Automatic Threat Analysis Settings
Define the automatic threat analysis settings in the Triggers and Automatic Response Action.
The automatic options are:
- Automatically analyze threats - Analyze incidents based on Check Point's recommended triggers (default).
- Automatically analyze and remediate infections - Analyze incidents based on Check Point's recommended triggers and apply remediation automatically.
- Do not analyze threats - Automatic Forensics analysis is turned off.
You can edit the selections manually to define when these processes occur.
The confidence level is how sure Endpoint Security is that a file is malicious. High confidence means that it is almost certain that a file is malicious. Medium confidence means that it is very likely that a file is malicious.
- Forensics Analysis - When Forensics analysis occurs.
- File Quarantine - When files are quarantined for Threat Emulation (the Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious; acronym: TE) and Anti-Bot (the Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers; acronyms: AB, ABOT).
- Machine Quarantine - When machines are quarantined. If a computer is quarantined, the Firewall restricts its network access.
- Attack Remediation - When remediation occurs for components that are part of an attack.
To granularly edit which type of events trigger a Forensics response:
- In a SandBlast Agent Forensics and Remediation rule (a set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session), right-click the Automatic Threat Analysis Action and select Edit Shared Action.
- Click Override confidence level per specific event.
You can override the settings of the rule for up to five different events.
The Triggers include:
- Events detected by Endpoint Security components: Anti-Bot, Threat Emulation, Anti-Malware (a component on Endpoint Security Windows clients that protects clients from known and unknown viruses, worms, Trojan horses, adware, and keystroke loggers).
- Events detected by Network components: Anti-Bot, Threat Emulation, Anti-Malware, URL Filtering (the Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks; acronym: URLF).
Configuring Network Blades for Forensics Triggers and Remediation
To make triggers and remediation work for events detected by Network Threat Prevention components, you must configure the Security Gateway (the dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources) policy for the Threat Prevention components: Anti-Bot, Anti-Virus (the Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected; acronym: AV), and Threat Emulation.
Each component must be enabled, with a Protection setting of Prevent or Ask (both of which include UserCheck).
Best practice is to use the Threat Prevention Recommended Profile (default) that includes all required settings.