Managing Threat Prevention
This section describes how to set up and manage the Intrusion Prevention System (IPS), Anti-Virus, Anti-Bot, Threat Emulation, and Anti-Spam blades.
Threat Prevention Blade Control
In the > page you can activate:
You can activate the blades to prevent such attacks/infection or set them to detect-mode only. The top of the page shows the number of infected devices. For more information, click . The number of Anti-Virus, Anti-Bot and Threat Emulation malwares and the number of IPS attacks is shown next to the On/Off switch for each blade. You can also use logs to understand if your system is experiencing attack attempts. See the > page.
Check Point uses a large database of signature based protections and this page lets you use a default recommended policy. You can edit the policies and configure an IPS policy and Anti-Virus, Anti-Bot, and Threat Emulation policy that maximizes connectivity and security in your environment. Each policy represents a different profile of protections based on their severity, performance impact, and confidence level.
To enable/disable the IPS, Anti-Virus, Anti-Bot, or Threat Emulation blade:
- Select or.
- Click .
Note - When the blade is managed by Cloud Services, a lock icon is shown. You cannot toggle between the on and off states. If you change other policy settings, the change is temporary. Any changes made locally are overridden in the next synchronization between the gateway and Cloud Services.
IPS
To configure the IPS Policy:
- In the section, click .
- Select one of these options:
- - A protection profile that focuses on security.
- - A protection profile most suitable for small/medium sized businesses that gives the best mixture of security and performance. This is the default option.
- - A protection profile that you can manually define.
To configure a Custom IPS Policy:
The levels for each protection are defined by the Check Point IPS service:
- How critical is the potential threat.
- - Protections with a lower confidence-level provide protection against a wide variety of attack vectors. There is a risk of more false-positives.
- - How the appliance performance is affected by activating these protections.
- Select which type of protections to activate:
- - If your environment does not include any servers within the organization that are accessible from the Internet you might want to clear this option.
- Select which protections are deactivated based on each of the protections parameters based on one or more of these levels:
- - You can decide the level of severity under which protections are not activated. Choose between low, medium, high, critical.
- - You can decide the level of confidence-level under which protections are not activated. Choose between low, medium-low, medium, medium-high, and high.
- - You can decide the level of performance impact over which protections are not activated. Select one of these options: very low, low, medium, and high.
- Select if you want to disable protections against protocol anomalies.
Most of the IPS protections protect against malicious attempts to exploit vulnerabilities but there are other types of protections:
- Protocol anomalies - Protections of this type detect and block irregularities in protocols. Such irregularities do not necessarily indicate a malicious attempt but many malicious attempts use such irregularities.
- Protocol control - Protections of this type detect and block usage of protocol or files. They let you block those specified protocols or files based on your organization's policy. This is a form of access control within the IPS blade. Protocol control protections are not activated automatically by the IPS policy. You can see them and manually activate each one based on your organization's policy through the > page.
- Alternatively, you can set all the policy parameters to be the same as the built in strict or typical profiles and then make manual adjustments using the steps above. Select and the appropriate profile.
- Click .
Anti-Virus, Anti-Bot, and Threat Emulation share the same malware policy.
The Anti-Virus, Anti-Bot, and Threat Emulation policy is also based on a set of activated protections and instructions for how to handle traffic inspection that matches activated protections. Protections help manage the threats against your network. For more information about protections, see the . You can access it from a link on the > page.
Set protection activation based on these protection criteria:
- Confidence level - The confidence level is how confident the Software Blade is that recognized attacks are actually a virus, or bot traffic, or malicious files . Some attack types are more subtle than others and legitimate traffic can sometimes be mistakenly recognized as a threat. The confidence level value shows how well protections can correctly recognize a specified attack. The higher the Confidence level of a protection, the more confident Check Point is that recognized attacks are indeed attacks. Lower Confidence levels indicate that some legitimate traffic may be identified as an attack.
- Protection action - The action enforced on the matching traffic. Notifications for these actions are set based on to the defined tracking option (none, logged, or logged with an alert).
- Prevent - Blocks identified virus or bot traffic, or identified malicious files, from passing through the gateway.
- Detect - Allows identified virus or bot traffic, or identified malicious files, to pass through the gateway, but detects it and logs it.
- Ask - Traffic is blocked until the user confirms that it is allowed. To customize the user message, see the > page.
- Inactive - The protection is deactivated.
- Performance impact - Indicates the impact level on Security Gateway performance.
To configure the Anti-Virus, Anti-Bot or Threat Emulation Policy:
- In the relevant section, click .
- For each confidence level (, , and ), select the applicable action from the list (, , , or ).
- In Performance impact, select the allowed impact level (, , or ).
- In , select one of these options:
- - Do not log.
- - Create a log.
- - Log with an alert.
- If it is necessary to restore the policy default values, click .
- Click .
Updates
As service based blades, it is necessary to schedule the interval at which updates are downloaded.
To schedule updates:
- Click the link at the bottom of the page. You can also hover over the icon next to the update status and select the link from there.
- Select the blades to schedule updates. You must manually update the other blades when new update packages are available (see the Not up to date message in the status bar).
- Select the time frame:
- - Enter the time interval for .
- - Select the .
- - Select the and .
- - Select the and .
- Click .
To toggle between block and detect-only modes:
- Clear or select the applicable checkbox:
- For IPS -
- For Anti-Virus, Anti-Bot or Threat Emulation -
- Click .
In detect-only mode, only logs are shown and the blades do not block any traffic.
To import an IPS update offline:
On rare occasions, there are organizations where the gateway is without Internet connectivity, but IPS is still required. Please contact Check Point Support to receive an offline IPS update package.
- Click manually at the bottom of the page.
- to the offline package file you received from Check Point Support.
- Click .
Threat Prevention Exceptions
In the > page you can configure exception rules for traffic which the IPS engine and malware engine for Anti-Virus and Anti-Bot do not inspect.
IPS Exceptions
To add a new IPS exception rule:
- In the section, click .
- Click the links in the rule summary or the table cells to select network objects or options that fill out the exception rule fields.
- - Select either All IPS protections or a specific IPS protection from the list.
- - Network object that initiates the connection.
- - Network object that is the target of the connection.
- - Type of network service. If you make an exception for a specified protection on a specific service/port, you might cause the protection to be ineffective.
- Optional - Add a comment in the field.
- Click .
Malware Exceptions
Anti-Virus and Anti-Bot exception rules include a Scope parameter. Threat Prevention inspects traffic to and/or from all objects specified in the Scope, even when the specified object did not open the connection. This is an important difference from the Source object in Firewall rules, which defines the object that opens a connection.
For example, when a Scope includes a Network Object named MyWebServer. Threat Prevention inspects all files sent to and from MyWebServer (both directions) for malware threats, even if MyWebServer did not open the connection.
Scope objects can be:
- Network objects, such as Security Gateways, clusters, servers, networks
- Network object groups
- IP address ranges
- Local users
To add a new malware exception rule:
- In the section, click .
- Click the links in the rule summary or the table cells to select network objects or options that fill out the exception rule fields.
- - Select either Any or a specific scope from the list. If necessary, you can create a network object, network object group, or local user.
If it is necessary to negate a specified scope, select the scope and select the checkbox.
For example, if the scope of the exception should include all scopes except for the DMZ network, select DMZ network and select the Any Scope except checkbox. - - Select , and . You cannot set a specific protection here. To set an exception for a specified protection, see the > page.
- - Select the applicable action to enforce on the matching traffic: , , or . See the > page for a description of the action types.
- - Select the tracking option: , , or . Logs are shown on the > page. An alert is a flag on a log. You can use it to filter logs.
- Optional - Add a comment in the field.
- Click .
Whitelists
You can set specified files and URLs that the Anti-Virus, Anti-Bot and Threat Emulation blades do not scan or analyze. For example, if there are files that you know are safe but can create a false positive when analyzed, add them to the Files Whitelist.
Threat Emulation only: You can set specified email addresses that the blade does not scan and add them to the Email Addresses Whitelist.
To add a file or URL to the whitelist:
- Select or .
- Click .
The or window opens.
- For a file, enter the that gives the digital signature for a specified file.
- For a URL, enter the .
- Click .
To add an email address to the whitelist:
- Select .
- Click .
The window opens.
- Enter the email address.
- For , select Sender or Recipient.
- Click .
To edit or delete an exception rule:
- Select the relevant rule.
- Click or .
Infected Devices
In the page you can see information about infected devices and servers in the internal networks. You can also directly create an exception rule for a specified protection related to an infected or possibly infected device or server.
The Infected Devices table shows this information for each entry:
- Icon - Shows icons for the different classifications of infected devices and servers:
Description
|
Host Icon
|
Server Icon
|
Infected device or server - When the Anti-Bot blade detects suspicious communication between the host or server and an external Command & Control center due to a specified triggered protection.
|
|
|
Possibly infected device or server - When the Anti-Virus blade detects an activity that may result in host or server infection. For example:
- When you browse to an infected or a potentially unsafe Internet site, there is a possibility that malware was installed.
- When you download an infected file, there is a possibility that the file was opened or triggered and infected the host or server.
|
|
|
- Object name - Shows the object name if the host or server was configured as a network object.
- IP/MAC address
- Device/User Name - Shows a device or user name if the information is available to the Check Point Appliance through DHCP or User Awareness.
- Incident type - Shows the detected incident type:
- Found bot activity
- Downloaded a malware
- Accessed a site known to contain malware
- Severity - Shows the severity of the malware:
- Protection name - Shows the Anti-Bot or Anti-Virus protection name.
- Last incident - The date of the last incident.
- Incidents - Shows the total number of incidents on the device or server in the last month. If there is a large amount of records, the time frame may be shorter.
To filter the infected devices list:
- Click .
- Select one of the filter options:
- - Shows only machines that were identified as servers (and not any machine/device). Servers are defined as server objects in the system from the > page.
- - Shows only devices or servers classified as possibly infected.
- - Shows only devices or servers classified as infected.
- - Shows devices and servers that are infected or possibly infected with malwares that have a severity classification of high or critical.
To add a malware exception rule for a specified protection:
- Select the list entry that contains the protection for which to create an exception.
- Click .
- Click the links in the rule summary or the table cells to select network objects or options that fill out the exception rule fields.
- - Select either Any or a specific scope from the list. If necessary, you can create a network object, network object group, or local user.
If it is necessary to negate a specified scope, select the scope and select the checkbox.
For example, if the scope of the exception should include all scopes except for the DMZ network, select DMZ network and select the Any Scope except checkbox. - - Select the applicable action to enforce on the matching traffic: , , or . See the > page for a description of the action types.
- - Select the tracking option: , , or . Logs are shown on the > page. An alert is a flag on a log. You can use it to filter logs.
- Optional - Add a comment in the field.
- Click .
The rule is added to Malware Exceptions on the > page.
To view the logs of a specified entry:
- Select the list entry for which to view logs.
- Click .
The> page opens and shows the logs applicable to the IP/MAC address.
Note - This page is available from the andtabs.
IPS Protections List
In the > page you can see the signature based protections that the appliance downloaded as part of the IPS service blade. You can see which of the protections are activated based on the policy you configured in the > page.
You can see the details of each protection and also configure a manual override for individual protections' action, and tracking options.
To search for a specified protection:
- Enter a name in the box.
- Scroll the pages with the next and previous page buttons at the bottom of the page.
These are the fields that manage IPS exceptions:
- - Name of IPS protection
- - Shows if the protection applies to servers, clients or both
- - Category of the protection
- - Firewall action for this protection, the word indicates a manual override
- - Probable severity of a successful attack to your environment
- - How confident IPS is that recognized attacks are actually undesirable traffic
- - How much this protection and its resources affect gateway or server performance
To manually override a specific protection's configuration:
- Select a protection from the list.
- Click .
The Protection Settings window opens.
- Select the checkbox and select the relevant option:
The protection's actions are not affected anymore by the IPS policy configuration.
- Select a option for the protection.
- Click .
Threat Prevention Engine Settings
In the > page you can configure advanced configuration settings for the Anti-Virus, Anti-Bot, Threat Emulation, and IPS engines.
Note - Many of the configurations below are advanced and should only be used by experienced administrators.
Anti-Virus
To configure the Anti-Virus settings:
- Select one of the protected scope options:
- - Select one of these interfaces from which to scan incoming files:
- - Files that originate from external and the DMZ interfaces are inspected.
- - Files that originate from external interfaces are inspected.
- - Files transferred between all interfaces are inspected.
- - Files that originate from outside the organization and from within the organization to the Internet are inspected.
- Select the protocols to scan for the selected scope:
must be activated to scan HTTP and IMAP encrypted traffic. To activate, click the link or go to > .
- Select one of the file type policy options:
- - Click for a list of file types and set prescribed actions to take place when these files pass through the Anti-Virus engine. To edit an action for a specified file type, right-click the row and click .
The available actions are:
- Scan - The Anti-Virus engine scans files of this type.
- Block - The Anti-Virus engine does not allow files of this type to pass through it.
- Pass - The Anti-Virus engine does not inspect files of this type and lets them pass through.
You cannot delete system defined file types. System defined file types are recognized by built-in signatures that cannot be edited. Manually defined file types are recognized by their extension and are supported through the web and mail protocols.
- You can set to override the general policy setting defined on the Threat Prevention Blade Control page. For each of the below protection type options, you can set the applicable override action: Ask, Prevent, Detect, Inactive, or According to policy (no override). See the > page for a description of the action types.
- - Protections related to URLs that are used for malware distribution and malware infection servers.
- - Real-time protection from the latest malware and viruses by examining each file against the Check Point ThreatCloud database.
Anti-Bot
You can set to override the general policy settings defined on the Threat Prevention Blade Control page. For each of the below protection type options, you can set the applicable override action: Ask, Prevent, Detect, Inactive, or According to policy (no override). See the > page for a description of the action types.
- - Protections related to unique communication patterns of botnet and malware specified families.
- - Protections related to Command & Control (C&C) servers. Each host is checked against the Check Point ThreatCloud reputation database.
- - Protections related to Command & Control (C&C) servers. Each IP is checked against the Check Point ThreatCloud reputation database.
- - Protections related to Command & Control (C&C) servers. Each URL is checked against the Check Point ThreatCloud reputation database.
- - Protections related to the behavioral patterns common to botnet and malware activity.
Threat Emulation
To configure the Threat Emulation settings:
- Select one of the protected scope options:
- Select the protocols to scan for the selected scope:
must be activated to scan HTTP and IMAP encrypted traffic. To activate, click the link or go to > .
- For file type policy:
- - Click for a list of file types and set prescribed actions to take place when these files pass through the Threat Emulation engine.
To edit an action for a specified file type, right-click the row and click . You can also click the file type so it is selected and then click .
The available actions are:
- Inspect - The Threat Emulation engine inspects files of this type.
- Bypass - The Threat Emulation engine does not inspect files of this type and lets them pass through.
You cannot delete system defined file types. System defined file types are recognized by built-in signatures that cannot be edited.
- Select the HTTP connection emulation handling mode:
- - Connections are allowed until emulation is complete.
- - Connections are blocked until emulation is complete.
In Threat Emulation, each file is run in the Check Point Public ThreatCloud to see if the file is malicious. The verdict is returned to the gateway.
You can change the emulator location to a local private SandBlast appliance in the page.
You must first enable the Threat Emulation blade and then configure it for remote emulation.
To enable the Remote Private Cloud Threat Emulation emulator:
- Go to > .
- Search for .
- Select .
- Add or update the emulator IP address.
- Click .
To disable the Remote Private Cloud Threat Emulation emulator:
- Go to > .
- Search for .
- Select.
- Click .
To configure multiple remote emulators, you must use CLI commands.
For more information on Threat Emulation, see the Threat Emulation video on the Small Business Security video channel.
User Messages
You can customize messages for protection types set with the Ask action. When traffic is matched for a protection type that is set to Ask, the user's internet browser shows the message in a new window.
These are the Ask options and their related notifications:
Option
|
Anti-Virus Notification
|
Anti-Bot Notification
|
Ask
|
Shows a message to users and asks them if they want to continue to access a site or download a file that was classified as malicious.
|
Shows a message to users and notifies them that their computer is trying to access a malicious server.
|
Block
|
Shows a message to users and blocks the site.
|
Anti-Bot blocks background processes. If a specified operation from a browser to a malicious server is blocked, a message is shown to the user.
|
To customize messages:
- Click or
- Configure the options in each of these tabs:
- Configure the applicable fields for the notifications:
- - Keep the default or enter a different title.
- - Keep the default or enter a different subject.
- - Keep the default or enter different body text. You can click for a list of keywords that you can add in the body text to give the user more information.
- (only for Ask) - If the user decides to ignore the message, this is the text that is shown next to the checkbox. Keep the default text or enter different text.
- (only for Ask) - Select this checkbox if users must enter an explanation for their activity. The user message contains a text box to enter the reason.
- (only for Ask) - Select an alternative action (Block or Accept) for when the notification cannot be shown in the browser or application that caused the notification, most notably in non-web applications.
- If the Fallback action is - The user can access the website or application.
- If the Fallback action is - The website or application is blocked, and the user does not see a notification.
- - You can set the number of times that the Anti-Virus, Anti-Bot, or Threat Emulation Ask user message is shown:
- (only for block) - You can redirect the user to an external portal, not on the gateway. In the field, enter the URL for the external portal. The specified URL can be an external system. It gets authentications credentials from the user, such as a user name or password. It sends this information to the gateway.
- Click the tab to customize a logo for all portals shown by the appliance (Hotspot and captive portal used by User Awareness). Click ,browse to the logo file and click . If necessary, you can revert to the default logo by clicking .
- Click .
IPS
To change the protection scope of the IPS engine:
Select one of the options:
- - The IPS engine only protect against attacks targeted on clients and servers that are inside the organization. The IPS engine does not waste resources on protecting hosts outside your organization.
- - This option is less recommended as it consumes more resources.
To configure the IPS engine to bypass mode when the appliance is under heavy load:
- Select the checkbox to activate the feature.
- Click to select the thresholds upon which IPS engine toggles between bypass and inspection modes. Follow the instructions in the window that opens and click .
Thresholds are configured for CPU Usage and Memory Usage. There is always a high watermark and a low watermark. Bypass occurs when the high watermark is exceeded and the IPS engine continues inspection when the load drops below the low watermark. In this way when under load, the IPS engine does not toggle between modes too frequently.
- In , to configure tracking options for this feature, select what type of log to issue.
To change the tracking setting:
Select the relevantoption - , or (shown as a highly important log).
To apply all changes made on this page:
Click .
Anti-Spam Blade Control
In the > page you can activate the Anti-Spam engine to block or flag emails that are contain known or suspected spam content.
On this page you can activate the blade to identify, block or flag such emails or set it to detect mode only and use the logs to understand if your system is experiencing spam attacks.
Check Point can identify spam emails by their source address (most spam emails) and also the email content itself. You can configure the system to simply flag emails with spam content instead of blocking them and then configure your internal email server to use this flag to decide how to handle them. Flag is a common use case if you do not want to lose emails that are suspected of spam. The content of emails is inspected in the cloud and the appliance is notified how to handle the emails.
You can handle suspected spam the same way as known spam, or select the checkbox to handle suspected spam separately (see below).
To enable/disable the Anti-Spam blade:
- Select or.
- Click .
Note - When the blade is managed by Cloud Services, a lock icon is shown. You cannot toggle between the on and off states. If you change other policy settings, the change is temporary. Any changes made locally will be overridden in the next synchronization between the gateway and Cloud Services.
To configure the Anti-Spam engine to work in detect only mode:
- Select the checkbox.
- Click .
In Detect-only mode, only logs appear and the blade does not block any emails.
To configure the Anti-Spam Policy:
The spam filter is always based on inspecting the senders' source address. This is a quick way to handle the majority of spam emails. In addition, you can configure to filter the rest of the spam emails by inspecting the email content. Make sure the checkbox is selected. Select the action to perform on emails whose content was found to contain spam:
- - Replace X with manually defined text to add to the subject line for spam emails.
- - This option identifies email as spam in the email message header.
Select the relevant - Log or Alert (shown as a highly important log).
To handle suspected spam separately from known spam:
- Click .
- Select an option: block, flag email subject, or flag email header.
When selecting a flag option, it is possible to modify the text string used to flag the suspected spam emails. The default is "[SUSPECTED SPAM]". You can choose the flag option for Spam and for Suspected Spam. Use this option to have a different string for the flag action.
- Select a tracking option.
- Click .
Anti-Spam Exceptions
In the > page you can configure:
- Safe senders (email addresses) and/or domains or IP addresses from which emails are not inspected.
- Specific senders and/or domains or IP addresses that Anti-Spam engine blocks regardless of its own classification.
To block or allow by senders requires the Anti-Spam engine to be configured to filter based on in the > l page.
Note - IP address exceptions are ignored for POP3 traffic.
To add a new sender/domain/IP address to the Allow or Block list:
- Click or in the Allow or Block list.
- Enter the or .
- Click .
To edit or delete a sender/domain/IP address from the Allow or Block list:
- Select the relevant row in the Allow or Block list.
- Click or . If the options are not visible, click the arrows next to the filter box.