Configuring Advanced Threat Emulation Settings

In This Section:

Updating Threat Emulation

Fine-Tuning the Emulation Appliance

Updating Threat Emulation

Threat Emulation connects to the ThreatCloud to update the engine and the operating system images. The default setting for the Threat Emulation appliance is to automatically update the engine and images.

The default setting is to download the package once a day.

Best Practice - Configure Threat Emulation to download the package when there is low network activity.

Update packages for the Threat Emulation operating system images are usually more than 2GB. The actual size of the update package is related to your configuration.

To enable or disable Automatic Updates for Threat Emulation:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click Updates.

    The Updates page opens.

  3. Under Threat Emulation, click Schedule Update.
  4. Select or clear these settings:
    • Enable Threat Emulation engine scheduled update
    • Enable Threat Emulation images scheduled update
  5. Click Configure to configure the schedule for Threat Emulation engine or image updates.
  6. Configure the automatic update settings to update the database:
    • To update once a day, select At and enter the time of day
    • To update multiple times a day, select Every and set the time interval
    • To update one or more times each week or month:
      1. Select At and enter the time of day.
      2. Click Days.
      3. Click Days of week or Days of month.
      4. Select the applicable days.
  7. Click OK and then install the Threat Prevention policy.

Updating Threat Emulation Images

Update packages for the Threat Emulation operating system images are usually larger than several gigabytes. The actual size of the update package is related to your configuration.

The default setting is to download the package once a week on Sunday. If Sunday is a work day, we recommend that you change the update setting to a non-work day.

To update the operating system image for Threat Emulation on a gateway:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click Updates.

    The Updates page opens.

  3. Under Threat Emulation, click Update Images.
  4. Select a gateway and click OK.
  5. Install the Threat Prevention policy.

Fine-Tuning the Emulation Appliance

You can change these advanced settings on the Emulation appliance to fine-tune Threat Emulation for your deployment.

Configuring the Emulation Limits

To prevent too many files from waiting for emulation, configure these emulation limit settings:

If emulation is not done on a file for one of these reasons, the Fail Mode settings for Threat Prevention define whether the file is allowed or blocked.

You can configure the maximum amount of time that a file waits for the Threat Emulation Software Blade to emulate it. A separate setting configures the maximum amount of time that emails are held in the MTA.

If the file is waiting for emulation more than the maximum time:

To configure the emulation limits:

  1. In the Threat Prevention tab, select Advanced > Engine Settings.

    The Engine Settings pane opens.

  2. From the Threat Emulation Settings section, click Configure settings.

    The Threat Emulation Settings window opens.

  3. Configure the settings for the emulation limits.
  4. From When limit is exceeded traffic is accepted with track, select the action if a file is not sent for emulation:
    • None - No action is done
    • Log - The action is logged
    • Alert - An alert is sent to SmartView Monitor
  5. Click OK and then install the policy.

Configuring Emulation Limits

  1. In SmartConsole, select Manage & Settings > Blades > Threat Prevention > Advanced Settings.

    The Threat Emulation Engine Settings window opens.

  2. Click Configure settings.

    The Threat Emulation Settings window opens.

  3. Configure the settings for the emulation limits.
    • From When limit is exceeded traffic is accepted with track, select the action if a file is not sent for emulation:
      • None - No action is done
      • Log - The action is logged
      • Alert - An alert is sent to SmartView Monitor
  4. Click OK and then install the policy.

Changing the Local Cache

When a Threat Emulation analysis finds that a file is clean, the file hash is saved in a cache. Before Threat Emulation sends a new file to emulation, it compares the new file to the cache. If there is a match, it is not necessary to send it for additional emulation. Threat Emulation uses the cache to help optimize network performance. We recommend that you do not change this setting.

To change the size of the local cache:

  1. In the Threat Prevention tab, select Advanced > Engine Settings.

    The Engine Settings pane opens.

  2. From the Threat Emulation Settings section, click Configure settings.

    The Threat Emulation Settings window opens.

  3. From Number of file hashes to save in local cache, configure the number of file hashes that are stored in the cache.
  4. Click OK and then install the policy.

Changing the Size of the Local Cache

  1. In SmartConsole, select Manage & Settings > Blades > Threat Prevention > Advanced Settings.

    The Threat Prevention Engine Settings window opens.

  2. Click Configure Settings.

    The Threat Emulation Settings window opens.

  3. From Number of file hashes to save in local cache, configure the number of file hashes that are stored in the cache.
  4. Click OK and then install the policy.
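
A minimal model of the clean-file hash cache described under Changing the Local Cache, added here as an example; it is not Check Point code. SHA-256, least-recently-used eviction, `toy_emulate` and the sample traffic are assumptions, since the page states only that hashes of clean files are saved and checked before a file is sent for emulation.

```python
import hashlib
from collections import OrderedDict


class CleanVerdictCache:
    """Bounded cache of hashes of files that emulation found clean."""
    def __init__(self, max_hashes):
        self.max_hashes = max_hashes  # models "Number of file hashes to save in local cache"
        self._hashes = OrderedDict()  # least recently used entry first

    @staticmethod
    def file_hash(data):
        # Assumption: SHA-256. The page does not name the hash function.
        return hashlib.sha256(data).hexdigest()

    def is_known_clean(self, data):
        digest = self.file_hash(data)
        if digest in self._hashes:
            self._hashes.move_to_end(digest)  # refresh recency on a hit
            return True
        return False

    def record_clean(self, data):
        digest = self.file_hash(data)
        self._hashes[digest] = True
        self._hashes.move_to_end(digest)
        while len(self._hashes) > self.max_hashes:
            self._hashes.popitem(last=False)  # assumption: evict least recently used


def toy_emulate(data):
    # Stand-in for the emulation engine: a constructed rule, not real detection.
    return "malicious" if b"EVIL" in data else "clean"


def emulations_needed(files, cache, emulate=toy_emulate):
    """Return how many of the files had to be sent for emulation."""
    sent = 0
    for data in files:
        if cache.is_known_clean(data):
            continue  # cache hit: no additional emulation
        sent += 1
        if emulate(data) == "clean":  # only clean verdicts are cached
            cache.record_clean(data)
    return sent


# Constructed traffic: three clean documents repeating, one malicious file seen twice.
TRAFFIC = [b"doc-a", b"doc-b", b"doc-c"] * 3 + [b"EVIL-1", b"EVIL-1"]
```

With this constructed traffic, a cache of 3 hashes sends 5 files for emulation and a cache of 2 sends all 11, because the three recurring clean files no longer fit; the malicious file is emulated both times since only clean verdicts are cached.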

Threat Emulation Virtual Interface

The Emulation appliance must have a virtual IP address and netmask to do file emulation. This setting is not used for emulation in the ThreatCloud.

Important - Only change this virtual IP address if it is already used in your network.

To change the IP address of the virtual interface:

  1. In SmartConsole, select Manage & Settings > Blades > Threat Prevention.
  2. Under Threat Prevention, click Advanced Settings.
  3. Scroll down and from the Threat Emulation Settings section, click Configure settings.

    The Threat Emulation Settings window opens.

  4. Enter the Network and Mask for the IP address for the virtual interface.
  5. Click OK and then install the policy.