
Configuring Advanced Threat Emulation Settings

In This Section:

Updating Threat Emulation

Handling Connections During Emulation

Mail Transfer Agent Configuration

Configure Mail Subject

Static Analysis

Threat Emulation Logs

Configuring MTA Advanced Settings

Fine-Tuning the Emulation Appliance

Updating Threat Emulation

Threat Emulation connects to the ThreatCloud to update the engine and the operating system images. The default setting for the Threat Emulation appliance is to automatically update the engine and images.

The default setting is to download the package once a day.

Best Practice - Configure Threat Emulation to download the package when there is low network activity.

Update packages for the Threat Emulation operating system images are usually more than 2GB. The actual size of the update package is related to your configuration.

To enable or disable Automatic Updates for Threat Emulation:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click Updates.

    The Updates page opens.

  3. Under Threat Emulation, click Schedule Update.
  4. Select or clear these settings:
    • Enable Threat Emulation engine scheduled update
    • Enable Threat Emulation images scheduled update
  5. Click Configure to configure the schedule for Threat Emulation engine or image updates.
  6. Configure the automatic update settings to update the database:
    • To update once a day, select At and enter the time of day
    • To update multiple times a day, select Every and set the time interval
    • To update once or more for each week or month:
      1. Select At and enter the time of day.
      2. Click Days.
      3. Click Days of week or Days of month.
      4. Select the applicable days.
  7. Click OK and then install the Threat Prevention policy.

Threat Emulation Images

Update packages for the Threat Emulation operating system images are usually more than several Gigabytes. The actual size of the update package is related to your configuration.

The default setting is to download the package once a week on Sunday. If Sunday is a work day, we recommend that you change the update setting to a non-work day.

To update the operating system image for Threat Emulation on a gateway:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click Updates.

    The Updates page opens.

  3. Under Threat Emulation, click Update Images.
  4. Select a gateway and click OK.
  5. Install the Threat Prevention policy.

Handling Connections During Emulation

Emulation Connection Handling Mode lets you configure Threat Emulation to allow or block a connection while it finishes the analysis of a file. You can also specify a different mode for SMTP and HTTP services.

Best Practice - For configurations that use Hold mode for SMTP traffic, we recommend that you use an MTA deployment.

If you are using the Prevent action, a file that Threat Emulation already identified as malware is blocked. Users cannot get the file even in Background mode.

To configure the Threat Emulation Connection Handling Mode:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click Profiles.
  3. Double-click the Threat Prevention profile.
  4. From the navigation tree, select Threat Emulation > Advanced.
  5. From the Emulation Connection Handling Mode section, select an option:
    • Background - Files are sent to destination even if the Threat Emulation analysis is not finished
    • Hold - Connections that must have emulation are blocked until the Threat Emulation analysis is finished
    • Custom - Select this option and click Customize to configure Background or Hold modes for SMTP and HTTP services
  6. Click OK.
  7. Install the Threat Prevention policy.

Mail Transfer Agent Configuration

If an attachment to an email is found to be malicious, you can select to block or allow the original email without the attachment.

Configure Mail Subject

If you select to allow the original email, you can click Configure Mail Subject to add a message which warns not to open the email.

Best Practice - If an attachment is found to be malicious, we recommend not to open the original email.

Static Analysis

Static Analysis optimizes file analysis by doing an initial analysis on files. If the analysis finds that the file is simple and cannot contain malicious code, the file is sent to the destination without additional emulation. Static analysis significantly reduces the number of files that are sent for emulation. If you disable it, you increase the percentage of files that are sent for full emulation. The Security Gateways do static analysis by default, and you have the option to disable it.

To disable static analysis for the Threat Prevention profile:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click Profiles.
  3. Double-click the Threat Prevention profile.
  4. From the navigation tree, select Threat Emulation > Advanced.
  5. From the Engine settings section, select Disable static analysis for filtering files.
  6. To enable static analysis, clear Disable static analysis for filtering files.
  7. Click OK.
  8. Install the Threat Prevention policy.

Threat Emulation Logs

This setting lets you configure the system to generate a log for each file after its emulation is complete.

To only generate Threat Emulation logs for files that contain malware:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click Profiles.
  3. Double-click the Threat Prevention profile.
  4. From the navigation tree, select Threat Emulation > Advanced.
  5. From the Logging section, clear Log every file scanned.
  6. To generate logs for each file after emulation is complete, select Log every file scanned.
  7. Click OK.
  8. Install the Threat Prevention policy.

Configuring MTA Advanced Settings

The MTA Advanced Settings window lets you configure which interfaces on the Security Gateway are listening to SMTP traffic that is sent to Threat Emulation.

Use the Mail Settings section to define these settings:

Emails that are in the MTA longer than the Maximum delay time are blocked or allowed without processing. The Troubleshooting setting lets you receive a log or alert when one of the limits is exceeded.

To configure the MTA advanced settings:

  1. Double-click the Security Gateway and from the navigation tree select Mail Transfer Agent.

    The Mail Transfer Agent page opens.

  2. In the Advanced Settings section, click Configure Settings.

    The MTA Advanced Settings window opens.

  3. To configure the interfaces for SMTP traffic, select one of these options:
    • All interfaces - SMTP traffic from all the interfaces is sent for scanning
    • All external - SMTP traffic from the external interfaces is sent for scanning
    • Use specific - SMTP traffic from the list of specified interfaces is sent for scanning. To add an interface to the list, click the plus sign ( + ). To remove a selected interface from the list, click the minus sign ( - ).
  4. To change the maximum number of minutes that the MTA keeps emails, configure Maximum delay time.
  5. To change the MTA hard drive limit, configure these settings:
    • % of storage - The percentage limit of MTA hard disk space.
    • MB - Total MB limit of MTA hard disk space.
  6. To change the action and tracking settings when the specified Mail Settings are exceeded, configure these settings:
    • Allow - SMTP traffic is allowed
    • Block - SMTP traffic is blocked
    • None - No logs are generated
    • Log - A log is generated in the Logs & Monitor view
    • Alert - Logs the event and sends the configured alert
  7. To change the MTA Troubleshooting settings, configure these settings:
    • When mail is delayed for more than - Set the maximum number of minutes that email is delayed in the MTA before the Track action is applied
    • Track - Select None (no logs are generated), Log (a log is generated in the Logs & Monitor view), or Alert (logs the event and sends the configured alert).
  8. Click OK.
  9. Install Policy.

Disabling the MTA

To disable the MTA:

  1. Configure the network to disable the MTA.
  2. Disable MTA on the Security Gateway.

Configuring the Network to Disable the MTA

The MTA address can remain in the cache. If the MTA queue is not empty, or if you disable the MTA before you reconfigure the network, emails that are sent to the network can be lost.

To disable MTA for email that is sent to the internal mail server:

  1. Connect to the DNS settings for the network.
  2. Change the MX records, and define the mail server as the next hop.
  3. Wait for 24 hours.
  4. Disable the MTA on the Security Gateway.

To disable MTA for email that is sent to a different MTA:

  1. Connect to the SMTP settings on the MTA that sends SMTP traffic to the internal mail server.
  2. Change the SMTP settings and define the mail server as the next hop.
  3. Make sure that the MTA queue is empty.
  4. Disable the MTA on the Security Gateway.

Disabling MTA on the Security Gateway

To disable the Security Gateway as an MTA:

  1. Double-click the Security Gateway and from the navigation tree select Mail Transfer Agent.

    The Mail Transfer Agent page opens.

  2. Clear Enable as a Mail Transfer Agent.
  3. Click OK and then install the policy.

Fine-Tuning the Emulation Appliance

You can change these advanced settings on the Emulation appliance to fine-tune Threat Emulation for your deployment.

Setting the Activation Mode

You can change the Threat Emulation protection Activation Mode of the Security Gateway or Emulation appliance. The emulation can use the Prevent action that is defined in the Threat Prevention policy or only Detect and log malware.

To configure the activation mode:

  1. Double-click the Emulation appliance.

    The Gateway Properties window opens.

  2. From the navigation tree, select Threat Emulation.

    The Threat Emulation page opens.

  3. From the Activation Mode section, select one of these options:
    • According to policy
    • Detect only
  4. Click OK and then install the policy.

Changing the Analysis Location

When you run the Threat Emulation First Time Configuration Wizard, you select the location of the emulation analysis. You can use the Threat Emulation window in Gateway Properties to change the location.

Note - The Threat Prevention policy defines the analysis location that is used for emulation.

You can send files that are not supported on the local Emulation appliance to the ThreatCloud for emulation.

To change the location of the emulation analysis:

  1. Double-click the Emulation appliance.

    The Gateway Properties window opens.

  2. From the navigation tree, select Threat Emulation.

    The Threat Emulation page opens.

  3. From the Analysis Location section, select the emulation location:
    • Check Point ThreatCloud - Files are sent to the Check Point ThreatCloud for emulation
    • Locally - Select the Security Gateway that does the emulation of the files
  4. Optional: Select Emulate files on ThreatCloud if not supported locally.

    If files are not supported on the Emulation appliance and they are supported in the ThreatCloud, they are sent to the ThreatCloud for emulation. No additional license is necessary for these files.

  5. Click OK.
  6. Install the policy on the Emulation appliance.

Emulation Limits

To prevent too many files from waiting for emulation, configure these emulation limits settings:

If emulation is not done on a file for one of these reasons, the Fail Mode settings for Threat Prevention define if a file is allowed or blocked.

You can configure the maximum amount of time that a file waits for the Threat Emulation Software Blade to do emulation of a file. There is a different setting that configures the maximum amount of time that emails are held in the MTA.

If the file is waiting for emulation more than the maximum time:

Configuring Emulation Limits

  1. In SmartConsole, select Manage & Settings > Blades > Threat Prevention > Advanced Settings.

    The Threat Emulation Engine Settings window opens.

  2. Click Configure settings.

    The Threat Emulation Settings window opens.

  3. Configure the settings for the emulation limits.
    • From When limit is exceeded traffic is accepted with track, select the action if a file is not sent for emulation:
      • None - No action is done
      • Log - The action is logged
      • Alert - An alert is sent to SmartView Monitor
  4. Click OK and then install the policy.

Changing the Local Cache

When a Threat Emulation analysis finds that a file is clean, the file hash is saved in a cache. Before Threat Emulation sends a new file to emulation, it compares the new file to the cache. If there is a match, it is not necessary to send it for additional emulation. Threat Emulation uses the cache to help optimize network performance.

Best Practice - Do not change this setting.

Changing the Size of the Local Cache

  1. In SmartConsole, select Manage & Settings > Blades > Threat Prevention > Advanced Settings.

    The Threat Prevention Engine Settings window opens.

  2. Click Configure Settings.

    The Threat Emulation Settings window opens.

  3. From Number of file hashes to save in local cache, configure the number of file hashes that are stored in the cache.
  4. Click OK and then install the policy.
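The interaction between the emulation limits (above) and the local clean-hash cache, as an added model that is not Check Point's code: a bounded cache that stores only hashes of files found clean, a maximum wait time after which the Threat Prevention Fail Mode decides, and the rule that malicious files are never served from the cache. The `emulate` callback, the `wait_seconds` argument and the cache size are assumptions for illustration.

```python
"""Model of the Threat Emulation verdict flow described on this page.
Constructed illustration only; the sandbox itself is stubbed out."""
from collections import OrderedDict
import hashlib


class CleanHashCache:
    """Bounded, least-recently-used cache of SHA-256 hashes of clean files.

    Only clean verdicts are stored (as the page states), so a file that was
    found malicious is emulated again every time it is seen."""

    def __init__(self, max_entries):
        self.max_entries = max_entries
        self._hashes = OrderedDict()

    def contains(self, digest):
        if digest in self._hashes:
            self._hashes.move_to_end(digest)  # refresh recency on a hit
            return True
        return False

    def add(self, digest):
        self._hashes[digest] = True
        self._hashes.move_to_end(digest)
        if len(self._hashes) > self.max_entries:
            self._hashes.popitem(last=False)  # evict the least recently used hash


def decide(data, cache, emulate, wait_seconds, max_wait_seconds, fail_mode):
    """Return (verdict, emulated) for one file.

    emulate(data) -> 'clean' | 'malicious' stands in for the sandbox (assumed).
    wait_seconds is how long the file has already waited (assumed input).
    fail_mode is 'allow' or 'block', the Threat Prevention Fail Mode."""
    digest = hashlib.sha256(data).hexdigest()
    if cache.contains(digest):
        return "allow", False  # known clean: no additional emulation
    if wait_seconds > max_wait_seconds:
        # Emulation limit exceeded: Fail Mode decides, and nothing is cached
        # because no verdict was produced.
        return ("allow" if fail_mode == "allow" else "block"), False
    verdict = emulate(data)
    if verdict == "clean":
        cache.add(digest)  # only clean hashes enter the cache
        return "allow", True
    return "block", True
```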

Optimizing System Resources

The Resource Allocation settings are only for deployments that use an Emulation appliance. Threat Emulation uses system resources for emulation to identify malware and suspicious behavior. You can use the Resource Allocation settings to configure how much of the Emulation appliance resources are used for emulation. When you change these settings, it can affect the network and emulation performance. You can configure the settings for these system resources:

    • Minimum available hard disk space (if no emulation is done on a file, the Threat Prevention Fail Mode settings determine if the file is allowed or blocked)
    • Maximum available RAM that can be used for Virtual Machines

If you plan to change the available RAM, these are the recommended settings:

    • If the appliance is only used for Threat Emulation, increase the available RAM
    • If the appliance is also used for other Software Blades, decrease the available RAM

To optimize the system resources for the Emulation appliance:

  1. Double-click the Emulation appliance.

    The Gateway Properties window opens.

  2. From the navigation tree, select Threat Emulation > Advanced.

    The Advanced page opens.

  3. Emulation stops when the Log storage mechanism starts to automatically delete log files. To change the disk space threshold (Note - this value also affects the deletion of log files), navigate to Logs > Local Storage and change the <value> in When disk space is below <value> Start deleting old files. The default is 5GB.
  4. To configure the maximum amount of RAM that is available for emulation, select Limit memory allocation.

    The default value is 70% of the total RAM on the appliance.

  5. Optional: To change the amount of available RAM:
    1. Click Configure.

      The Memory Allocation Configuration window opens.

    2. Enter the value for the memory limit:
      • % of total memory - Percentage of the total RAM that Threat Emulation can use. Valid values are between 20 - 90%.
      • MB - Total MB of RAM that Threat Emulation can use. Valid values are between 512MB - 1000GB.
    3. Click OK.
  6. From When limit is exceeded traffic is accepted with track, select the action if a file is not sent for emulation:
    • None - No action is done
    • Log - The action is logged
    • Alert - An alert is sent to SmartView Monitor
  7. Click OK and then install the policy.

Managing Images for Emulation

You can define the operating system images that Threat Emulation uses, for each appliance, and for each Threat Emulation profile. If different images are defined for a profile and for an appliance, Threat Emulation will use the images that are selected in both places. An image that is selected only for the appliance or for the profile will not be used for emulation.

To manage the images that the appliance uses for emulation:

  1. Double-click the Emulation appliance.

    The Gateway Properties window opens.

  2. From the navigation tree, select Threat Emulation > Advanced.

    The Advanced page opens.

  3. From the Image Management section, select the applicable option for your network:
    • Use all the images that are assigned in the policy - The images that are configured in the Emulation Environment window are used for emulation.
    • Use specific images - Select one or more images that the Security Gateway can use for emulation.
  4. Click OK and then install the policy.

Threat Emulation Virtual Interface

The Emulation appliance must have a virtual IP address and netmask to do file emulation. This setting is not used for emulation in the ThreatCloud.

Important - Only change this virtual IP address if it is already used in your network.

To change the IP address of the virtual interface:

  1. In SmartConsole, select Manage & Settings > Blades > Threat Prevention.
  2. Under Threat Prevention, click Advanced Settings.
  3. Scroll down and from the Threat Emulation Settings section, click Configure settings.

    The Threat Emulation Settings window opens.

  4. Enter the Network and Mask for the IP address for the virtual interface.
  5. Click OK and then install the policy.