Automatic Threat Analysis Settings

Define the automatic threat analysis settings in the Triggers and Automatic Response Action.

The automatic options are:

• Automatically analyze threats - Analyze incidents based on Check Point's recommended triggers (default).
• Automatically analyze and remediate infections - Analyze incidents based on Check Point's recommended triggers and apply remediation automatically.
• Do not analyze threats - Automatic Forensics analysis is turned off.

You can edit the selections manually to define when these processes occur.

The confidence level is how sure Endpoint Security is that a file is malicious. High confidence means that it is almost certain that a file is malicious. Medium confidence means that it is very likely that a file is malicious.

• Forensics Analysis - When Forensics analysis occurs.
• File Quarantine - When files are quarantined for Threat Emulation and Anti-Bot.
• Machine Quarantine - When machines are quarantined. If a computer is quarantined, the Firewall restricts network access.
• Attack Remediation - When remediation occurs for components that are part of an attack.

To granularly edit which type of events trigger a Forensics response:

1. In a SandBlast Agent Forensics and Remediation rule, right-click the Automatic Threat Analysis Action and select Edit Shared Action.
2. Click Override confidence level per specific event.

You can override the settings of the rule for up to five different events.

The Triggers include:

• Events detected by Endpoint Security components: Anti-Bot, Threat Emulation, Anti-Malware
• Events detected by Network components: Anti-Bot, Threat Emulation, Anti-Malware, URL Filtering

Configuring Network Blades for Forensics Triggers and Remediation

To make triggers and remediation work for events detected by Network Threat Prevention components, you must configure gateway policy for the Threat Prevention components: Anti-Bot, Anti-Virus, and Threat Emulation.

Each component must be enabled and have Protection settings of Prevent or Ask, which include UserCheck.

Best practice is to use the Threat Prevention Recommended Profile (default) that includes all required settings.