the email address.
4. For Type, select Sender or Recipient.
5. Click Apply.

To edit or delete an exception rule:

1. Select the relevant rule.
2. Click Edit or Delete.

Infected Hosts

In the Infected Hosts page you can see information about infected hosts and servers in the internal networks. You can also directly create an exception rule for a specified protection related to an infected or possibly infected host or server.

The Infected Hosts table shows this information for each entry:

• Icon - Shows icons for the different classifications of infected hosts and servers:

  Description	Host Icon	Server Icon
  Infected host or server - When the Anti-Bot blade detects suspicious communication between the host or server and an external Command & Control center due to a specified triggered protection.
  Possibly infected host or server - When the Anti-Virus blade detects an activity that may result in host or server infection. For example: When you browse to an infected or a potentially unsafe Internet site, there is a possibility that malware was installed. When you download an infected file, there is a possibility that the file was opened or triggered and infected the host or server.

• Object name - Shows the object name if the host or server was configured as a network object.
• IP/MAC address
• Device/User Name - Shows a device or user name if the information is available to the Check Point Appliance through DHCP or User Awareness.
• Incident type - Shows the detected incident type:
  • Found bot activity
  • Downloaded a malware
  • Accessed a site known to contain malware
• Severity - Shows the severity of the malware:
  • Low
  • Medium
  • High
  • Critical
• Protection name - Shows the Anti-Bot or Anti-Virus protection name.
• Last incident - The date of the last incident.
• Incidents - Shows the total number of incidents on the host or server in the last month. If there is a large amount of records, the time frame may be shorter.

To filter the infected hosts list:

1. Click Filter.
2. Select one of the filter options:
   • Servers only - Shows only machines that were identified as servers (and not any machine/device). Servers are defined as server objects in the system from the Access Policy > Servers page.
   • Possibly infected only - Shows only hosts or servers classified as possibly infected.
   • Infected only - Shows only hosts or servers classified as infected.
   • High and above severity only - Shows hosts and servers that are infected or possibly infected with malwares that have a severity classification of high or critical.

To add a malware exception rule for a specified protection:

1. Select the list entry that contains the protection for which to create an exception.
2. Click Add Protection Exception.
3. Click the links in the rule summary or the table cells to select network objects or options that fill out the exception rule fields.
   • Scope - Select either Any or a specific scope from the list. If necessary, you can create a New network object, network object group, or local user.
     If it is necessary to negate a specified scope, select the scope and select the Any Scope except checkbox.
     For example, if the scope of the exception should include all scopes except for the DMZ network, select DMZ network and select the Any Scope except checkbox.
   • Action - Select the applicable action to enforce on the matching traffic: Ask, Prevent, Detect or Inactive. See the Threat Prevention > Threat Prevention Blade Control page for a description of the action types.
   • Log - Select the tracking option: None, Log, or Alert. Logs are shown on the Logs & Monitoring > Security Logs page. An alert is a flag on a log. You can use it to filter logs.
4. Optional - Add a comment in the Write a comment field.
5. Click Apply.

   The rule is added to Malware Exceptions on the Threat Prevention > Exceptions page.

To view the logs of a specified entry:

1. Select the list entry for which to view logs.
2. Click Logs.

   The Logs & Monitoring > Security Logs page opens and shows the logs applicable to the IP/MAC address.

   Note - This page is available from the Home and Logs & Monitoring tabs.

IPS Protections List

In the Threat Prevention > IPS Protections List page you can see the signature based protections that the appliance downloaded as part of the IPS service blade. You can see which of the protections are activated based on the policy you configured in the Threat Prevention > IPS Blade Control page.

You can see the details of each protection and also configure a manual override for individual protections' action, and tracking options.

To search for a specified protection:

• Enter a name in the filter box.
• Scroll the pages with the next and previous page buttons at the bottom of the page.

These are the fields that manage IPS exceptions:

• Protection - Name of IPS protection
• Protection Type - Shows if the protection applies to servers, clients or both
• Category - Category of the protection
• Action - Firewall action for this protection, the word overridden indicates a manual override
• Severity - Probable severity of a successful attack to your environment
• Confidence - How confident IPS is that recognized attacks are actually undesirable traffic
• Performance - How much this protection and its resources affect gateway or server performance

To manually override a specific protection's configuration:

1. Select a protection from the list.
2. Click Edit.

   The Protection Settings window opens.

3. Select the Override IPS policy action checkbox and select the relevant option:
   • Prevent
   • Detect
   • Inactive

   The protection's actions are not affected anymore by the IPS policy configuration.

4. Select a Track option for the protection.
5. Click Apply.

Threat Prevention Engine Settings

In the Threat Prevention > Threat Prevention Engine Settings page you can configure advanced configuration settings for the Anti-Virus, Anti-Bot, Threat Emulation, and IPS engines.

Note - Many of the configurations below are advanced and should only be used by experienced administrators.

Anti-Virus

To configure the Anti-Virus settings:

1. Select one of the protected scope options:
   • Scan incoming files from X interfaces - These are the options for X:
     • External and DMZ - Files that originate from external and the DMZ interfaces are inspected.
     • External - Files that originate from external interfaces are inspected.
     • All - Files transferred between all interfaces are inspected.
   • Scan both incoming and outgoing files - Files that originate from outside the organization and from within the organization to the Internet are inspected.
2. Select the protocols to scan for the selected scope:
   • HTTP (on any port)
   • Mail (SMTP and POP3)
   • FTP
3. Select one of the file type policy options:
   • Process file types known to contain malware
   • Process all file types
   • Process specific file type families - Click Configure for a list of file types and set prescribed actions to take place when these files pass through the Anti-Virus engine. To edit an action for a specified file type, right-click the row and click Edit.

     The available actions are:

     • Scan - The Anti-Virus engine scans files of this type.
     • Block - The Anti-Virus engine does not allow files of this type to pass through it.
     • Pass - The Anti-Virus engine does not inspect files of this type and lets them pass through.

     You cannot delete system defined file types. System defined file types are recognized by built-in signatures that cannot be edited. Manually defined file types are recognized by their extension and are supported through the web and mail protocols.

4. You can set policy overrides to override the general policy setting defined on the Threat Prevention Blade Control page. For each of the below protection type options, you can set the applicable override action: Ask, Prevent, Detect, Inactive, or According to policy (no override). See the Threat Prevention > Threat Prevention Blade Control page for a description of the action types.
   • URLs with malware - Protections related to URLs that are used for malware distribution and malware infection servers.
   • Viruses - Real-time protection from the latest malware and viruses by examining each file against the Check Point ThreatCloud database.

Anti-Bot

You can set policy overrides to override the general policy settings defined on the Threat Prevention Blade Control page. For each of the below protection type options, you can set the applicable override action: Ask, Prevent, Detect, Inactive, or According to policy (no override). See the Threat Prevention > Threat Prevention Blade Control page for a description of the action types.

• Malicious activity - Protections related to unique communication patterns of botnet and malware specified families.
• Reputation domains - Protections related to Command & Control (C&C) servers. Each host is checked against the Check Point ThreatCloud reputation database.
• Reputation IPs - Protections related to Command & Control (C&C) servers. Each IP is checked against the Check Point ThreatCloud reputation database.
• Reputation URLs - Protections related to Command & Control (C&C) servers. Each URL is checked against the Check Point ThreatCloud reputation database.
• Unusual activity - Protections related to the behavioral patterns common to botnet and malware activity.

Threat Emulation

To configure the Threat Emulation settings:

1. Select one of the protected scope options:
   • Scan incoming files from X interfaces - These are the options for X:
     • External and DMZ - Files that originate from external and the DMZ interfaces are inspected.
     • External - Files that originate from external interfaces are inspected.
     • All - Files transferred between all interfaces are inspected.

     Note - LAN to LAN scanning is not supported.

   • Scan both incoming and outgoing files - Files that originate from outside the organization and from within the organization to the Internet are inspected.
2. Select the protocols to scan for the selected scope:
   • HTTP (on any port)
   • Mail (SMTP and POP3)
3. For file type policy:
   • Process specific file type families - Click Configure for a list of file types and set prescribed actions to take place when these files pass through the Threat Emulation engine.

     To edit an action for a specified file type, right-click the row and click Edit. You can also click the file type so it is selected and then click Edit.

     The available actions are:

     • Inspect - The Threat Emulation engine inspects files of this type.
     • Bypass - The Threat Emulation engine does not inspect files of this type and lets them pass through.

     You cannot delete system defined file types. System defined file types are recognized by built-in signatures that cannot be edited.

4. Select the HTTP connection emulation handling mode:
   • Background - Connections are allowed until emulation is complete.
   • Hold - Connections are blocked until emulation is complete.

In Threat Emulation, each file is run in the Check Point Public ThreatCloud to see if the file is malicious. The verdict is returned to the gateway.

You can change the emulator location to a local private SandBlast appliance in the Advanced Settings page.

You must first enable the Threat Emulation blade and then configure it for remote emulation.

To enable the Remote Private Cloud Threat Emulation emulator:

1. Go to Device > Advanced Settings.
2. Search for Threat Prevention Threat Emulation policy - Emulation location.
3. Select Emulation is done on remote (private) SandBlast.
4. Add or update the emulator IP address.
5. Click Apply.

To disable the Remote Private Cloud Threat Emulation emulator:

1. Go to Device > Advanced Settings.
2. Search for Threat Prevention Threat Emulation policy - Emulation location.
3. Select Emulation is done on Public ThreatCloud.
4. Click Apply.

To configure multiple remote emulators, you must use CLI commands.

For more information on Threat Emulation, see the Threat Emulation video on the Small Business Security video channel.

User Messages

You can customize messages for protection types set with the Ask action. When traffic is matched for a protection type that is set to Ask, the user's internet browser shows the message in a new window.

These are the Ask options and their related notifications:

Option	Anti-Virus Notification	Anti-Bot Notification
Ask	Shows a message to users and asks them if they want to continue to access a site or download a file that was classified as malicious.	Shows a message to users and notifies them that their computer is trying to access a malicious server.
Block	Shows a message to users and blocks the site.	Anti-Bot blocks background processes. If a specified operation from a browser to a malicious server is blocked, a message is shown to the user.

To customize messages:

1. Click Customize Anti-Virus user message or Customize Anti-Bot user message.
2. Configure the options in each of these tabs:
   • Ask
   • Block
3. Configure the applicable fields for the notifications:
   • Title - Keep the default or enter a different title.
   • Subject - Keep the default or enter a different subject.
   • Body - Keep the default or enter different body text. You can click Optional keywords for a list of keywords that you can add in the body text to give the user more information.
   • Ignore text (only for Ask) - If the user decides to ignore the message, this is the text that is shown next to the checkbox. Keep the default text or enter different text.
   • User must enter a reason (only for Ask) - Select this checkbox if users must enter an explanation for their activity. The user message contains a text box to enter the reason.
   • Fallback action (only for Ask) - Select an alternative action (Block or Accept) for when the notification cannot be shown in the browser or application that caused the notification, most notably in non-web applications.
     • If the Fallback action is Accept - The user can access the website or application.
     • If the Fallback action is Block - The website or application is blocked, and the user does not see a notification.
   • Frequency - You can set the number of times that the Anti-Virus, Anti-Bot, or Threat Emulation Ask user message is shown:
     • Once a day
     • Once a week
     • Once a month
   • Redirect the user to a URL (only for block) - You can redirect the user to an external portal, not on the gateway. In the URL field, enter the URL for the external portal. The specified URL can be an external system. It gets authentications credentials from the user, such as a user name or password. It sends this information to the gateway.
4. Click the Customize tab to customize a logo for all portals shown by the appliance (Hotspot and captive portal used by User Awareness). Click Upload, browse to the logo file and click Apply. If necessary, you can revert to the default logo by clicking Use Default.
5. Click Apply.

IPS

To change the protection scope of the IPS engine:

Select one of the options:

• Protect internal hosts only - The IPS engine only protect against attacks targeted on clients and servers that are inside the organization. The IPS engine does not waste resources on protecting hosts outside your organization.
• Perform IPS inspection on all traffic - This option is less recommended as it consumes more resources.

To configure the IPS engine to bypass mode when the appliance is under heavy load:

1. Select the Bypass under load checkbox to activate the feature.
2. Click Configure to select the thresholds upon which IPS engine toggles between bypass and inspection modes. Follow the instructions in the window that opens and click Apply.

   Thresholds are configured for CPU Usage and Memory Usage. There is always a high watermark and a low watermark. Bypass occurs when the high watermark is exceeded and the IPS engine continues inspection when the load drops below the low watermark. In this way when under load, the IPS engine does not toggle between modes too frequently.

3. In Bypass under load tracking, to configure tracking options for this feature, select what type of log to issue.

To change the tracking setting:

Select the relevant Event tracking option - None, Log or Alert (shown as a highly important log).

To apply all changes made on this page:

Click Apply.

Anti-Spam Blade Control

In the Threat Prevention > Anti-Spam Blade Control page you can activate the Anti-Spam engine to block or flag emails that are contain known or suspected spam content.

On this page you can activate the blade to identify, block or flag such emails or set it to detect mode only and use the logs to understand if your system is experiencing spam attacks.

Check Point can identify spam emails by their source address (most spam emails) and also the email content itself. You can configure the system to simply flag emails with spam content instead of blocking them and then configure your internal email server to use this flag to decide how to handle them. Flag is a common use case if you do not want to lose emails that are suspected of spam. The content of emails is inspected in the cloud and the appliance is notified how to handle the emails.

You can handle suspected spam the same way as known spam, or select the checkbox to handle suspected spam separately (see below).

To enable/disable the Anti-Spam blade:

1. Select On or Off.
2. Click Apply.

Note - When the blade is managed by Cloud Services, a lock icon is shown. You cannot toggle between the on and off states. If you change other policy settings, the change is temporary. Any changes made locally will be overridden in the next synchronization between the gateway and Cloud Services.

To configure the Anti-Spam engine to work in detect only mode:

1. Select the Detect-only mode checkbox.
2. Click Apply.

In Detect-only mode, only logs appear and the blade does not block any emails.

To configure the Anti-Spam Policy:

The spam filter is always based on inspecting the senders' source address. This is a quick way to handle the majority of spam emails. In addition, you can configure to filter the rest of the spam emails by inspecting the email content. Make sure the Email content checkbox is selected. Select the action to perform on emails whose content was found to contain spam:

• Block spam emails
• Flag spam email subject with X - Replace X with manually defined text to add to the subject line for spam emails.
• Flag spam email header - This option identifies email as spam in the email message header.

Select the relevant tracking option - Log or Alert (shown as a highly important log).

To handle suspected spam separately from known spam:

1. Click Handle suspected spam separately.
2. Select an option: block, flag email subject, or flag email header.

   When selecting a flag option, it is possible to modify the text string used to flag the suspected spam emails. The default is "[SUSPECTED SPAM]". You can choose the flag option for Spam and for Suspected Spam. Use this option to have a different string for the flag action.

3. Select a tracking option.
4. Click Apply.

Anti-Spam Exceptions

In the Threat Prevention > Anti-Spam Exceptions page you can configure:

• Safe senders (email addresses) and/or domains or IP addresses from which emails are not inspected.
• Specific senders and/or domains or IP addresses that Anti-Spam engine blocks regardless of its own classification.

To block or allow by senders requires the Anti-Spam engine to be configured to filter based on Email content in the Threat Prevention > Anti-Spam Blade Control page.

Note - IP address exceptions are ignored for POP3 traffic.

To add a new sender/domain/IP address to the Allow or Block list:

1. Click Add or New in the Allow or Block list.
2. Enter the IP address or Sender/Domain.
3. Click Apply.

To edit or delete a sender/domain/IP address from the Allow or Block list:

1. Select the relevant row in the Allow or Block list.
2. Click Edit or Delete. If the options are not visible, click the arrows next to the filter box.