Threat Emulation connects to the ThreatCloud to update the engine and the operating system images. The default setting for the Threat Emulation appliance is to automatically update the engine and images.
The default setting is to download the package once a day.
Best Practice - Configure Threat Emulation to download the package when there is low network activity.
Update packages for the Threat Emulation operating system images are usually more than 2GB. The actual size of the update package is related to your configuration.
To enable or disable Automatic Updates for Threat Emulation:
The Updates page opens.
Update packages for the Threat Emulation operating system images are usually several gigabytes. The actual size of the update package depends on your configuration.
The default setting is to download the package once a week on Sunday. If Sunday is a work day, we recommend that you change the update setting to a non-work day.
To update the operating system image for Threat Emulation on a gateway:
The Updates page opens.
Emulation Connection Handling Mode lets you configure Threat Emulation to allow or block a connection while it finishes the analysis of a file. You can also specify a different mode for SMTP and HTTP services.
Best Practice - For configurations that use Hold mode for SMTP traffic, we recommend that you use an MTA deployment.
If you are using the Prevent action, a file that Threat Emulation already identified as malware is blocked. Users cannot get the file even in Background mode.
To configure the Threat Emulation Connection Handling Mode:
If an attachment to an email is found to be malicious, you can choose to block the original email or to allow it without the attachment.
If you choose to allow the original email, you can click Configure Mail Subject to add a message that warns the recipient not to open the email.
Best Practice - If an attachment is found to be malicious, we recommend not opening the original email.
Static Analysis optimizes file analysis by doing an initial analysis on files. If the analysis finds that the file is simple and cannot contain malicious code, the file is sent to the destination without additional emulation. Static analysis significantly reduces the number of files that are sent for emulation. If you disable it, you increase the percentage of files that are sent for full emulation. The Security Gateways do static analysis by default, and you have the option to disable it.
To disable static analysis for the Threat Prevention profile:
This setting lets you configure the system to generate a log for each file after its emulation is complete.
To only generate Threat Emulation logs for files that contain malware:
The MTA Advanced Settings window lets you configure which interfaces on the Security Gateway are listening to SMTP traffic that is sent to Threat Emulation.
Use the Mail Settings section to define these settings:
Emails that are in the MTA longer than the Maximum delayed time are blocked or allowed without processing. The Troubleshooting setting lets you receive a log or alert when one of the limits is exceeded.
To configure the MTA advanced settings:
The Mail Transfer Agent page opens.
The MTA Advanced Settings window opens.
To disable the MTA:
The MTA address can be saved in the cache. If the MTA queue is not empty, or you disable the MTA first, it is possible to lose emails that are sent to the network.
To disable MTA for email that is sent to the internal mail server:
To disable MTA for email that is sent to a different MTA:
To disable the Security Gateway as an MTA:
The Mail Transfer Agent page opens.
You can change these advanced settings on the Emulation appliance to fine-tune Threat Emulation for your deployment.
You can change the Threat Emulation protection Activation Mode of the Security Gateway or Emulation appliance. The emulation can use the Prevent action that is defined in the Threat Prevention policy or only Detect and log malware.
To configure the activation mode:
The Gateway Properties window opens.
The Threat Emulation page opens.
When you run the Threat Emulation First Time Configuration Wizard, you select the location of the emulation analysis. You can use the Threat Emulation window in Gateway Properties to change the location.
Note - The Threat Prevention policy defines the analysis location that is used for emulation.
You can send files that are not supported on the local Emulation appliance to the ThreatCloud for emulation.
To change the location of the emulation analysis:
The Gateway Properties window opens.
The Threat Emulation page opens.
If files are not supported on the Emulation appliance and they are supported in the ThreatCloud, they are sent to the ThreatCloud for emulation. No additional license is necessary for these files.
To prevent too many files from waiting for emulation, configure these emulation limits settings:
If emulation is not done on a file for one of these reasons, the Fail Mode settings for Threat Prevention define if a file is allowed or blocked.
You can configure the maximum amount of time that a file waits for the Threat Emulation Software Blade to do emulation of a file. There is a different setting that configures the maximum amount of time that emails are held in the MTA.
If the file is waiting for emulation more than the maximum time:
The Threat Emulation Engine Settings window opens.
The Threat Emulation Settings window opens.
When a Threat Emulation analysis finds that a file is clean, the file hash is saved in a cache. Before Threat Emulation sends a new file to emulation, it compares the new file to the cache. If there is a match, it is not necessary to send it for additional emulation. Threat Emulation uses the cache to help optimize network performance.
Best Practice - Do not change this setting.
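To show how the settings described in this guide interact (the static analysis prefilter, the clean-file hash cache, the maximum wait time and the Fail Mode), here is an added Python model of the decision path; it is not Check Point code. The marker-based static analysis rule, the cache holding both clean and malware verdicts, and the order of the checks are assumptions of the model.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    CLEAN = "clean"
    MALICIOUS = "malicious"


class EmulationTimeout(Exception):
    """Raised when a file waits longer than the configured maximum time."""


def static_analysis_is_simple(data: bytes) -> bool:
    # Toy stand-in for static analysis (assumption): files without an
    # executable header or an Office macro marker are treated as simple.
    return not (data.startswith(b"MZ") or b"vbaProject" in data)


class EmulationGate:
    def __init__(self, emulate, fail_open: bool, static_analysis: bool = True):
        self.emulate = emulate            # callable(bytes) -> Verdict
        self.fail_open = fail_open        # Threat Prevention Fail Mode
        self.static_analysis = static_analysis
        self.cache: dict[str, Verdict] = {}   # file hash -> verdict

    def handle(self, data: bytes) -> tuple[str, str]:
        """Return (action, reason); action is 'allow' or 'block'."""
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.cache:              # known hash: no new emulation
            v = self.cache[digest]
            return ("block" if v is Verdict.MALICIOUS else "allow", "cache")
        if self.static_analysis and static_analysis_is_simple(data):
            return ("allow", "static-analysis")   # never reaches the sandbox
        try:
            v = self.emulate(data)
        except EmulationTimeout:              # waited past the maximum time
            return ("allow" if self.fail_open else "block", "fail-mode")
        self.cache[digest] = v
        return ("block" if v is Verdict.MALICIOUS else "allow", "emulation")


def fake_emulate(data: bytes) -> Verdict:
    # Constructed stand-in for the sandbox: byte markers decide the outcome.
    if b"SLOW" in data:
        raise EmulationTimeout()
    return Verdict.MALICIOUS if b"EVIL" in data else Verdict.CLEAN


def run_demo(fail_open: bool) -> list[tuple[str, str]]:
    gate = EmulationGate(fake_emulate, fail_open=fail_open)
    samples = [b"plain text memo", b"MZ EVIL payload", b"MZ EVIL payload", b"MZ SLOW binary"]
    return [gate.handle(s) for s in samples]
```

Running `run_demo(True)` and `run_demo(False)` shows the same file being allowed or blocked on a timeout depending only on the Fail Mode, while the repeated sample is answered from the cache without a second emulation.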
The Threat Prevention Engine Settings window opens.
The Threat Emulation Settings window opens.
The Resource Allocation settings are only for deployments that use an Emulation appliance. Threat Emulation uses system resources for emulation to identify malware and suspicious behavior. You can use the Resource Allocation settings to configure how much of the Emulation appliance resources are used for emulation. When you change these settings, it can affect the network and emulation performance. You can configure the settings for these system resources:
Minimum available hard disk space (If no emulation is done on a file, the Threat Prevention Fail Mode settings determine if the file is allowed or blocked)
Maximum available RAM that can be used for Virtual Machines
If you plan to change the available RAM, these are the recommended settings:
If the appliance is only used for Threat Emulation, increase the available RAM
If the appliance is also used for other Software Blades, decrease the available RAM
To optimize the system resources for the Emulation appliance:
The Gateway Properties window opens.
The Advanced page opens.
Minimum available hard disk space: <value>. When this limit is reached, Threat Emulation starts deleting old files; you can then change the <value>. Default is 5GB.
Maximum available RAM: the default value is 70% of the total RAM on the appliance.
The Memory Allocation Configuration window opens.
You can define the operating system images that Threat Emulation uses, for each appliance, and for each Threat Emulation profile. If different images are defined for a profile and for an appliance, Threat Emulation will use the images that are selected in both places. An image that is selected only for the appliance or for the profile will not be used for emulation.
To manage the images that the appliance uses for emulation:
The Gateway Properties window opens.
The Advanced page opens.
The Emulation appliance must have a virtual IP address and netmask to do file emulation. This setting is not used for emulation in the ThreatCloud.
Important - Only change this virtual IP address if it is already used in your network.
To change the IP address of the virtual interface:
The Threat Emulation Settings window opens.