Open Frames Download Complete PDF Send Feedback Print This Page



Threat Prevention Policies

In This Section:

Anti-Bot and Anti-Virus


Anti-Bot and Anti-Virus

Protecting Networks from Bots

A bot is malicious software that can infect your computer. There are many infection methods, for example:

  • Opening attachments that exploit a vulnerability
  • Accessing a web site that results in a malicious download

When a bot infects a computer, it:

  • Takes control of the computer and neutralizes its Anti-Virus defenses. It is not easy to find bots on your computer, they hide and change how they look to Anti-Virus software.
  • Connects to a C&C (Command and Control center) for instructions from cyber criminals. The cyber criminals, or bot herders, can remotely control it and instruct it to do illegal activities without your knowledge. Your computer can do one or more of these activities:
    • Steal data (personal, financial, intellectual property, organizational)
    • Send spam
    • Attack resources (Denial of Service Attacks)
    • Consume network bandwidth and reduce productivity

One bot can often create multiple threats. Bots are frequently used as part of Advanced Persistent Threats (APTs) where cyber criminals try to damage individuals or organizations. A botnet is a collection of compromised and infected computers.

The Anti-Bot Software Blade detects and prevents these bot and botnet threats. For more about using the Anti-Bot Software Blade, see the R77 Threat Prevention Administration Guide.

Identifying Bot Infected Computers

The Anti-Bot Software Blade uses these procedures to identify bot infected computers:

  • Identify the C&C addresses used by criminals to control bots

    These web sites are constantly changing and new sites are added on an hourly basis. Bots can attempt to connect to thousands of potentially dangerous sites. It is a challenge to know which sites are legitimate and which are not.

  • Identify the communication patterns used by each botnet family

    These communication fingerprints are different for each family and can be used to identify a botnet family. Research is done for each botnet family to identify the unique language that it uses. There are thousands of existing different botnet families and new ones are constantly emerging.

  • Identify bot behavior

    Identify specified actions for a bot such as, when the computer sends spam or participates in DoS attacks.

Check Point uses the ThreatSpect engine and ThreatCloud repository to find bots based on these procedures.

Protecting Networks from Viruses

The Anti-Virus Software Blade inspects connections to the Internet and scans file transfers and downloads to the internal network to find and prevent malware attacks. It also gives pre-infection protection from external malware and malicious servers.

ThreatSpect engine and ThreatCloud repository

The ThreatSpect engine is a unique multi-tiered engine that analyzes network traffic and correlates information across multiple layers to find bots and other malware. It combines information on remote operator hideouts, unique botnet traffic patterns and behavior to identify thousands of different botnet families and outbreak types.

The ThreatCloud repository contains more than 250 million addresses that were analyzed for bot discovery and more than 2,000 different botnet communication patterns. The ThreatSpect engine uses this information to classify bots and viruses.

The Security Gateway gets automatic binary signature and reputation updates from the ThreatCloud repository. It can query the cloud for new, unclassified IP/URL/DNS resources that it finds.

The layers of the ThreatSpect engine:

  • Reputation - Analyzes the reputation of URLs, IP addresses and external domains that computers in the organization access. The engine searches for known or suspicious activity, such as a C&C.
  • Signatures - Detects threats by identifying unique patterns in files or in the network.
  • Suspicious Mail Outbreaks - Detects infected machines in the organization based on analysis of outgoing mail traffic.
  • Behavioral Patterns - Detects unique patterns that indicate the presence of a bot. For example, how a C&C communicates with a bot-infected machine.

Learning about Malware

The Threat Wiki is an easy to use tool that lets you search and filter the ThreatCloud repository to find more information about identified malware. The Threat Wiki helps you to learn more about malware, you can:

  • Filter by category, tag, or malware family
  • Search for a malware

To show the Threat Wiki:

In the Threat Prevention tab, click Threat Wiki. The Threat Wiki page opens.

Examining Anti-Bot and Anti-Virus Protections

The Protections browser shows information about the Anti-Bot and Anti-Virus protections.

To show the Protections browser:

In the Threat Prevention tab, click Protections. The lower pane shows a detailed description of the protection type.




Name of the protection type.


If the protection is used by the Anti-Bot or Anti-Virus Software Blade.


Layer of the ThreatSpect engine that is protecting the network.

Known Today

Number of known protections.

Performance Impact

Impact on the performance of a Security Gateway.

<Profile Name>

For each profile, shows the action for each protection:

  • Prevent - Blocks traffic that matches the protection
  • Detect - Allows all traffic and logs traffic that matches the protection
  • Inactive - Protection is disabled

Protections can have more than one action. This column shows the percentage of protections set to each action.

Enabling the Anti-Bot Software Blade

Enable the Anti-Bot Software Blade on a Security Gateway.

To enable the Anti-Bot Software Blade:

  1. In SmartDashboard, right-click the gateway object and select Edit.

    The Gateway Properties window opens.

  2. In Network Security tab, select Anti-Bot.

    The Anti-Bot and Anti-Virus First Time Activation window opens.

  3. Select one of the activation mode options:
    • According to the Anti-Bot and Anti-Virus policy - Enable the Anti-Bot Software Blade and use the Anti-Bot settings of the Threat Prevention profile in the Threat Prevention policy.
    • Detect only - Packets are allowed, but the traffic is logged according to the settings in the Threat Prevention Rule Base.
  4. Click OK.
  5. Install the Threat Prevention policy.

Anti-Bot and Anti-Virus Rule Base

There is a different Rule Base for Anti-Bot and Anti-Virus. The Anti-Bot and Anti-Virus rules use the Malware database and network objects. Security Gateways that have Identity Awareness enabled can also use Access Role objects as the Protected Scope in a rule. The Access Role objects let you easily make rules for individuals or different groups of users.

The first Anti-Bot or Anti-Virus rule that matches the traffic is applied. There are no implied rules in this Rule Base, all traffic is allowed unless it is explicitly blocked. A rule that is set to the Prevent action, blocks activity and communication for that malware.

When necessary, you can add an exception directly to a rule. The object in the Protected Scope, can have a different Action from the specified Anti-Bot and Anti-Virus rule. Here are some examples of exception rules:

  • A profile that only detects protections. You can set one or more of the protections for a user to Prevent.
  • The RnD network is included in a profile with the Prevent action. You can set that network to Detect.

Managing the Anti-Bot and Anti-Virus Rule Base

These are the fields that manage the rules for the Anti-Bot and Anti-Virus threat prevention policy.




Rule number in the Rule Base. An exception rule contains the letter E and a digit that represents the exception number. For example, E-2.2 is the second exception for the second rule.


Name that the system administrator gives this rule.

Protected Scope

Objects that are protected against bots and viruses. Traffic to and from these objects is inspected even if the objects did not open the connection.


For rules, the value for this field is always N/A. The protections are set according the profile in the Action field.

For exceptions, set this field to one or more specified protections.


For rules, the value for this field is an Anti-Bot and Anti-Virus profile.

For exceptions, set this field to Prevent or Detect.


Tracking and logging action that is done when traffic matches the rule.

Install On

Network objects that get this rule. The default setting is All and installs the policy on all Security Gateways that have Anti-Bot and Anti-Virus enabled.

Sample Rule Base

This table shows a sample Anti-Bot and Anti-Virus Rule Base. (The Install On column is not shown and is set to All.)



Protected Scope




High Security
- n/a
Packet Capture
Malware Rule
- n/a
RnD Server

1. High Security - Traffic for the Finance server and two corporate networks are inspected for bots and viruses according to the settings in the High_Security profile. The traffic is logged and the packets are captured for analysis in SmartView Tracker.

2. Malware Rule - All traffic in the network is inspected for bots and viruses according to the settings in the Recommend_Profile.

E-2.1 RnD Server - A global exception rule for the Server-1 object, that only detects the Backdoor.Win32.Shark.A protection.

E-2.2 Users_3 - An exception rule for the Users_3 Access Role, that only detects some protections.


Employees waste more and more time to sort through bulk emails commonly known as spam. The amount of resources (disk space, network bandwidth, CPU) devoted to handling spam also increases from year to year. In addition, unwanted emails continue to grow and can be an unexpected security threat to networks. Cyber-criminals can use emails to let viruses and malware into your network. The Anti-Spam and Mail Software Blade gives system administrators an easy and central tool to eliminate most of the spam that reaches their networks.

Enabling Anti-Spam

Use the Overview page in the Anti-Spam & Mail tab to enable Anti-Spam on a Security Gateway.

To enable Anti-Spam:

  1. In the Anti-Spam & Mail tab, select Overview.
  2. Click Anti-Spam.

    The Anti-Spam Enforcing Gateways window opens.

  3. Select one or more Security Gateways.
  4. Click OK.

Sample Configuration




Content based Anti-Spam

High protection

Identifies spam based on email content

IP Reputation Anti-Spam

High protection

Identifies spam based on IP address database of known spammers

Block List Anti-Spam


Identifies spam based on domains or IP addresses that you define

Mail Anti-Virus


Scans and filters emails for viruses and other malware

Zero hour malware protection


Does not scan the Internet to identify and filter new virus email attacks

The Zero hour malware protection feature is set to Off because enabling the feature has a negative effect on network performance.

Top of Page ©2015 Check Point Software Technologies Ltd. All rights reserved. Download PDF Send Feedback Print