Create and manage the policy for the Threat Prevention Software Blade as part of the Threat Prevention Policy.
Click the Add Rule button to get started.
Best Practice - Disable a rule while you work on it, and enable it when you want to use it. Disabled rules do not affect the performance of the Gateway. To disable a rule, right-click in the No. column of the rule and select Disable.
General
Malicious Email Policy on MTA Gateways
In this section you can decide whether to block or allow an email which was found malicious.
If you allow the email, you can select any or all of these options:
Send a copy to the following list - This option is available whether you allow or block the malicious email. With this option, the original email (with the malicious attachments and links) is attached to a new email, which contains the verdict list with the neutralized links and attachment file names, and the SMTP envelope information. You can configure the email content on the gateway. You can use this option for research purposes. For example, the Incident Response Team needs to examine the emails received in the organization to improve security and protection.
The configuration in the Mail page lets you block or allow malicious emails. However, you do not want to configure a global decision regarding all malicious emails; you prefer to decide for each email separately, on a case-by-case basis. For that purpose, you need to create a system in which Threat Emulation allows the emails, but does not send them to the recipient right away. Instead, it puts them in a container where you can check them and then decide whether to block or allow them.
To configure external quarantine for malicious emails:
In SmartConsole:
Note - When you add an X-Header to the email, the rest of the email is kept in the email's original form. The other options: Remove attachments and links, Add a prefix to the email subject and Add customized text to the email body, change the email, and therefore must be cleared.
In the Next Hop:
You can now see the emails in the Next Hop in their original forms and examine them. After you examine the emails in the Next Hop, you can decide whether to allow or block them.
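The following added example (not part of the Check Point documentation, and not the gateway's own code) shows why the X-Header option is the only one compatible with this quarantine design: prepending a header leaves every byte after the header block intact, so the Next Hop receives the original email and can hold it for review, while an option such as Remove attachments and links rewrites the body. The header name X-TE-Verdict, the message and the Next Hop rule are constructed for the example.

```python
import email
import hashlib
from email import policy

# Constructed sample message: a two-part MIME email with one binary attachment.
RAW_EMAIL = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.com\r\n"
    b"Subject: invoice\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Please see the attached file.\r\n"
    b"--b1\r\n"
    b'Content-Type: application/octet-stream; name="inv.bin"\r\n'
    b'Content-Disposition: attachment; filename="inv.bin"\r\n'
    b"\r\n"
    b"MZ-not-really-a-binary\r\n"
    b"--b1--\r\n"
)

# Hypothetical header name; the real name is whatever you configure in SmartConsole.
VERDICT_HEADER = "X-TE-Verdict"


def body_digest(raw: bytes) -> str:
    """SHA-256 of everything after the header block: the part the Next Hop must receive unchanged."""
    _, _, body = raw.partition(b"\r\n\r\n")
    return hashlib.sha256(body).hexdigest()


def add_verdict_header(raw: bytes, verdict: str) -> bytes:
    """Prepend one header line, as an MTA does with Received:, leaving every other byte in place."""
    return f"{VERDICT_HEADER}: {verdict}\r\n".encode() + raw


def remove_attachments(raw: bytes) -> bytes:
    """What an option like 'Remove attachments and links' does: the message is rebuilt without attachment parts."""
    msg = email.message_from_bytes(raw, policy=policy.SMTP)
    if msg.is_multipart():
        kept = [p for p in msg.iter_parts() if p.get_content_disposition() != "attachment"]
        msg.set_payload(kept)
    return msg.as_bytes()


def next_hop_decision(raw: bytes, hold_verdicts=("malicious",)) -> str:
    """Next Hop side: hold the email for manual review when the gateway's verdict header is present."""
    msg = email.message_from_bytes(raw, policy=policy.SMTP)
    verdict = (msg[VERDICT_HEADER] or "").strip().lower()
    return "hold" if verdict in hold_verdicts else "deliver"
```

The Next Hop rule here keys only on the header; the body digest check is what you would run to confirm that the gateway handed over the email in its original form.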
You can exclude specific email addresses from the Threat Emulation or Threat Extraction protections.
To exclude emails from Threat Emulation:
Emails and attachments that are sent to these recipients will not be sent for emulation.
Emails and attachments that are received from these senders will not be sent for emulation.
Note - You can use a wildcard character to exclude more than one email address from a domain.
Note - If you want to do emulation on outgoing emails, make sure that you set the Protected Scope to Inspect incoming and outgoing files.
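As an added illustration of the exclusion lists and the wildcard note above (example code, not Check Point's implementation), the matcher below treats only * as a wildcard and everything else, including the dots in a domain, as literal text, so *@partner.example does not also match partner.example.evil. The address lists are constructed, and the rule that one matching recipient excludes the whole email is an assumption of this example; the page does not say how mail with several recipients is handled.

```python
import re

# Constructed exclusion lists, in the form you would enter them in the profile.
EXCLUDED_SENDERS = ["*@partner.example", "noreply@scanner.example"]
EXCLUDED_RECIPIENTS = ["helpdesk@corp.example"]


def address_pattern(pattern: str) -> re.Pattern:
    """Compile an exclusion entry: '*' matches any run of characters, all other
    characters are literal (re.escape keeps '.' from acting as a regex dot),
    and matching is case-insensitive and anchored to the whole address."""
    parts = (re.escape(p) for p in pattern.strip().lower().split("*"))
    return re.compile("^" + ".*".join(parts) + "$")


def matches_any(address: str, patterns) -> bool:
    addr = address.strip().lower()
    return any(p.fullmatch(addr) for p in patterns)


def skips_emulation(sender: str, recipients, excluded_senders=EXCLUDED_SENDERS,
                    excluded_recipients=EXCLUDED_RECIPIENTS) -> bool:
    """True when the email is not sent for emulation: the sender matches an excluded
    sender, or a recipient matches an excluded recipient. Assumption of this example:
    one matching recipient excludes the whole email."""
    sender_patterns = [address_pattern(p) for p in excluded_senders]
    rcpt_patterns = [address_pattern(p) for p in excluded_recipients]
    return matches_any(sender, sender_patterns) or any(
        matches_any(r, rcpt_patterns) for r in recipients)
```

Keep exclusion lists short and reviewed: every entry is traffic the emulation engine never sees, and an over-broad wildcard such as *@* would silently turn the protection off.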
To exclude emails from Threat Extraction:
Click the + button to exclude specific recipients, users, groups or senders.
Click the Add button to exclude specific User Groups, Recipients or Senders.
Examples:
A user is an object that can contain an email address with other details.
A group is an AD group or an LDAP group of users.
A recipient is an email address only.
Important: In the main SmartConsole menu > Global Properties > User Directory, make sure that you selected Use User Directory for Security Gateways.
Signed emails are not encrypted, but the mail contents are signed to authenticate the sender. If the received email differs from the email that was sent, the recipient gets a warning, and the digital signature is no longer valid.
Clean replaces the original attachment with an attachment cleaned of threats, or converts the attachment to PDF form. Both actions invalidate the digital signature. If the attachment does not include active content, the mail remains unmodified and the digital signature valid.
Allow does not change the email. The digital signature remains valid. Select this option to prevent altering digital signatures.
This is an optional configuration. In this section, you can configure the maximum number of MIME nesting levels to be scanned (a nesting level is an email within an email). These settings are the same for Anti-Virus, Threat Emulation and Threat Extraction.
Inspection of Links Inside Mail scans URL links in email messages. Inspection of Links Inside Mail is on by default, and is supported with the Anti-Virus, Anti-Bot and Threat Emulation blades. Inspection of Links Inside Mail scans incoming mail with the Anti-Virus Software Blade and outgoing mail with the Anti-Bot Software Blade. For the Threat Emulation blade, only URL links to files are scanned. You must enable MTA for Inspection of Links Inside Mail to work with the Threat Emulation blade.
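To make the nesting-level setting concrete, here is an added example (not from the Check Point documentation, and not the scanning engine's code) that builds an email with three forwarded emails nested inside it, parses it back from the wire format, measures the nesting depth, and lists which parts fall inside a given limit and which subtrees a scanner with that limit would never open. The message content is constructed.

```python
import email
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText


def build_nested_message(levels: int):
    """Constructed sample: an email with `levels` forwarded emails nested inside one another."""
    msg = MIMEMultipart()
    msg["Subject"] = "innermost"
    msg.attach(MIMEText("original body"))
    for i in range(levels):
        outer = MIMEMultipart()
        outer["Subject"] = f"Fwd {i + 1}"
        outer.attach(MIMEText("see the forwarded message"))
        outer.attach(MIMEMessage(msg))  # message/rfc822 part: one nesting level deeper
        msg = outer
    return msg


def parse_roundtrip(levels: int):
    """Serialize the constructed message and parse it back, as a gateway receives it on the wire."""
    return email.message_from_bytes(build_nested_message(levels).as_bytes())


def nesting_depth(msg, level: int = 0) -> int:
    """Deepest nesting level: level 0 is the outer email, each message/rfc822 part adds one."""
    deepest = level
    if msg.is_multipart():
        inner_is_email = msg.get_content_type() == "message/rfc822"
        for part in msg.get_payload():
            deepest = max(deepest, nesting_depth(part, level + 1 if inner_is_email else level))
    return deepest


def scan_plan(msg, max_levels: int, level: int = 0, scanned=None, skipped=None):
    """Return (scanned, skipped): parts within the limit as (level, content_type),
    and the subtrees beyond it that a scanner with this limit never opens."""
    if scanned is None:
        scanned, skipped = [], []
    if level > max_levels:
        skipped.append((level, msg.get_content_type()))  # whole subtree left unscanned
        return scanned, skipped
    scanned.append((level, msg.get_content_type()))
    if msg.is_multipart():
        inner_is_email = msg.get_content_type() == "message/rfc822"
        for part in msg.get_payload():
            scan_plan(part, max_levels, level + 1 if inner_is_email else level, scanned, skipped)
    return scanned, skipped
```

The skipped list is the blind spot a low limit creates: anything attached to an email nested deeper than the limit is delivered without inspection, which is the trade-off against the cost of unpacking deeply nested mail.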
On this page, you can configure these settings:
To turn off Inspection of Links Inside Mail:
Note - For each Software Blade (Anti-Bot and Anti-Virus) you must turn off the Links Inside Mail separately.
To turn on Inspection of Links Inside Mail:
To configure IPS settings for a Threat Prevention profile:
The Profiles page opens.
Note - These categories are different from the protections in the Additional Activation page.
There are numerous protections available in IPS. It takes time to become familiar with those that are relevant to your environment. Some are easily configured for basic security and can be safely activated automatically.
In the Threat Prevention profile, you can configure an updates policy for IPS protections that were newly updated. You can do this with the IPS > Updates page in the Profiles navigation tree. Select one of these settings for Newly Updated Protections:
Set activation as staging mode - Newly updated protections remain in staging mode until you change their configuration. The default action for protections in staging mode is Detect. You can change the action manually in the IPS Protections page.
Click Configure to exclude specific protections from staging mode.
Best Practice - In the beginning, allow IPS to activate protections based on the IPS policy. During this time, you can analyze the alerts that IPS generates and how it handles network traffic, while you minimize the impact on the flow of traffic. Then you can manually change the protection settings to suit your needs.
The Pre-R80 Settings are relevant for the pre-R80 gateways only.
Protections Activation
Activate protections of the following types:
If a network has only clients or only servers, you can enhance gateway performance by deactivating the protections that do not apply. If you select Client Protections and Server Protections, all protections are activated, except for those that are:
Excluded Protections Categories
Do not activate protections of the following categories - The IPS protection categories you select here are not automatically activated. They are excluded from the Threat Prevention policy rule that has this profile in the action of the Rule Base.
You can configure Threat Prevention to exclude files from inspection, such as internal emails and internal file transfers. These settings are based on the interface type (internal or external, as defined in SmartConsole) and traffic direction (incoming or outgoing).
Before you define the scope for Threat Prevention, you must make sure that your DMZ interfaces are configured correctly. To do this:
The gateway window opens and shows the General Properties page.
Perform this procedure for each interface that goes to the DMZ.
You can configure these Anti-Virus settings in the Anti-Virus page:
Sends only incoming files from the specified interface type for inspection. Outgoing files are not inspected. Select an interface type from the list:
To configure the specific file type families:
You can configure the Anti-Virus settings to enable archive scanning. The Anti-Virus engine unpacks archives and applies proactive heuristics. The use of this feature impacts network performance.
Select Enable Archive scanning (impacts performance) and click Configure:
To block viruses and malware in your organization:
The First Time Activation window opens.
A new rule is added to the Threat Prevention policy. The Software Blade applies the first rule that matches the traffic.
Here you can configure the Anti-Bot UserCheck Settings:
To block bots in your organization, install this default Threat Policy rule that uses the Optimized profile, or create a new rule.
| Protected Scope | Action | Track | Install On |
|---|---|---|---|
| *Any | Optimized | Log, Packet Capture | *Policy Targets |
To block bots in your organization:
The First Time Activation window opens.
You can block bots with the out-of-the-box Threat Prevention policy rule with the default Optimized Profile.
Alternatively, add a new Threat Prevention rule:
A new rule is added to the Threat Prevention policy. The Software Blade applies the first rule that matches the traffic.
Scenario: I want to monitor bot activity in my organization without blocking traffic at all. How can I do this?
In this example, you will create this Threat Prevention rule, and install the Threat Prevention policy:
| Name | Protected Scope | Action | Track | Install On |
|---|---|---|---|---|
| Monitor Bot activity | | A profile that has these changes relative to the Optimized profile: Go to the General Policy pane > Activation Mode section, and set all Confidence levels to Detect. | | |
To monitor all bot activity:
The Profiles page opens.
This profile applies the Detect action to protections that identify an attack with low, medium or high confidence and have a medium or lower performance impact.
The first rule that matches is applied.
Scenario: The protection Backdoor.Win32.Agent.AH blocks malware on Windows servers. How can I change this protection to Detect for one server only?
In this example, create this Threat Prevention rule, and install the Threat Prevention policy:
| Name | Protected Scope | Protection/Site | Action | Track | Install On |
|---|---|---|---|---|---|
| Monitor Bot Activity | | | A profile based on the Optimized profile. Edit this profile > go to the General Policy pane > in the Activation Mode section, set every Confidence to Prevent. | Log | Policy Targets |
| Exclude | Server_1 | | Detect | Log | Server_1 |
To add an exception to a rule:
Note - To add EICAR files as exceptions, you must add them as Whitelist Files. When you add EICAR files through Exceptions in Policy rules, the gateway still blocks them, if archive scanning is enabled.
Before you define the scope for Threat Prevention, you must make sure that your DMZ interfaces are configured correctly. To do this:
The gateway window opens and shows the General Properties page.
Do this procedure for each interface that goes to the DMZ.
If there is a conflict between the Threat Emulation settings in the profile and for the Security Gateway, the profile settings are used.
To configure Threat Emulation settings for a Threat Prevention profile:
The Profiles page opens.
What are the available emulation actions that I can use with a Threat Emulation profile?
Note - To estimate the system requirements and amount of file emulations for a network, go to sk93598.
On the Threat Emulation > General page, you can configure these settings:
UserCheck Settings:
Protected Scope:
Select an interface type and traffic direction option:
Sends only incoming files from the specified interface type for inspection. Outgoing files are not inspected. Select an interface type from the list:
Protocols
Protocols to be emulated:
File Types
Here you can configure the Threat Emulation Action and Emulation Location for each file type scanned by the Threat Emulation blade. Select one of these:
Note - You can find this list of supported file types also in Manage & Settings view > Blades > Threat Prevention > Advanced Settings > Threat Emulation > File Type Support.
To change the emulation action for a file type, click the applicable action in the Action column and select one of these options:
To change the emulation location for a file type, click Emulation Location and select one of these options:
Archives
Block archives containing these prohibited file types. Click Configure to select the prohibited file types. If a prohibited file type is in an archive, the gateway drops the archive.
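The archive rule above is simple to state but worth seeing in code. The added example below (not Check Point's implementation) opens an in-memory ZIP, compares each member's extension against a prohibited list, and returns a drop verdict for the whole archive if any member matches. It goes slightly beyond the page: nested ZIPs are opened up to a fixed depth, the comparison is case-insensitive so SETUP.EXE is still an .exe, and an archive that cannot be opened gets its own verdict rather than a silent allow. The prohibited list and the sample archives are constructed.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Constructed example list; the real list is whatever you select under Configure.
PROHIBITED_TYPES = {".exe", ".scr", ".js", ".vbs"}


def prohibited_members(data: bytes, prohibited, prefix="", depth=0, max_depth=3):
    """List archive members whose extension is prohibited. Nested ZIPs are opened
    up to max_depth (an extension of the page's rule, added in this example)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            ext = PurePosixPath(info.filename).suffix.lower()  # SETUP.EXE -> ".exe"
            if ext in prohibited:
                found.append(name)
            elif ext == ".zip" and depth < max_depth:
                found.extend(prohibited_members(zf.read(info), prohibited,
                                                name + "/", depth + 1, max_depth))
    return found


def archive_verdict(data: bytes, prohibited=PROHIBITED_TYPES):
    """('drop', offenders) if any prohibited type is inside, ('allow', []) otherwise,
    and ('unreadable', []) when the archive cannot be opened at all."""
    try:
        offenders = prohibited_members(data, prohibited)
    except zipfile.BadZipFile:
        return "unreadable", []
    return ("drop", offenders) if offenders else ("allow", [])


def make_zip(files: dict) -> bytes:
    """Build an in-memory ZIP from {member name: content bytes} (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Note that the check is by file name only, which is all the page's rule requires; an executable renamed to .txt passes this filter and is the reason the archive is still sent on for emulation.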
You can use the Emulation Environment window to configure the emulation location and images that are used for this profile:
Note - In the Remote Emulation Appliances option, for R80.10 gateways with R80.10 Jumbo Hotfix Accumulator and R77.20 gateways, you can select multiple appliances for remote emulation. For older gateways, you can select only one appliance for remote emulation.
These are the options to select the emulation images:
Best Practice - For configurations that use Hold mode for SMTP traffic, we recommend that you use an MTA deployment.
If you use the Prevent action, a file that Threat Emulation already identified as malware is blocked. Users cannot get the file even in Background mode.
Prepare the network and Emulation appliance for a Local or Remote deployment in the internal network.
To configure Threat Extraction settings for a Threat Prevention profile:
The Profiles properties window opens.
Note - You can configure some of the Threat Extraction features in a configuration file, in addition to the CLI and GUI. See sk114613.
On the Threat Extraction > General page, you can configure these settings:
UserCheck Settings
Note - This option is only configurable when the Threat Emulation blade is activated in the General Properties pane of the profile.
Select a message to show the user when the user receives the clean file. In this message, the user selects whether to download the original file. To select the success or cancellation messages of the file download, go to Manage & Settings > Blades > Threat Prevention > Advanced Settings > UserCheck. You can create or edit UserCheck messages on the UserCheck page. You can customize a UserCheck message only for SMTP files. For HTTP files (supported on R80.30 gateways and above), the message which the user gets is not customizable in SmartConsole. You can only customize it on the gateway.
Send Original Mail is added to the message body.
Protocol
To enable web support on other ports, create a new TCP service. In General > Protocol select HTTP, and in Match By, select Customize and enter the required port number.
Notes:
For information on storage of the original files, see Storage of Original Files.
Extraction Method
Click Configure to select which malicious parts the blade extracts. For example, macros, JavaScript, images and so on.
Extraction Settings
Set a low, medium or high confidence level. This option is only configurable when the Threat Emulation blade is activated in the General Properties pane of the profile.
File Types
Note - You can find this list of supported file types also in Manage & Settings view > Blades > Threat Prevention > Advanced Settings > Threat Extraction > Configure File Type Support.
Here you can configure a different extraction method for certain file types. Click Configure to see the list of enabled file types and their extraction methods. To change the extraction method for a file type, right-click the file type and select: bypass, clean or convert to pdf. You can select a different extraction method for Mail and Web.
Notes:
For e-mail attachments:
Protected Scope
Threat Extraction protects incoming files from external interfaces and DMZ. The user cannot configure the protected scope.
On the Threat Extraction > Advanced page, you can configure these settings:
Block or Allow corrupted files attached to the email or downloaded from the web. Corrupted files are files the blade fails to process, possibly because the format is incorrect. Despite the incorrect format, the related application (Word, Adobe Reader) can sometimes show the content.
Block removes the corrupted file and sends the recipient a text that explains that the file contained potentially malicious content. You can block corrupt files if Threat Emulation finds them malicious. If the action is Block, you can also deny access to the original corrupted file.
Allow lets the recipient receive the corrupted file.
Block or Allow encrypted files attached to the email or downloaded from the web.
Block removes the encrypted file and sends the recipient a text file that explains that the file contained potentially malicious content.
If the action is block, you can also deny access to the original encrypted file.
Allow lets the recipient receive the encrypted file.
To configure the Threat Extraction blade on the gateway:
The Threat Extraction First Time Activation Wizard opens.
If you do not want Threat Extraction to scan email attachments, click Skip this configuration now.
In addition to configuring Threat Extraction on the gateway, enable Threat Extraction to scan one or all of these types of documents:
The Malware DNS Trap works by configuring the Security Gateway to return a false (bogus) IP address for known malicious hosts and domains. You can use the Security Gateway's external IP address as the DNS trap address, but:
You can also add internal DNS servers to better identify the origin of malicious DNS requests.
With the Malware DNS Trap, you can detect compromised clients by checking the logs for connection attempts to the false IP address.
At the Security Gateway level, you can configure the DNS Trap according to the profile settings or as a specific IP address for all profiles on the specific gateway.
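The detection step described above, finding compromised clients from connection attempts to the trap address, as an added example that is not part of the Check Point documentation or product: a small parser for key=value log lines, grouping of attempts to the trap address by source IP, and a ranked list of suspected clients. The trap address 203.0.113.9, the log format and the log lines are constructed for the example; adapt the parser to your own log export.

```python
import ipaddress
from collections import defaultdict

# Constructed values: the bogus address configured as the DNS trap, and a few
# gateway-style connection log lines (one of them not in key=value form).
TRAP_IP = "203.0.113.9"
SAMPLE_LOGS = [
    "time=10:01:02 action=accept src=10.0.0.5 dst=203.0.113.9 dport=443 proto=tcp",
    "time=10:01:03 action=accept src=10.0.0.5 dst=198.51.100.20 dport=443 proto=tcp",
    "time=10:01:09 action=accept src=10.0.0.5 dst=203.0.113.9 dport=8080 proto=tcp",
    "time=10:02:11 action=drop src=10.0.0.7 dst=203.0.113.9 dport=80 proto=tcp",
    "time=10:02:30 action=accept src=10.0.0.9 dst=192.0.2.44 dport=53 proto=udp",
    "this line is not in key=value form",
]


def parse_kv(line: str) -> dict:
    """Split a 'key=value key=value' log line into a dict; tokens without '=' are ignored."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def trap_hits(lines, trap_ip: str = TRAP_IP) -> dict:
    """Group connection attempts to the trap address by source IP:
    {src: {"attempts": n, "ports": {destination ports seen}}}.
    Dropped attempts count too: the client resolved a malicious name and tried to connect."""
    trap = ipaddress.ip_address(trap_ip)
    hits = defaultdict(lambda: {"attempts": 0, "ports": set()})
    for line in lines:
        rec = parse_kv(line)
        try:
            if ipaddress.ip_address(rec.get("dst", "")) != trap:
                continue
        except ValueError:  # missing or malformed destination address
            continue
        entry = hits[rec.get("src", "unknown")]
        entry["attempts"] += 1
        if rec.get("dport", "").isdigit():
            entry["ports"].add(int(rec["dport"]))
    return dict(hits)


def suspected_clients(lines, trap_ip: str = TRAP_IP, min_attempts: int = 1):
    """Source addresses that tried to reach the trap at least min_attempts times, most active first."""
    hits = trap_hits(lines, trap_ip)
    return sorted((src for src, h in hits.items() if h["attempts"] >= min_attempts),
                  key=lambda s: -hits[s]["attempts"])
```

If the trap address is the gateway's own external IP, filter out the gateway's legitimate traffic to that address before counting, otherwise the report fills with false positives; this is the practical reason the page recommends adding internal DNS servers so the origin of the request is identifiable.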
To set the Malware DNS Trap parameters for the profile:
The Profiles page opens.
To set the Malware DNS Trap parameters for a gateway:
The gateway window opens and shows the General Properties page.
If necessary, you can add an exception directly to a rule. An exception sets a different Action for an object in the Protected Scope from the Action specified in the Threat Prevention rule. In general, exceptions are designed to give you the option to reduce the level of enforcement of a specific protection, not to increase it. For example: The Research and Development (R&D) network protections are included in a profile with the Prevent action. You can define an exception which sets the specific R&D network to Detect. For some Anti-Bot and IPS signatures only, you can define exceptions which are stricter than the profile action.
You can add one or more exceptions to a rule. The exception is added as a shaded row below the rule in the Rule Base. It is identified in the No. column with the rule's number plus the letter E and a digit that represents the exception number. For example, if you add two exceptions to rule number 1, two lines are added and appear in the Rule Base as E-1.1 and E-1.2.
You can use exception groups to group exceptions that you want to use in more than one rule. See the Exceptions Groups Pane.
You can expand or collapse the rule exceptions by clicking on the minus or plus sign next to the rule number in the No. column.
To add an exception to a rule:
Note - You cannot set an exception rule to an inactive protection or an inactive blade.
You can also configure an exception for an entire blade.
To configure a blade exception: