Threat Emulation - General

What can I do here?

Use this window to configure general Threat Emulation settings.

Getting Here - Security Policies Threat Prevention > Policy > Threat Tools > Profiles > Profile > Threat Emulation - General

Configuring Threat Emulation Settings

Before you define the scope for Threat Prevention, you must make sure that your DMZ interfaces are configured correctly. To do this:

1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

   The gateway window opens and shows the General Properties page.

2. From the navigation tree, click Network Management and then double-click a DMZ interface.
3. In the General page of the Interface window, click Modify.
4. In the Topology Settings window, click Override and Interface leads to DMZ.
5. Click OK and close the gateway window.

Do this procedure for each interface that goes to the DMZ.

If there is a conflict between the Threat Emulation settings in the profile and for the Security Gateway, the profile settings are used.

Note - The MIME Nesting settings are the same for Anti-Virus, Threat Emulation and Threat Extraction.

To configure Threat Emulation settings for a Threat Prevention profile:

1. In SmartConsole, select Security Policies > Threat Prevention.
2. From the Threat Tools section, click Profiles.

   The Profiles page opens.

3. Right-click the profile, and click Edit.
4. From the navigation tree, click Threat Emulation > General.
5. Select the Threat Emulation UserCheck Settings options:
   • Prevent - Select the UserCheck message that opens for a Prevent action
   • Ask - Select the UserCheck message that opens for an Ask action
6. In the Protected Scope section, select an interface type and traffic direction option:
7. Select the applicable Protocols to be emulated.
8. In the Protected Scope section, select an interface type and traffic direction option:
   • Inspect incoming files from:

     Sends only incoming files from the specified interface type for inspection. Outgoing files are not inspected. Select an interface type from the list:

     • External - Inspect incoming files from external interfaces. Files from the DMZ and internal interfaces are not inspected.
     • External and DMZ - Inspect incoming files from external and DMZ interfaces. Files from internal interfaces are not inspected.
     • All - Inspect all incoming files from all interface types.
   • Inspect incoming and outgoing files - Sends all incoming and outgoing files for inspection.
9. Optional: Configure how Threat Emulation does emulation for SMTP traffic. Click the Mail link.
10. Select the File Types to be emulated.
11. In Archives, click Configure to block archives that contain file types selected in the list.
12. Click OK and close the Threat Prevention profile window.
13. Install the Threat Prevention policy.

Threat Emulation General Settings

On the Threat Emulation > General page, you can configure these settings:

• UserCheck Settings:
  • Prevent - Select the UserCheck message that opens for a Prevent action
  • Ask - Select the UserCheck message that opens for an Ask action
• Protected Scope. Select an interface type and traffic direction option:
  • Inspect incoming files from the following interfaces:

    Sends only incoming files from the specified interface type for inspection. Outgoing files are not inspected. Select an interface type from the list:

    • External - Inspect incoming files from external interfaces. Files from the DMZ and internal interfaces are not inspected.
    • External and DMZ - Inspect incoming files from external and DMZ interfaces. Files from internal interfaces are not inspected.
    • All - Inspect all incoming files from all interface types.
  • Inspect incoming and outgoing files - Sends all incoming and outgoing files for inspection.
• Protocols to be emulated.
  • HTTP
  • Mail (SMTP) - Click Mail to configure the SMTP traffic inspection by the Threat Emulation blade. This links you to the Mail page of the Profile settings.
• File Types. Here you can configure the Threat Emulation Action and Emulation Location for each file type scanned by the Threat Emulation blade. Select one of these:
  • Process all enabled file types - This option is selected by default. Click the blue link to see the list of supported file types. Out of the supported file types, select the files to be scanned by the Threat Emulation blade.

    Note - you can find this list of supported file types also in Manage & Settings view > Blades > Threat Prevention > Advanced Settings > Threat Emulation > File Type Support.

  • Process specific file type families - Click Configure to change the action or emulation location for the scanned file types.

    To change the emulation action for a file type, click the applicable action in the Action column and select one of these options:

    • Inspect - The Threat Emulation blade scans these files.
    • Bypass - Files of this type are considered safe and the Software Blade does not do emulation for them.

    To change the emulation location for a file type, click Emulation Location and select one of these options:

    • According to gateway - The Emulation Location is according to the settings defined in the Gateway Properties window of each gateway.
    • Locally - Emulation for these file types is done on the gateway.
    • ThreatCloud - These file types are sent to the ThreatCloud for emulation.
• Archives - Block archives containing these prohibited file types. Click Configure to select the prohibited file types. If a prohibited file type is in an archive, the gateway drops the archive.

Emulation Environment

You can use the Emulation Environment window to configure the emulation location and images that are used for this profile:

• The Analysis Locations section lets you select where the emulation is done
  • Check Point ThreatCloud - Files are sent to the Check Point ThreatCloud for emulation. The emulation in the ThreatCloud is identical to a local emulation but it does not use CPU, RAM, and disk space on a local appliance. When you configure ThreatCloud emulation, a secure SSL connection is created between the company's Security Gateway and the ThreatCloud. Files are sent to the ThreatCloud over this secure connection for emulation. The results are sent back to the Security Gateway and the applicable action is done to the file.
  • Local Threat Emulation appliance - The Emulation appliance that does the emulation and file analysis. Threat Emulation uses the CPU, RAM and disk space of the appliance to do the emulation.
  • Other Threat Emulation appliance - Enable Threat Emulation on a Security Gateway and select the Emulation appliance that does the emulation.
  • To use the Security Gateway settings for the location of the virtual environment, click According to the gateway.
  • To configure the profile to use a different location of the virtual environment, click Specify and select the applicable option.

    Note - In the Remote Emulation Appliances option, for R80.10 gateways with Jumbo Hotfix and R80.20 gateways, you can select multiple appliances for remote emulation. For older gateways, you can select only one appliance for remote emulation.

• The Environments section lets you select the operating system images on which the emulation is run. If the images defined in the profile and the Security Gateway or Emulation appliance are different, the profile settings are used.

  These are the options to select the emulation images:

  • To use the emulation environments recommended by Check Point security analysts, click Use Check Point recommended emulation environments
  • To select other images for emulation, that are closest to the operating systems for the computers in your organization, click Use the following emulation environments

Advanced Threat Emulation Settings

• Emulation Connection Handling Mode lets you configure Threat Emulation to allow or block a connection while it finishes the analysis of a file. You can also specify a different mode for SMTP and HTTP services.
  • Background - The connection is allowed and the file goes to the destination even if the emulation is not finished.
  • Hold - A connection that must have emulation is blocked and Threat Emulation holds the file until the emulation is complete. This option can create a time-delay for users to receive emails and files.
  • Custom - Lets you configure different modes for HTTP and SMTP. For example, you can set HTTP to Background and SMTP to Hold.

  Best Practice - For configurations that use Hold mode for SMTP traffic, we recommend that you use an MTA deployment.

  If you use the Prevent action, a file that Threat Emulation already identified as malware is blocked. Users cannot get the file even in Background mode.

• Static Analysis optimizes file analysis by doing an initial analysis on files. If the analysis finds that the file is simple and cannot contain malicious code, the file is sent to the destination without additional emulation. Static analysis significantly reduces the number of files that are sent for emulation. If you disable it, you increase the percentage of files that are sent for full emulation. The Security Gateways do static analysis by default, and you have the option to disable it.
• Logging lets you configure the system to generate logs for each file after emulation is complete.