
Creating Threat Prevention Rules

In This Section:

Configuring Mail Settings

Configuring IPS Profile Settings

Configuring Anti-Virus Settings

Configuring Anti-Bot Settings

Configuring Threat Emulation Settings

Configuring Threat Extraction Settings

Configuring a Malware DNS Trap

Exception Rules

Create and manage the policy for the Threat Prevention Software Blade as part of the Threat Prevention Policy.

Click the Add Rule button to get started.

Best Practice - Disable a rule when you work on it. Enable the rule when you want to use it. Disabled rules do not affect the performance of the Gateway. To disable a rule, right click in the No. column of the rule and select Disable.

Configuring Mail Settings

General

Malicious Email Policy on MTA Gateways

In this section you can decide whether to block or allow an email that was found to be malicious.

If you allow the email, you can select any or all of these options:

Send a copy to the following list - This option is available whether you allow or block the malicious email. With this option, the original email (with the malicious attachments and links) is attached to a new email, which contains the verdict list with the neutralized links and attachment file names, and the SMTP envelope information. You can configure the email content on the gateway. You can use this option for research purposes. For example: the Incident Response Team needs to examine the emails received in the organization for improved security and protection.

Use Case

The configuration in the Mail page lets you block or allow malicious emails. However, you do not want to configure a global decision regarding all malicious emails. You prefer to make a decision for each email separately, on a case-by-case basis. For that purpose, you need to create a system in which Threat Emulation allows the emails, but does not send them to the recipient right away. Instead, it puts them in a container where you can check them and then decide whether to block or allow them.

To configure external quarantine for malicious emails:

In SmartConsole:

  1. Enable MTA on your gateway.
  2. Clone the Profile you wish to configure and rename it.
  3. In the new profile, go to Mail > General > Malicious Email Policy on MTA Gateways and select Allow the email.
  4. Clear Remove attachments and links.
  5. Select Add an X-Header to the email.

    Note - When you add an X-Header to the email, the rest of the email is kept in the email's original form. The other options: Remove attachments and links, Add a prefix to the email subject and Add customized text to the email body, change the email, and therefore must be cleared.

  6. Click OK.
  7. Install Policy.

In the Next Hop:

  1. Configure a rule which quarantines all emails which were marked with an X-Header by the MTA.

You can now see the emails in the Next Hop in their original forms and examine them. After you examine the emails in the Next Hop, you can decide whether to allow or block them.
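The Next Hop side of this procedure, as an added example that is not part of the original guide and not Check Point code: a small Python routine that decides, for each message the MTA hands on, whether to quarantine it by the presence of the X-Header, and produces the summary an examiner needs (sender, subject, verdict header, attachment file names) without opening any attachment. The header name X-Placeholder-Malicious-Verdict and the sample messages are constructed; the real header is whatever the profile was configured to add, and the match must be exact.

```python
import email
from email import policy

# Constructed placeholder: the real header name and value are whatever the
# Threat Prevention profile was configured to add, and must match exactly.
MALICIOUS_HEADER = "X-Placeholder-Malicious-Verdict"

# Constructed sample messages as the next hop would receive them from the MTA.
MESSAGES = {
    "marked.eml": (
        "From: sender@example.com\r\n"
        "To: user@example.net\r\n"
        "Subject: invoice\r\n"
        f"{MALICIOUS_HEADER}: malicious\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "see attached\r\n"
        "--b1\r\n"
        "Content-Type: application/octet-stream\r\n"
        'Content-Disposition: attachment; filename="invoice.exe"\r\n'
        "\r\n"
        "not a real executable\r\n"
        "--b1--\r\n"
    ),
    "clean.eml": (
        "From: colleague@example.net\r\n"
        "To: user@example.net\r\n"
        "Subject: lunch\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "noon?\r\n"
    ),
}


def parse(raw: str):
    return email.message_from_string(raw, policy=policy.default)


def is_marked_malicious(raw: str) -> bool:
    """True when the MTA stamped the message with the configured X-Header.
    Header-name matching is case-insensitive, as RFC 5322 requires."""
    return parse(raw).get(MALICIOUS_HEADER) is not None


def route(raw: str) -> str:
    """Next-hop decision: marked messages go to quarantine, others are delivered."""
    return "quarantine" if is_marked_malicious(raw) else "deliver"


def route_all(messages: dict) -> dict:
    return {name: route(raw) for name, raw in messages.items()}


def summarize(raw: str) -> dict:
    """What an examiner needs to decide on a quarantined message, without
    opening any attachment: sender, subject, verdict header, attachment names."""
    msg = parse(raw)
    return {
        "from": str(msg["From"]),
        "subject": str(msg["Subject"]),
        "verdict": str(msg.get(MALICIOUS_HEADER)),
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
    }


if __name__ == "__main__":
    for name, decision in route_all(MESSAGES).items():
        print(name, "->", decision)
        if decision == "quarantine":
            print("  ", summarize(MESSAGES[name]))
```

Because the profile leaves the message otherwise untouched (the reason the other options must be cleared), the quarantine copy is exactly what the recipient would have received, which is what makes a later "allow" decision safe to act on.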

Exceptions

You can exclude specific email addresses from the Threat Emulation or Threat Extraction protections.

To exclude emails from Threat Emulation:

  1. In Emulation Exceptions, click Configure.
  2. In the Recipients section, click the + button to enter one or more emails.

    Emails and attachments that are sent to these recipients will not be sent for emulation.

  3. In the Senders section, click the + button to enter one or more emails.

    Emails and attachments that are received from these senders will not be sent for emulation.

    Note - You can use a wildcard character to exclude more than one email address from a domain.

  4. Click OK.

Note - If you want to do emulation on outgoing emails, make sure that you set the Protected Scope to Inspect incoming and outgoing files.
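The recipient and sender exceptions above, with the wildcard from the Note, as an added example that is not part of the original guide and does not reproduce the gateway's own matching code: a Python check that decides whether a message is exempt from emulation. The exception lists and the four sample messages are constructed, and the "*" wildcard is interpreted with fnmatch. The "lookalike" sample shows why the match must be made on the address itself and never on the display name.

```python
import email
import fnmatch
from email import policy
from email.utils import getaddresses

# Constructed exception lists. The "*" wildcard is interpreted here with
# fnmatch; the gateway's own wildcard syntax is not reproduced.
RECIPIENT_EXCEPTIONS = ["soc-sandbox@example.net"]
SENDER_EXCEPTIONS = ["*@trusted-partner.example"]

# Constructed sample messages.
SAMPLES = {
    "partner": (
        "From: Billing <billing@trusted-partner.example>\r\n"
        "To: user@example.net\r\n"
        "Subject: statement\r\n\r\nattached\r\n"
    ),
    "sandbox": (
        "From: user@example.net\r\n"
        "To: soc-sandbox@example.net\r\n"
        "Subject: please check\r\n\r\nsuspicious file attached\r\n"
    ),
    "ordinary": (
        "From: stranger@example.org\r\n"
        "To: user@example.net\r\n"
        "Subject: hello\r\n\r\nfile attached\r\n"
    ),
    # Display name imitates an excluded sender; the actual address does not match.
    "lookalike": (
        'From: "billing@trusted-partner.example" <other@example.org>\r\n'
        "To: user@example.net\r\n"
        "Subject: statement\r\n\r\nattached\r\n"
    ),
}


def _addresses(msg, *headers):
    """Addresses (not display names) from the given headers, lower-cased."""
    values = [str(v) for h in headers for v in msg.get_all(h, [])]
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def _matches(addr, patterns):
    return any(fnmatch.fnmatchcase(addr, p.lower()) for p in patterns)


def emulation_exemption(raw, recipient_exceptions=RECIPIENT_EXCEPTIONS,
                        sender_exceptions=SENDER_EXCEPTIONS):
    """Return why the message skips emulation, or None if it should be emulated.
    Assumption: one matching recipient (To or Cc) is enough to exempt the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    for addr in _addresses(msg, "To", "Cc"):
        if _matches(addr, recipient_exceptions):
            return f"recipient {addr}"
    for addr in _addresses(msg, "From"):
        if _matches(addr, sender_exceptions):
            return f"sender {addr}"
    return None


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {emulation_exemption(raw) or 'emulate'}")
```

Keep sender exceptions narrow: a wildcard domain exception is only as trustworthy as the sender authentication (SPF/DKIM/DMARC) that protects that domain from being spoofed in the From address.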

To exclude emails from Threat Extraction:

  1. In Extraction Exclusion/Inclusion:
    • Select Scan all emails (selected by default) and click Exceptions.

      Click the + button to exclude specific recipients, users, groups or senders.

    • Select Scan mail only for specific users or groups and click Configure.

      Click the Add button to exclude specific User Groups, Recipients or Senders.

  2. Click OK.

Examples:

A user is an object that can contain an email address with other details.

A group is an AD group or an LDAP group of users.

A recipient is an email address only.

Important: In the main SmartConsole menu > Global Properties > User Directory, make sure that you selected Use User Directory for Security Gateways.

Signed Email Attachments

Signed emails are not encrypted, but the mail contents are signed to authenticate the sender. If the received email differs from the email that was sent, the recipient gets a warning, and the digital signature is no longer valid.

Clean replaces the original attachment with an attachment cleaned of threats, or converts the attachment to PDF form. Both actions invalidate the digital signature. If the attachment does not include active content, the mail remains unmodified and the digital signature valid.

Allow does not change the email. The digital signature remains valid. Select this option to prevent altering digital signatures.

MIME Nesting

This is an optional configuration. In this section, you can configure the maximum number of MIME nesting levels to be scanned (A nesting level is an email within an email). These settings are the same for Anti-Virus, Threat Emulation and Threat Extraction.
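To make the nesting-level idea concrete, here is an added Python example that is not part of the original guide and not Check Point code. It builds constructed messages with zero, one and three levels of "an email within an email" (message/rfc822 parts), computes the nesting depth the way a scanner would have to walk the MIME tree, and compares it with a constructed limit of 2 that stands in for the value configured in the profile. A message deeper than the limit is the one the scanner would stop unpacking, which is why the limit is a security setting and not only a performance one.

```python
import email
from email import policy
from email.message import EmailMessage

MAX_NESTING_LEVELS = 2  # constructed limit standing in for the profile's value


def _plain(subject, text):
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(text)
    return m


def _forward(inner, subject):
    """Wrap a message inside another as a message/rfc822 attachment (a forward)."""
    outer = EmailMessage()
    outer["Subject"] = subject
    outer.set_content("see the forwarded message below")
    outer.add_attachment(inner)  # attached with Content-Type: message/rfc822
    return outer


# Constructed samples, serialised as they would arrive on the wire.
_base = _plain("original", "hello")
SAMPLES = {
    "flat": _base.as_string(),
    "once": _forward(_base, "Fwd: original").as_string(),
    "thrice": _forward(_forward(_forward(_base, "Fwd"), "Fwd: Fwd"),
                       "Fwd: Fwd: Fwd").as_string(),
}


def mime_nesting_depth(msg) -> int:
    """Deepest chain of message/rfc822 parts below this message.
    0 means the message contains no nested email."""
    own = 1 if msg.get_content_type() == "message/rfc822" else 0
    if not msg.is_multipart():
        return own
    return own + max((mime_nesting_depth(p) for p in msg.get_payload()), default=0)


def nesting_verdict(raw, max_levels=MAX_NESTING_LEVELS):
    """(depth, within_limit). within_limit is False when the message nests
    deeper than the scanner is configured to unpack."""
    msg = email.message_from_string(raw, policy=policy.default)
    depth = mime_nesting_depth(msg)
    return depth, depth <= max_levels


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        depth, ok = nesting_verdict(raw)
        print(f"{name}: depth {depth}, {'within limit' if ok else 'exceeds limit'}")
```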

Configuring Inspection of Links Inside Mail

Inspection of Links Inside Mail scans URL links in email messages. Inspection of Links Inside Mail is on by default, and is supported with the Anti-Virus, Anti-Bot and Threat Emulation blades. Inspection of Links Inside Mail scans incoming mail with the Anti-Virus Software Blade and outgoing mail with Anti-Bot Software Blade. For the Threat Emulation blade, only URL links to files are scanned. You must enable MTA for Inspection of Links Inside Mail to work with the Threat Emulation blade.

On this page, you can configure these settings:

To turn off Inspection of Links Inside Mail:

  1. Go to Security Policies > Threat Prevention > Threat Tools > Protections.
  2. Right-click on a Links Inside Mail protection, and select Inactive Selected.

    Note - For each Software Blade (Anti-Bot and Anti-Virus) you must turn off the Links Inside Mail separately.

To turn on Inspection of Links Inside Mail:

  1. Go to Security Policies > Threat Prevention > Threat Tools > Protections.
  2. Right-click on a Links Inside Mail protection, and select one of these -
    • Prevent Selected
    • Detect Selected

Configuring IPS Profile Settings

To configure IPS settings for a Threat Prevention profile:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click Profiles.

    The Profiles page opens.

  3. Right-click the profile, and click Edit.
  4. From the navigation tree, click IPS > Additional Activation.
  5. Configure the customized protections for the profile.
  6. From the navigation tree, click IPS > Updates.
  7. Configure the settings for newly downloaded IPS protections.
  8. If you import IPS profiles from a pre-R80 deployment:
    1. From the navigation tree, click IPS > Pre-R80 Settings.
    2. Activate the applicable Client and Server protections.
    3. Configure the IPS protection categories to exclude from this profile.

    Note - These categories are different from the protections in the Additional Activation page.

  9. Click OK.
  10. Install Policy.

Updates

There are numerous protections available in IPS. It takes time to become familiar with those that are relevant to your environment. Some are easily configured for basic security and can be safely activated automatically.

In the Threat Prevention profile, you can configure an updates policy for IPS protections that were newly updated. You can do this with the IPS > Updates page in the Profiles navigation tree. Select one of these settings for Newly Updated Protections:

Best Practice - In the beginning, allow IPS to activate protections based on the IPS policy. During this time, you can analyze the alerts that IPS generates and how it handles network traffic, while you minimize the impact on the flow of traffic. Then you can manually change the protection settings to suit your needs.

Pre R80 Settings

The Pre-R80 Settings are relevant for the pre-R80 gateways only.

Protections Activation

Activate protections of the following types:

Excluded Protections Categories

Do not activate protections of the following categories - The IPS protection categories you select here are not automatically activated. They are excluded from the Threat Prevention policy rule that has this profile in the action of the Rule Base.

Configuring Anti-Virus Settings

You can configure Threat Prevention to exclude files from inspection, such as internal emails and internal file transfers. These settings are based on the interface type (internal or external, as defined in SmartConsole) and traffic direction (incoming or outgoing).

Before you define the scope for Threat Prevention, you must make sure that your DMZ interfaces are configured correctly. To do this:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Network Management and then double-click a DMZ interface.
  3. In the General page of the Interface window, click Modify.
  4. In the Topology Settings window, click Override and Interface leads to DMZ.
  5. Click OK and close the gateway window.

    Perform this procedure for each interface that goes to the DMZ.

You can configure these Anti-Virus settings in the Anti-Virus page:

Enabling Archive Scanning

You can configure the Anti-Virus settings to enable archive scanning. The Anti-Virus engine unpacks archives and applies proactive heuristics. The use of this feature impacts network performance.

Select Enable Archive scanning (impacts performance) and click Configure:

  1. Stop processing archive after (seconds) - Sets the time, in seconds, after which the gateway stops processing the archive. The default is 30 seconds.
  2. When maximum time is exceeded (action on file) - Sets to block or allow the file when the time for processing the archive is exceeded. The default setting is Allow.

Blocking Viruses

To block viruses and malware in your organization:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.
  2. In the General Properties page, select the Anti-Virus Software Blade.

    The First Time Activation window opens.

  3. Select According to the Anti-Bot and Anti-Virus policy and click OK.
  4. Close the gateway Properties window and publish the changes.
  5. Click Security Policies > Threat Prevention > Policy > Threat Prevention.
  6. Click Add Rule.

    A new rule is added to the Threat Prevention policy. The Software Blade applies the first rule that matches the traffic.

  7. Make a rule that includes these components:
    • Name - Give the rule a name such as Block Virus Activity.
    • Protected Scope - The list of network objects you want to protect. In this example, the Any network object is used.
    • Action - The Profile that contains the protection settings you want. The default profile is Optimized.
    • Track - The type of log you want to get when detecting malware on this scope. In this example, keep Log and also select Packet Capture to capture the packets of malicious activity. You will then be able to view the actual packets in SmartConsole > Logs & Monitor > Logs.
    • Install On - Keep it as All or choose specified gateways to install the rule on.
  8. Install the Threat Prevention policy.

Configuring Anti-Bot Settings

Here you can configure the Anti-Bot UserCheck Settings:

Blocking Bots

To block bots in your organization, install this default Threat Policy rule that uses the Optimized profile, or create a new rule.

  • Protected Scope - Any
  • Action - Optimized
  • Track - Log, Packet Capture
  • Install On - Policy Targets

To block bots in your organization:

  1. In SmartConsole, click Gateways & Servers.
  2. Enable the Anti-Bot Software Blade on the Gateways that protect your organization. For each Gateway:
    1. Double-click the Gateway object.
    2. In the Gateway Properties page, select the Anti-Bot Software Blade.

      The First Time Activation window opens.

    3. Select According to the Anti-Bot and Anti-Virus policy
    4. Click OK.
  3. Click Security Policies > Threat Prevention > Policy > Threat Prevention.

    You can block bots with the out-of-the-box Threat Prevention policy rule with the default Optimized Profile.

    Alternatively, add a new Threat Prevention rule:

    1. Click Add Rule.

      A new rule is added to the Threat Prevention policy. The Software Blade applies the first rule that matches the traffic.

    2. Make a rule that includes these components:
      • Name - Give the rule a name such as Block Bot Activity.
      • Protected Scope - The list of network objects you want to protect. By default, the Any network object is used.
      • Action - The Profile that contains the protection settings you want. The default profile is Optimized.
      • Track - The type of log you want to get when the gateway detects malware on this scope.
      • Install On - Keep it as Policy Targets or select Gateways to install the rule on.
  4. Install the Threat Prevention policy.

Monitoring Bot Activity

Scenario: I want to monitor bot activity in my organization without blocking traffic at all. How can I do this?

In this example, you will create this Threat Prevention rule, and install the Threat Prevention policy:

  • Name - Monitor Bot activity
  • Protected Scope - Any
  • Action - A profile that has these changes relative to the Optimized profile: go to the General Policy pane > Activation Mode section, and set all Confidence levels to Detect.
  • Track - Log
  • Install On - Policy Targets

To monitor all bot activity:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. Create a new profile:
    1. From the Threat Tools section, click Profiles.

      The Profiles page opens.

    2. Right-click a profile and select Clone.
    3. Give the profile a name such as Monitoring_Profile.
    4. Edit the profile, and under Activation Mode, configure all confidence level settings to Detect.
    5. Select the Performance Impact - for example, Medium or lower.

    This profile detects, without blocking, attacks identified with low, medium or high confidence whose protections have a medium or lower performance impact.

  3. Create a new rule:
    1. Click Threat Prevention > Policy > Threat Prevention.
    2. Add a rule to the Rule Base.

      The first rule that matches is applied.

    3. Make a rule that includes these components:
      • Name - Give the rule a name such as Monitor Bot Activity.
      • Protected Scope - Keep Any so the rule applies to all traffic in the organization.
      • Action - Right-click in this cell and select Monitoring_Profile.
      • Track - Keep Log.
      • Install On - Keep it as Policy Targets or choose Gateways to install the rule on.
  4. Install the Threat Prevention policy.

Disabling a Protection on One Server

Scenario: The protection Backdoor.Win32.Agent.AH blocks malware on Windows servers. How can I change this protection to detect for one server only?

In this example, create this Threat Prevention rule, and install the Threat Prevention policy:

The rule:

  • Name - Monitor Bot Activity
  • Protected Scope - Any
  • Protection/Site - N/A
  • Action - A profile based on the Optimized profile. Edit this profile > go to the General Policy pane > in the Activation Mode section, set every Confidence to Prevent.
  • Track - Log
  • Install On - Policy Targets

The exception:

  • Name - Exclude
  • Protected Scope - Server_1
  • Protection/Site - Backdoor.Win32.Agent.AH
  • Action - Detect
  • Track - Log
  • Install On - Server_1

To add an exception to a rule:

  1. In SmartConsole, click Threat Prevention > Policy > Layer.
  2. Click the rule that contains the scope of Server_1.
  3. Click the Add Exception toolbar button to add the exception to the rule. The gateway applies the first exception matched.
  4. Right-click the rule and select New Exception.
  5. Configure these settings:
    • Name - Give the exception a name such as Exclude.
    • Protected Scope - Change it to Server_1 so that it applies to all detections on the server.
    • Protection/Site - Click + in the cell. From the drop-down menu, click the category and select one or more of the items to exclude.

      Note - To add EICAR files as exceptions, you must add them as Whitelist Files. When you add EICAR files through Exceptions in Policy rules, the gateway still blocks them if archive scanning is enabled.

    • Action - Keep it as Detect.
    • Track - Keep it as Log.
    • Install On - Keep it as Policy Targets or select specified gateways to install the rule on.
  6. Install Policy.

Configuring Threat Emulation Settings

Before you define the scope for Threat Prevention, you must make sure that your DMZ interfaces are configured correctly. To do this:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Network Management and then double-click a DMZ interface.
  3. In the General page of the Interface window, click Modify.
  4. In the Topology Settings window, click Override and Interface leads to DMZ.
  5. Click OK and close the gateway window.

Do this procedure for each interface that goes to the DMZ.

If there is a conflict between the Threat Emulation settings in the profile and for the Security Gateway, the profile settings are used.

To configure Threat Emulation settings for a Threat Prevention profile:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click Profiles.

    The Profiles page opens.

  3. Right-click the profile, and click Edit.
  4. From the navigation tree, go to Threat Emulation and configure these settings:
    1. General Threat Emulation Settings.
    2. Emulation Environment
    3. Advanced Threat Emulation Settings.
  5. Click OK and close the Threat Prevention profile window.
  6. Install the Threat Prevention policy.

Selecting the Threat Emulation Action

What are the available emulation actions that I can use with a Threat Emulation profile?

Threat Emulation General Settings

On the Threat Emulation > General page, you can configure these settings:

UserCheck Settings:

Protected Scope:

Select an interface type and traffic direction option:

Protocols

Protocols to be emulated:

File Types

Here you can configure the Threat Emulation Action and Emulation Location for each file type scanned by the Threat Emulation blade. Select one of these:

Archives

Block archives containing these prohibited file types. Click Configure to select the prohibited file types. If a prohibited file type is in an archive, the gateway drops the archive.

Emulation Environment

You can use the Emulation Environment window to configure the emulation location and images that are used for this profile:

Advanced Threat Emulation Settings

Preparing for Local or Remote Emulation

Prepare the network and Emulation appliance for a Local or Remote deployment in the internal network.

  1. Open SmartConsole.
  2. Create the network object for the Emulation appliance.
  3. If you are running emulation on HTTPS traffic, configure the settings for HTTPS Inspection.
  4. Make sure that the traffic is sent to the appliance according to the deployment:
    • Local Emulation - The Emulation appliance receives the traffic. The appliance can be configured to receive traffic in the same way as a Security Gateway.
    • Remote Emulation - The traffic is routed to the Emulation appliance.

Configuring Threat Extraction Settings

To configure Threat Extraction settings for a Threat Prevention profile:

  1. In the Security Policies view > Threat Tools section, click Profiles.
  2. Right-click a profile and select Edit.

    The Profiles properties window opens.

  3. On the General Policy page in the Blade Activation area, select Threat Extraction.
  4. Configure these Threat Extraction Settings:
  5. Click OK.

Note - You can configure some of the Threat Extraction features in a configuration file, in addition to the CLI and GUI. See sk114613.

Threat Extraction General Settings

On the Threat Extraction > General page, you can configure these settings:

UserCheck Settings

Protocol

For information on storage of the original files, see Storage of Original Files.

Extraction Method

Extraction Settings

File Types

Notes:

For e-mail attachments:

Protected Scope

Threat Extraction protects incoming files from external interfaces and DMZ. The user cannot configure the protected scope.

Threat Extraction Advanced Settings

On the Threat Extraction > Advanced page, you can configure these settings:

Configuring Threat Extraction on the Security Gateway

To configure the Threat Extraction blade on the gateway:

  1. Enable the Threat Extraction Blade:
    1. On the General Properties > Network Security tab, select Threat Extraction.

      The Threat Extraction First Time Activation Wizard opens.

    2. Optional: If you want Threat Extraction to scan email attachments, you must enable the MTA and configure the Domain and Next Hop.

      If you do not want Threat Extraction to scan email attachments, click Skip this configuration now.

    3. Click Next.
    4. Click Finish.
  2. In the Gateways & Servers view, open the gateway properties > Threat Extraction page.
  3. Make sure the Activation Mode is set to Active.
  4. In the Resource Allocation section, configure the resource settings.
  5. Click OK.
  6. Install the Access Control Policy.

In addition to configuring Threat Extraction on the gateway, enable Threat Extraction to scan one or all of these types of documents:

Configuring a Malware DNS Trap

The Malware DNS trap works by configuring the Security Gateway to return a false (bogus) IP address for known malicious hosts and domains. You can use the Security Gateway's external IP address as the DNS trap address but:

You can also add internal DNS servers to better identify the origin of malicious DNS requests.

Using the Malware DNS Trap you can detect compromised clients by checking logs with connection attempts to the false IP address.

At the Security Gateway level, you can configure the DNS Trap according to the profile settings or as a specific IP address for all profiles on the specific gateway.
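The detection step described above (checking logs for connection attempts to the false IP address), as an added Python example that is not part of the original guide and not Check Point code. The trap address 203.0.113.9 and the simplified key=value log lines are constructed; a real gateway log export has more fields, so LINE_RE is the part to adapt. The script groups attempts to the trap address by source host, since any host that connected to it first resolved a name the gateway considers malicious, and lists the most active sources first so triage starts with them.

```python
import re

# Constructed placeholder for the address configured as the Malware DNS Trap.
TRAP_IP = "203.0.113.9"

# Constructed connection-log lines in a simplified key=value form; real gateway
# logs carry more fields, so adapt LINE_RE to the export you actually have.
LOG_LINES = [
    "2024-05-01T09:00:01Z src=10.1.2.3 dst=203.0.113.9 dport=443 proto=tcp",
    "2024-05-01T09:00:05Z src=10.1.2.3 dst=198.51.100.20 dport=443 proto=tcp",
    "2024-05-01T09:01:10Z src=10.1.5.7 dst=203.0.113.9 dport=80 proto=tcp",
    "2024-05-01T09:02:30Z src=10.1.2.3 dst=203.0.113.9 dport=8080 proto=tcp",
    "this line is not a connection record",
    "2024-05-01T09:03:00Z src=10.1.2.3 dst=203.0.113.9 dport=443 proto=tcp",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one record; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_trap_hits(lines, trap_ip=TRAP_IP):
    """Group connection attempts to the trap address by source host.
    A host that resolved a malicious name received the trap IP and then tried
    to connect to it, so every source listed here is a candidate compromised client."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] != trap_ip:
            continue
        h = hits.setdefault(
            rec["src"], {"count": 0, "ports": set(), "first": rec["ts"], "last": rec["ts"]}
        )
        h["count"] += 1
        h["ports"].add(rec["dport"])
        # ISO 8601 UTC timestamps of identical form compare correctly as strings
        h["first"] = min(h["first"], rec["ts"])
        h["last"] = max(h["last"], rec["ts"])
    # most active sources first
    return dict(sorted(hits.items(), key=lambda kv: -kv[1]["count"]))


if __name__ == "__main__":
    for src, h in find_trap_hits(LOG_LINES).items():
        print(f"{src}: {h['count']} attempt(s) to the DNS trap, "
              f"ports {sorted(h['ports'])}, {h['first']} .. {h['last']}")
```

If the trap address is the gateway's own external IP, filter out legitimate traffic to that address (for example, VPN or management connections) before treating a source as suspicious; a dedicated unused address avoids that ambiguity.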

To set the Malware DNS Trap parameters for the profile:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click Profiles.

    The Profiles page opens.

  3. Right-click the profile, and click Edit.
  4. From the navigation tree, click Malware DNS Trap.
  5. Click Activate DNS Trap.
  6. Enter the IP address for the DNS trap.
  7. Optional: Add Internal DNS Servers to identify the origin of malicious DNS requests.
  8. Click OK and close the Threat Prevention profile window.
  9. Install the Threat Prevention policy.

To set the Malware DNS Trap parameters for a gateway:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, select Anti-Bot and Anti-Virus.
  3. In the Malicious DNS Trap section, select one of these options:
    • According to profile settings - Use the Malware DNS Trap IP address configured for each profile.
    • IPv4 - Enter an IP address to be used in all the profiles assigned to this Security Gateway.
  4. Click OK.
  5. Install the policy.

Exception Rules

If necessary, you can add an exception directly to a rule. An exception sets a different Action for an object in the Protected Scope from the Action specified in the Threat Prevention rule. In general, exceptions are designed to give you the option to reduce the level of enforcement of a specific protection, not to increase it. For example: the Research and Development (R&D) network protections are included in a profile with the Prevent action. You can define an exception which sets the specific R&D network to Detect. For some Anti-Bot and IPS signatures only, you can define exceptions which are stricter than the profile action.

You can add one or more exceptions to a rule. The exception is added as a shaded row below the rule in the Rule Base. It is identified in the No. column with the rule's number plus the letter E and a digit that represents the exception number. For example, if you add two exceptions to rule number 1, two lines are added and shown in the Rule Base as E-1.1 and E-1.2.

You can use exception groups to group exceptions that you want to use in more than one rule. See the Exceptions Groups Pane.

You can expand or collapse the rule exceptions by clicking on the minus or plus sign next to the rule number in the No. column.

To add an exception to a rule:

  1. In the Policy pane, select the rule to which you want to add an exception.
  2. Click Add Exception.
  3. Select the Above, Below, or Bottom option according to where you want to place the exception.
  4. Enter values for the columns, including these:
    • Protected Scope - Change it to reflect the relevant objects.
    • Protection - Click the plus sign in the cell to open the Protections viewer. Select the protection(s) and click OK.
  5. Install Policy.

Note - You cannot set an exception rule to an inactive protection or an inactive blade.
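The matching semantics this section describes (first matching rule applies, and within it the first matching exception, numbered E-1.1, E-1.2 and so on) as an added Python model that is not part of the original guide and not Check Point code. It replays the "Disabling a Protection on One Server" scenario from earlier on this page and adds a check that lists exceptions whose action is stricter than their rule's, so they can be reviewed against the statement that such exceptions are only possible for some Anti-Bot and IPS signatures. The rule base is constructed: scopes are plain host names rather than network objects, and Placeholder.Protection is a made-up protection name.

```python
from dataclasses import dataclass, field

# Enforcement order used to flag exceptions stricter than their rule.
STRICTNESS = {"Inactive": 0, "Detect": 1, "Prevent": 2}
ANY = "Any"


@dataclass
class RuleException:
    name: str
    scope: object          # ANY or a set of object names (hosts here, for simplicity)
    protections: object    # ANY or a set of protection names
    action: str


@dataclass
class Rule:
    name: str
    scope: object
    action: str            # the action of the profile in the Action column
    exceptions: list = field(default_factory=list)


def _in_scope(host, scope):
    return scope == ANY or host in scope


def _covers(protection, protections):
    return protections == ANY or protection in protections


def evaluate(rules, host, protection):
    """First matching rule wins; inside it, the first matching exception wins.
    Returns (action, number as shown in the No. column) or (None, None)."""
    for i, rule in enumerate(rules, start=1):
        if not _in_scope(host, rule.scope):
            continue
        for j, exc in enumerate(rule.exceptions, start=1):
            if _in_scope(host, exc.scope) and _covers(protection, exc.protections):
                return exc.action, f"E-{i}.{j}"
        return rule.action, str(i)
    return None, None


def stricter_exceptions(rules):
    """Numbers of exceptions that raise enforcement above their rule's action."""
    found = []
    for i, rule in enumerate(rules, start=1):
        for j, exc in enumerate(rule.exceptions, start=1):
            if STRICTNESS[exc.action] > STRICTNESS[rule.action]:
                found.append(f"E-{i}.{j}")
    return found


# Constructed rule base. Rule 2 mirrors the "Disabling a Protection on One
# Server" scenario; Placeholder.Protection is a made-up protection name.
RULES = [
    Rule("Guest network monitoring", {"Guest_Net"}, "Detect", [
        RuleException("Block placeholder", ANY, {"Placeholder.Protection"}, "Prevent"),
    ]),
    Rule("Monitor Bot Activity", ANY, "Prevent", [
        RuleException("Exclude", {"Server_1"}, {"Backdoor.Win32.Agent.AH"}, "Detect"),
        RuleException("Lab hosts", {"Lab_Host"}, ANY, "Detect"),
    ]),
]


if __name__ == "__main__":
    for host, prot in [("Server_1", "Backdoor.Win32.Agent.AH"),
                       ("Server_1", "Placeholder.Protection"),
                       ("Guest_Net", "Placeholder.Protection")]:
        print(host, prot, "->", evaluate(RULES, host, prot))
    print("stricter exceptions to review:", stricter_exceptions(RULES))
```

Rule order matters in the same way as exception order: because rule 2 has scope Any, any rule placed after it would never be reached, which is the kind of shadowing to look for when a new exception does not seem to take effect.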

Blade Exceptions

You can also configure an exception for an entire blade.

To configure a blade exception:

  1. In the Policy, select the Layer rule to which you want to add an exception.
  2. Click Add Exception.
  3. Select the Above, Below, or Bottom option according to where you want to place the exception.
  4. In the Protection/Site column, select Blades from the drop-down menu.
  5. Select the blade you want to exclude.
  6. Install Policy.