
Creating a Threat Prevention Policy

In This Section:

Threat Prevention Components

ThreatSpect Engine and ThreatCloud Repository

Learning about Malware

IPS

Anti-Bot

Anti-Virus

Anti-Bot and Anti-Virus Rule Base

Threat Emulation

Creating a Threat Prevention Policy

Creating Rules

Installing the Threat Prevention Policy

Updating the IPS and Malware Databases

Anti-Spam

Threat Prevention Components

To challenge today's malware landscape, Check Point's comprehensive Threat Prevention solution offers a multi-layered, pre- and post-infection defense approach and a consolidated platform that enables enterprise security to detect and block modern malware. These Threat Prevention Software Blades are available:

Each Software Blade gives unique network protections. When combined, they supply a strong Threat Prevention solution. Data from malicious attacks is shared between the Threat Prevention Software Blades and helps to keep your network safe. For example, the signatures from threats that Threat Emulation identifies are added to the Anti-Virus database.

ThreatSpect Engine and ThreatCloud Repository

The ThreatSpect engine is a unique multi-tiered engine that analyzes network traffic and correlates information across multiple layers to find bots and other malware. It combines information on remote operators, unique botnet traffic patterns and behavior to identify thousands of different botnet families and outbreak types.

The ThreatCloud repository contains more than 250 million addresses that were analyzed for bot discovery and more than 2,000 different botnet communication patterns. The ThreatSpect engine uses this information to classify bots and viruses.

The Security Gateway gets automatic binary signature and reputation updates from the ThreatCloud repository. It can query the cloud for new, unclassified IP/URL/DNS resources that it finds.

The layers of the ThreatSpect engine:

Learning about Malware

The Threat Wiki is an easy-to-use tool that lets you search and filter the ThreatCloud repository to find more information about identified malware. You can filter by category, tag, malware family, and search for malware.

To show the Threat Wiki:

  1. In SmartConsole, go to the Security Policies page, and select Threat Prevention.
  2. In the Threat Tools section, click Threat Wiki.

    The Threat Wiki web page opens.

IPS

Overview of IPS

The Check Point IPS Software Blade analyzes traffic for possible risks, to enhance the network security of your organization. The IPS detection engine has multiple defense layers, detects and prevents known threats, and often protects against future ones.

For example, IPS protects against drive-by downloads, where a user goes to a legitimate web site and unknowingly downloads malware. The attack exploits a browser vulnerability with a specially crafted HTTP response that sends the malware to the client. The firewall allows the HTTP traffic from the web site, so the computer is at risk from this malware. IPS protects the computer because it identifies and then blocks the drive-by download connection.

Enabling the IPS Software Blade

To enable the IPS Software Blade on a Security Gateway:

  1. In SmartConsole, go to Gateways & Servers and double-click the gateway object.

    The General Properties window opens.

  2. In the General Properties > Network Security tab, select IPS.
  3. Follow the steps in the wizard that opens.
  4. Click OK.
  5. Click OK.
  6. Install the Access Control policy.

Choosing the Level of Protection

Check Point IPS provides instant protection based on pre-defined Threat Prevention Profiles. You can also configure a custom Threat Prevention profile to give the exact level of protection for your organization.

When you install an Access Control policy on the Security Gateways, they immediately begin to enforce IPS protection on network traffic.

Default IPS Protection Profiles

SmartConsole includes these default Threat Prevention profiles:

Using the Optimized Profile

The Optimized profile is activated by default, because it gives excellent security with good gateway performance. These are the goals of the Optimized profile:

Newly downloaded IPS protections are set to Detect the intrusion attempts. They are activated according to the IPS Updates Policy.

Customizing IPS Protections for Your Network

For additional granularity, in the Additional Activation section of the Profile configuration window, you can select IPS protections to activate and to deactivate. The IPS protections are arranged into categories such as Product, Vendor, Threat Year, and others, for ease of search. The gateways enforce activated protections, and do not enforce deactivated protections, regardless of the general profile protection settings.

Configuring IPS Profile Settings

To configure the IPS settings for a Threat Prevention profile:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click Profiles.

    The Profiles page opens.

  3. Right-click the profile, and click Edit.
  4. From the navigation tree, click IPS > Additional Activation.
  5. Configure the customized protections for the profile. See Additional Activation Fields.
  6. From the navigation tree, click IPS > Updates.
  7. Configure the settings for newly downloaded IPS protections.
  8. If you are importing IPS profiles from a pre-R80 deployment:
    1. From the navigation tree, click IPS > Pre-R80 Settings.
    2. Activate the applicable Client and Server protections.
    3. Configure the IPS protection categories to exclude from this profile.

    Note - These categories are different from the protections in the Additional Activation page.

  9. Click OK.
  10. Install the Access Control policy.

Additional Activation Fields

Changing the Assigned Profile

To assign an IPS profile:

  1. In SmartConsole, select Security Policies > Threat Prevention > Policy > IPS.
  2. In the rule, right-click the Action cell.
  3. Select the Threat Prevention profile with the applicable IPS settings.
  4. Install the Access Control policy.

Browsing IPS Protections

The IPS Protections summary lets you quickly browse all IPS protections and their settings. The IPS Protections window lets you use the specified categories and tags to easily filter for IPS protections. For example, the Vendor category contains the Oracle tag with the IPS protections for Oracle products. You can also:

Filtering IPS Protections

To show the IPS protections:

  1. In SmartConsole, go to the Security Policies page and select Threat Prevention.
  2. In the Threat Tools section, click IPS Protections.

To filter the protections:

  1. From the IPS Protections window, click the Filter icon.

    The Filters pane opens and shows IPS protections categories.

  2. To add more categories:
    1. Click the Add filter button.

      A window opens and shows the IPS protections categories.

    2. Click the category.

      The category is added to the Filters pane.

  3. Click one or more filters to apply to the IPS protections.
  4. To show all suggested filters in a category, click View All.

IPS Protections Columns

These are some of the default columns in the IPS protections summary table.

  • Protection - Name of the protection.
  • Industry Reference - International CVE or CVE candidate name for the attack.
  • Performance Impact - How this protection affects the performance of a Security Gateway.
  • Severity - Probable severity of a successful attack on your environment.
  • Confidence Level - How confident IPS is in recognizing the attack.
  • profile_name - The Activation setting for the protection for each IPS profile.

Activating Protections for a Profile

To manually activate a protection for a profile:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click IPS Protections.

    The IPS Protections page opens.

  3. For the specified protection, find the column for the profile.

    Note - Only the IPS profiles selected in the policy are shown by default.

  4. Right-click the cell for the protection and profile and select Edit.

    The Protection Details window opens.

  5. From the Main Action section, click Override with.
  6. Select the action to apply.
  7. Click OK.
  8. Install the Access Control policy.

Removing Activation Overrides

You can remove the manually activated IPS protections and restore them to the settings in the Threat Prevention profile.

To remove IPS protection overrides:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click IPS Protections.

    The IPS Protections page opens.

  3. Click the cell for the profile column.

    Press CTRL to select more than one protection.

  4. Right-click a highlighted cell and select Restore to profile settings.

    A warning message opens.

  5. Click Yes.
  6. Install the Access Control policy.

Adding Network Exceptions

You can configure exceptions for a protection that has the Prevent action, so that IPS does not identify the excepted traffic. We recommend that you use IPS exceptions to allow legitimate traffic for some computers or services that can match the protection criteria for malware. You can also create an exception for a server that does not comply with RFC standards.

Adding an IPS Exception

To add a new exception:

  1. In SmartConsole, go to the Security Policies page and select Threat Prevention.
  2. In the Threat Tools section of the Threat Prevention Policy, click Profiles.
  3. Right-click the profile and select Edit.

    The Profile window opens.

  4. From the navigation tree, select IPS > Pre R80 Settings.
  5. In the Excluded Protections Categories section, make sure that Do not activate protections of the following categories is selected.
  6. Click the plus sign and select a protection category.
  7. Repeat the previous step for each protection category.
  8. Click OK.
  9. Install the Access Control policy.

Anti-Bot

Protecting Networks from Bots

A bot is malicious software that can infect your computer. A computer can become infected when you open an attachment that exploits a vulnerability, or when you go to a web site that results in a malicious download.

When a bot infects a computer, it:

One bot can often create multiple threats. Bots are frequently used as part of Advanced Persistent Threats (APTs) where cyber criminals try to damage individuals or organizations.

The Anti-Bot Software Blade detects and prevents these bot and botnet threats. A botnet is a collection of compromised and infected computers.

Identifying Bot Infected Computers

The Anti-Bot Software Blade uses these procedures to identify bot infected computers:

Enabling the Anti-Bot Software Blade

To enable the Anti-Bot Software Blade on a Security Gateway:

  1. In the Gateways & Servers view, double-click the gateway object.

    The General Properties window of the gateway opens.

  2. From the Network Security tab, select Anti-Bot.

    The Anti-Bot and Anti-Virus First Time Activation window opens.

  3. Select an activation mode option:
    • According to the Anti-Bot and Anti-Virus policy - Enable the Anti-Bot Software Blade and use the Anti-Bot settings of the Threat Prevention profile in the Threat Prevention policy.
    • Detect only - Packets are allowed, but the traffic is logged according to the settings in the Threat Prevention Rule Base.
  4. Click OK.
  5. Install Policy.

Anti-Virus

Protecting Networks from Viruses

The Anti-Virus Software Blade inspects connections to the Internet and scans file transfers and downloads to the internal network to find and prevent malware attacks. It also gives pre-infection protection from external malware and malicious servers.

Examining Anti-Bot and Anti-Virus Protections

The Protections browser shows information about the Anti-Bot and Anti-Virus protections.

To show the Protections browser:

  1. In SmartConsole, go to the Security Policies page, and select Threat Prevention.
  2. In the Related Tools section, click Protections.

    A detailed summary of the protections is shown in the table.

The table of protections has these fields:

  • Protection - Name of the protection type.
  • Blade - The Software Blade that uses the protection: Anti-Bot or Anti-Virus.
  • Engine - Layer of the ThreatSpect engine that protects the network.
  • Known Today - Number of known protections.
  • Last Update - The date of the most recent update.

When you select a protection in the table, the summary and the activation information are shown in the bottom part of the screen. The Summary tab is shown by default. To see the activation information, click the Activations tab.

The table in the Activations tab has these fields:

  • Profile - The profile name.
  • Action - The action that is configured in the profile for the selected protection:
    • Ask - Asks the user to select an action
    • Prevent - Blocks traffic that matches the protection
    • Detect - Allows all traffic and logs traffic that matches the protection
    • Inactive - Disables the protection

Protections can have more than one action. The Action column shows the percentage of protections set to each action.

Anti-Bot and Anti-Virus Rule Base

There is one Rule Base for Anti-Bot and Anti-Virus. The Anti-Bot and Anti-Virus rules use the Malware database and network objects. Security Gateways that have Identity Awareness enabled can also use Access Role objects as the Protected Scope in a rule. The Access Role objects let you easily make rules for individuals or different groups of users.

The first Anti-Bot or Anti-Virus rule that matches the traffic is applied. There are no implied rules in this Rule Base: all traffic is allowed unless it is explicitly blocked. A rule that is set to the Prevent action blocks activity and communication for that malware.

When necessary, you can add an exception directly to a rule. The object in the Protected Scope of the exception can have a different Action from the Anti-Bot and Anti-Virus rule it belongs to. Here are some examples of exception rules:

Managing the Anti-Bot and Anti-Virus Rule Base

These are the fields that manage the rules for the Anti-Bot and Anti-Virus threat prevention policy.

  • No. - Rule number in the Rule Base. An exception rule contains the letter E and a digit that represents the exception number. For example, E-2.2 is the second exception for the second rule.
  • Name - Name that the system administrator gives this rule.
  • Protected Scope - Objects that are protected against bots and viruses. Traffic to and from these objects is inspected even if the objects did not open the connection.
  • Protection - For rules, the value for this field is always N/A. The protections are set according to the profile in the Action field. For exceptions, set this field to one or more specified protections.
  • Action - For rules, the value for this field is an Anti-Bot and Anti-Virus profile. For exceptions, set this field to Prevent or Detect.
  • Track - Tracking and logging action that is done when traffic matches the rule.
  • Install On - Network objects that get this rule. The default setting is All and installs the policy on all Security Gateways that have Anti-Bot and Anti-Virus enabled.

Sample Anti-Bot and Anti-Virus Rule Base

This table shows a sample Anti-Bot and Anti-Virus Rule Base. (The Install On column is not shown and is set to All.)

  • Rule 1, High Security
    • Protected Scope - Finance_server, Corporate_internal, Corporate_finance
    • Protection - n/a
    • Action - High_Security_Profile
    • Track - Log, Packet Capture
  • Rule 2, Malware Rule
    • Protected Scope - Any
    • Protection - n/a
    • Action - Optimized Profile
    • Track - Log
  • Exception E-2.1, R&D Server
    • Protected Scope - Server_1
    • Protection - Backdoor.Win32.Shark.A
    • Action - Detect
    • Track - Log
  • Exception E-2.2, Users_3
    • Protected Scope - Users_3
    • Protection - Adware.Win32.CashFiesta.A, RogueSoftware.Win32.Ackantta.A, Trojan.Win32.Agent.BA
    • Action - Detect
    • Track - Log

Rule number 1, High Security - Traffic for the Finance server and two corporate networks is inspected for bots and viruses according to the settings in the High_Security profile. The traffic is logged and the packets are captured for analysis in the Logs & Monitor > Logs view.

Rule number 2, Malware Rule - All traffic in the network is inspected for bots and viruses according to the settings in the Optimized profile.

Exception 2.1 to rule 2, R&D Server - A global exception rule for the Server_1 object, that only detects the Backdoor.Win32.Shark.A protection.

Exception 2.2 to rule 2, Users_3 - An exception rule for the Users_3 Access Role, that sets some protections to Detect instead of Prevent.
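The matching semantics of this sample Rule Base, as an added Python example that is not Check Point code: the first matching rule is applied, the Protected Scope matches traffic to or from its objects, the rule's exceptions are checked in order, and traffic that matches no rule is allowed because there are no implied rules. Object and protection names come from the table; the profile verdicts (both profiles treated as Prevent) and the "Internet" host name are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Added example (not Check Point code): a small model of the Anti-Bot and
# Anti-Virus Rule Base semantics, loaded with the sample Rule Base above.
# Object and protection names come from the table; the profile verdicts are
# constructed stand-ins for the real profile settings.

ANY = "Any"


@dataclass
class RuleException:
    name: str
    scope: Set[str]        # Protected Scope objects, or {ANY}
    protections: Set[str]  # the protections this exception applies to
    action: str            # "Prevent" or "Detect"


@dataclass
class Rule:
    name: str
    scope: Set[str]
    profile: str           # Threat Prevention profile used as the rule Action
    exceptions: List[RuleException] = field(default_factory=list)


def in_scope(scope: Set[str], src: str, dst: str) -> bool:
    """The Protected Scope covers traffic to AND from its objects, so a
    connection matches if either endpoint is in scope (or the scope is Any)."""
    return ANY in scope or src in scope or dst in scope


def evaluate(rule_base: List[Rule], profiles: Dict[str, str],
             src: str, dst: str, protection: str) -> Tuple[str, str]:
    """Return (verdict, what matched) for one connection and one protection.

    The first rule whose Protected Scope matches is applied. Within that rule,
    exceptions are checked in order (E-<rule>.<n>) and the first one matching
    both scope and protection overrides the profile action. There are no
    implied rules, so traffic matching no rule is allowed.
    `profiles` maps a profile name to the action it assigns to `protection`.
    """
    for rule_no, rule in enumerate(rule_base, start=1):
        if not in_scope(rule.scope, src, dst):
            continue
        for exc_no, exc in enumerate(rule.exceptions, start=1):
            if in_scope(exc.scope, src, dst) and protection in exc.protections:
                return exc.action, f"E-{rule_no}.{exc_no} {exc.name}"
        return profiles[rule.profile], f"Rule {rule_no} {rule.name}"
    return "Allow", "no rule matched"


# The sample Rule Base from the table above.
SAMPLE_RULE_BASE = [
    Rule("High Security",
         {"Finance_server", "Corporate_internal", "Corporate_finance"},
         "High_Security_Profile"),
    Rule("Malware Rule", {ANY}, "Optimized_Profile", exceptions=[
        RuleException("R&D Server", {"Server_1"},
                      {"Backdoor.Win32.Shark.A"}, "Detect"),
        RuleException("Users_3", {"Users_3"},
                      {"Adware.Win32.CashFiesta.A",
                       "RogueSoftware.Win32.Ackantta.A",
                       "Trojan.Win32.Agent.BA"}, "Detect"),
    ]),
]

# Constructed: assume both profiles set every sampled protection to Prevent.
SAMPLE_PROFILES = {"High_Security_Profile": "Prevent",
                   "Optimized_Profile": "Prevent"}


def sample_decision(src: str, dst: str, protection: str) -> Tuple[str, str]:
    """Evaluate one flow against the sample Rule Base and profiles."""
    return evaluate(SAMPLE_RULE_BASE, SAMPLE_PROFILES, src, dst, protection)


if __name__ == "__main__":
    # Constructed flows; "Internet" is just a host outside every scope.
    for flow in [("Internet", "Finance_server", "Backdoor.Win32.Shark.A"),
                 ("Server_1", "Internet", "Backdoor.Win32.Shark.A"),
                 ("Server_1", "Internet", "Trojan.Win32.Agent.BA"),
                 ("Users_3", "Internet", "Trojan.Win32.Agent.BA")]:
        print(flow, "->", sample_decision(*flow))
```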

Threat Emulation

The Need for Threat Emulation

Cyber-threats continue to multiply, and now it is easier than ever for criminals to create new malware that can easily bypass existing protections. On a daily basis, these criminals can change the malware signature and make it virtually impossible for signature-based products to protect networks against infection. Threat Emulation can protect your network against new malware, zero-day vulnerabilities and targeted attacks.

Threat Emulation gives networks the necessary protection against unknown threats in files that are downloaded from the Internet or attached to emails. When emulation is done on a file:

ThreatCloud Emulation

You can securely send files to the Check Point ThreatCloud for emulation. The ThreatCloud is always up-to-date with the latest Threat Emulation releases.

Sample ThreatCloud Emulation Workflow

  1. The Security Gateway gets a file from the Internet or an external network.
  2. The Security Gateway compares the cryptographic hash of the file with the database.
    • If the file is already in the database, no additional emulation is necessary
    • If the file is not in the database, it is necessary to run full emulation on the file
  3. The file is sent over an SSL connection to the ThreatCloud.
  4. The virtual computers in the ThreatCloud run emulation on the file.
  5. The emulation results are sent securely to the Security Gateway for the applicable action.

Sample ThreatCloud Deployment

  • 1 - Internet and external networks
  • 2 - Perimeter Security Gateway
  • 3 - Computers and servers in the internal network
  • 4 - Check Point ThreatCloud servers

Using Cloud Emulation

Files are sent to the Check Point ThreatCloud over a secure SSL connection for emulation. The emulation in the ThreatCloud is identical to emulation in the internal network, but it uses only a small amount of CPU, RAM, and disk space of the Security Gateway. The ThreatCloud is always up-to-date with all available operating system environments.

Best Practice - For ThreatCloud emulation, the Security Gateway must connect to the Internet. Make sure that the DNS and proxy settings are configured correctly in Global Properties.

To enable ThreatCloud emulation:

  1. In the Gateways & Servers view, double-click the Security Gateway object.

    The Gateway Properties window opens.

  2. From the Network Security tab, select Threat Emulation.

    The Threat Emulation First Time Configuration Wizard opens and shows the Emulation Location page.

  3. Select ThreatCloud Emulation Service.
  4. Click Next.

    The Summary page opens.

  5. Click Finish to enable Threat Emulation and close the First Time Configuration Wizard.
  6. Click OK.

    The Gateway Properties window closes.

  7. Install Policy.

Creating a Threat Prevention Policy

The Threat Prevention profile applies to these Software Blades:

Note - If you make changes to IPS and one of the other Threat Prevention Software Blades, you must install both the Access Control and Threat Prevention policy.

Overview of Creating a Threat Prevention Policy

After you enable the IPS and Threat Prevention Software Blades on the Security Gateways, configure the Threat Prevention policy.

This is the high-level workflow to create and deploy a Threat Prevention policy:

  1. Update the IPS database and Malware database with the latest protections.
  2. Configure an IPS and Threat Prevention Rule Base with the Threat Prevention profile as the Action of the rule.
  3. Install the Access Control and Threat Prevention policy.

Optimized Protection Profile Settings

Check Point defined the Optimized profile to give excellent security with good performance for the gateway.

These are the goals of the Optimized profile, and the settings that achieve those goals:

  • Apply settings to the IPS and Threat Prevention Software Blades (Blades Activation) - Activate the profile for IPS, Anti-Bot, Anti-Virus, and Threat Emulation.
  • Do not have a critical effect on performance (Performance impact) - Activate protections that have a Medium or lower effect on performance.
  • Protect against important threats (Severity) - Protect against threats with a severity of Medium or above.
  • Reduce false positives (Confidence) - Set to Prevent the protections with an attack confidence of Medium or High. Set to Detect the protections with a confidence of Low.

Newly downloaded IPS protections are set to Detect. They are activated according to the IPS Newly Updated Protections.
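How the Optimized profile settings above (and the all-Detect Monitoring_Profile clone described later under Monitoring Bot Activity) turn a protection's Performance Impact, Severity and Confidence Level into an Activation, as an added Python example that is not Check Point code. The ordinal level scale, the order of the checks, the handling of "Override with" and "Restore to profile settings", and the Example_* protection names are this example's assumptions.

```python
from dataclasses import dataclass, field, replace
from typing import Dict

# Added example (not Check Point code): a model of how a Threat Prevention
# profile decides the Activation of one protection from the attributes shown
# in the IPS Protections table. Thresholds and actions are the Optimized
# profile settings listed above; the ordinal scale, the check order and the
# protection names are assumptions made for this example.

LEVEL = {"Very Low": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class Protection:
    name: str
    performance_impact: str
    severity: str
    confidence: str
    newly_downloaded: bool = False


@dataclass
class Profile:
    name: str
    # "Activate protections that have a Medium or lower effect on performance"
    max_performance_impact: str = "Medium"
    # "Protect against threats with a severity of Medium or above"
    min_severity: str = "Medium"
    # "Prevent for Medium or High confidence, Detect for Low"
    confidence_action: Dict[str, str] = field(default_factory=lambda: {
        "Low": "Detect", "Medium": "Prevent", "High": "Prevent"})
    # "Newly downloaded IPS protections are set to Detect"
    new_protection_action: str = "Detect"
    # Manual per-protection settings ("Override with" in Protection Details)
    overrides: Dict[str, str] = field(default_factory=dict)

    def activation(self, p: Protection) -> str:
        """Activation this profile assigns to `p`: Prevent, Detect or Inactive."""
        if p.name in self.overrides:           # a manual override wins
            return self.overrides[p.name]
        if LEVEL[p.performance_impact] > LEVEL[self.max_performance_impact]:
            return "Inactive"                  # too expensive for this profile
        if LEVEL[p.severity] < LEVEL[self.min_severity]:
            return "Inactive"                  # below the severity threshold
        if p.newly_downloaded:
            return self.new_protection_action  # staged in Detect first
        return self.confidence_action[p.confidence]

    def override(self, protection_name: str, action: str) -> None:
        """'Override with': pin one protection to an action in this profile."""
        self.overrides[protection_name] = action

    def restore(self, protection_name: str) -> None:
        """'Restore to profile settings': drop the manual override."""
        self.overrides.pop(protection_name, None)


OPTIMIZED = Profile("Optimized")

# The Monitoring_Profile from "Monitoring Bot Activity": a clone of Optimized
# with every confidence level set to Detect, so nothing is blocked.
MONITORING = replace(OPTIMIZED, name="Monitoring_Profile",
                     confidence_action={"Low": "Detect", "Medium": "Detect",
                                        "High": "Detect"},
                     overrides={})

# Constructed sample protections (placeholder names, not real signatures).
SAMPLE_PROTECTIONS = [
    Protection("Example_Critical_RCE", "Low", "Critical", "High"),
    Protection("Example_Noisy_Scanner", "Medium", "Medium", "Low"),
    Protection("Example_Heavy_Parser", "High", "High", "High"),
    Protection("Example_Info_Leak", "Low", "Low", "High"),
    Protection("Example_New_Signature", "Low", "High", "High",
               newly_downloaded=True),
]


def activation_table(profile: Profile) -> Dict[str, str]:
    """Map each sample protection to its Activation under `profile`, like the
    profile_name column of the IPS Protections summary."""
    return {p.name: profile.activation(p) for p in SAMPLE_PROTECTIONS}


if __name__ == "__main__":
    for prof in (OPTIMIZED, MONITORING):
        print(prof.name)
        for name, action in activation_table(prof).items():
            print(f"  {name:24} {action}")
```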

To get quickly up and running with IPS and a Threat Prevention policy without making changes to the IPS profile, install this Threat Prevention Rule Base with the Optimized profile:

  • Name - Out-of-the-box Threat Prevention policy
  • Protected Scope - Any
  • Action - Optimized
  • Track - Log
  • Install On - Policy Targets

IPS and Threat Prevention Policy Use Cases

This section shows some sample IPS and Threat Prevention policies for different scenarios.

Getting up and Running with IPS and Threat Prevention

Scenario: I want to quickly protect my organization against intrusions

IPS Policy

  • Name - Out-of-the-box IPS policy
  • Source - Any
  • Destination - Any
  • Services - Any
  • Action - Optimized profile with these settings:
    • Activated for Threat Prevention Software Blades: All
    • Performance impact: Medium or lower
    • Severity: Medium or above
    • Confidence (Low\Medium\High): Detect\Prevent\Prevent
  • Install On - One or more Security Gateways with IPS enabled

Note - Install the Access Control and Threat Prevention policies.

Threat Prevention Policy

  • Name - Out-of-the-box Threat Prevention policy
  • Protected Scope - Any
  • Action - Optimized profile with these settings:
    • Activated for Threat Prevention Software Blades: All
    • Performance impact: Medium or lower
    • Severity: Medium or above
    • Confidence (Low\Medium\High): Detect\Prevent\Prevent
  • Track - Log, Packet Capture
  • Install On - Policy Targets

This scenario used the Optimized Threat Prevention profile.

Note - The Protection/Site column is used only for protection exceptions.

Monitoring bot activity without blocking traffic

Scenario: I want to monitor bot activity in my organization without blocking traffic at all. How can I do this?

Add this rule above the Out-of-the-box Threat Prevention policy to monitor bot activity:

  • Name - Monitor bot activity
  • Protected Scope - Any
  • Action - A profile with these changes relative to the Recommended_Profile: Confidence (Low\Medium\High): Prevent\Prevent\Prevent
  • Track - Log, Packet Capture
  • Install On - Policy Targets

Blocking bots

Scenario: I want to block bots in my organization. How can I do this?

You can block bots using the out-of-the-box Threat Prevention policy rule, with the Optimized profile:

  • Name - Out-of-the-box Threat Prevention policy
  • Protected Scope - Any
  • Action - Optimized profile
  • Track - Log, Packet Capture
  • Install On - Policy Targets

Blocking viruses and malware

Scenario: I want to block viruses and malware in my organization. How can I do this?

You can block viruses using the out-of-the-box Threat Prevention policy rule, with the Optimized profile:

  • Name - Out-of-the-box Threat Prevention policy
  • Protected Scope - Any
  • Action - Optimized profile
  • Track - Log, Packet Capture
  • Install On - Policy Targets

Disabling some protections for one server

Scenario: The protection Backdoor.Win32.Agent.AH detects malware on a server (Server_1). How can I disable this protection for this server only?

Add an exception to the specified Anti-Bot rule. This policy monitors bot activity in the organization without blocking traffic, but disables the Backdoor.Win32.Agent.AH protection on Server_1.

  • Rule: Monitor Bot
    • Protected Scope - Any
    • Protection - N/A
    • Action - A profile based on the Optimized profile, with these changes: Confidence (Low\Medium\High): Prevent\Prevent\Prevent
    • Track - Log, Packet Capture
    • Install On - Policy Targets
  • Exception: Exclude Server_1
    • Protected Scope - Server_1
    • Protection - Backdoor.Win32.Agent.AH
    • Action - Detect
    • Track - Log
    • Install On - Server_1

Threat Prevention Profiles

A Threat Prevention profile determines which protections are activated, and which Software Blades are enabled for the specified rule or policy. The protections that the profile activates depend on the:

A Threat Prevention profile applies to one or more of these Software Blades: IPS, Anti-Bot, Anti-Virus, and Threat Emulation.

Editing Profiles

You can change the settings of the IPS and Threat Prevention profile according to your requirements.

To edit a profile:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. From the Threat Tools section, click Profiles.

    The Profiles page opens.

  3. Right-click the profile and select Edit.

Creating Rules

The Threat Prevention policy determines how the system inspects connections for bots and viruses. The primary component of the policy is the Rule Base. The rules use the Malware database and network objects.

If you enable Identity Awareness on your gateways, you can also use Access Role objects as the scope in a rule. This lets you easily make rules for individuals or different groups of users.

There are no implied rules in the Rule Base. All traffic is allowed unless it is explicitly blocked.

Predefined Rule

When you enable the IPS or one of the Threat Prevention Software Blades, a predefined rule is added to the Rule Base. The rule defines that all traffic for all network objects, regardless of who opened the connection (the Protected Scope value equals Any), is inspected for all protections according to the recommended profile. By default, logs are generated and the rule is installed on all Security Gateways that use a Threat Prevention Software Blade.

Note - You cannot edit the settings of the predefined rule for the IPS Security Gateway.

The result of this rule (according to the Optimized profile) is that:

Use the Logs & Monitor page to show logs related to IPS and Threat Prevention traffic. Use the data there to better understand the use of these Software Blades in your environment and create an effective Rule Base. You can also directly update the Rule Base from this page.

You can add more exceptions that prevent or detect specified protections or have different tracking settings.

Creating Anti-Bot Rules

Here are examples of how to create different types of Anti-Bot rules.

Creating an Anti-Bot Policy

Create and manage the policy for the Anti-Bot Software Blade as part of the Threat Prevention Policy.

Blocking Bots

Scenario: I want to block bots in my organization. How can I do this?

In this example, install this default Threat Prevention rule, which uses the recommended profile, or create a new rule.

  • Protected Scope - Any
  • Action - Optimized
  • Track - Log, Packet Capture
  • Install On - Policy Targets

To block bots in your organization:

  1. In SmartConsole, click Gateways & Servers.
  2. Enable the Anti-Bot Software Blade on the Gateways that protect your organization. For each Gateway:
    1. Double-click the Gateway object.
    2. In the Gateway Properties page, select the Anti-Bot Software Blade.

      The First Time Activation window opens.

    3. Select According to the Anti-Bot and Anti-Virus policy.
    4. Click OK.
  3. Click Security Policies > Threat Prevention > Policy > Threat Prevention.

    You can block bots using the out-of-the-box Threat Prevention policy rule, with the default Optimized Profile and the previous rule.

    Alternatively, add a new Threat Prevention rule:

    1. Click Add Rule.

      A new rule is added to the Threat Prevention policy. The Software Blade applies the first rule that matches the traffic.

    2. Make a rule that includes these components:
      • Name - Give the rule a name such as Block Bot Activity.
      • Protected Scope - The list of network objects you want to protect. By default, the Any network object is used.
      • Action - The Profile that contains the protection settings you want. The default profile is Optimized.
      • Track - The type of log you want to get when detecting malware on this scope.
      • Install On - Keep it as Policy Targets or choose Gateways to install the rule on.
  4. Install the Threat Prevention policy.

Monitoring Bot Activity

Scenario: I want to monitor bot activity in my organization without blocking traffic at all. How can I do this?

In this example, you will create this Threat Prevention rule, and install the Threat Prevention policy:

  • Name - Monitor bot activity
  • Protected Scope - Any
  • Action - A profile that has these changes relative to the Optimized profile: Confidence (High\Medium\Low): Detect\Detect\Detect
  • Track - Log
  • Install On - Policy Targets

To monitor all bot activity:

  1. In SmartConsole, select Security Policies > Threat Prevention.
  2. Create a new profile:
    1. From the Threat Tools section, click Profiles.

      The Profiles page opens.

    2. Right-click a profile and select Clone.
    3. Give the profile a name such as Monitoring_Profile.
    4. Edit the profile, and under Activation Mode, configure all confidence level settings to Detect.
    5. Select the Performance Impact - for example, Medium or lower.

    This profile detects protections that are identified as an attack with low, medium or high confidence and have a medium or lower performance impact.

  3. Create a new rule:
    1. Click Threat Prevention > Policy > Threat Prevention.
    2. Add a rule to the Rule Base.

      The first rule that matches is applied.

    3. Make a rule that includes these components:
      • Name - Give the rule a name such as Monitor Bot Activity.
      • Protected Scope - Keep Any so the rule applies to all traffic in the organization.
      • Action - Right-click in this cell and select Monitoring_Profile.
      • Track - Keep Log.
      • Install On - Keep it as Policy Targets or choose Gateways to install the rule on.
  4. Install the Threat Prevention policy.

Disabling a Protection on a Specified Server

Scenario: The protection Backdoor.Win32.Agent.AH detects malware on a server (Server_1). How can I disable this protection for this server only?

In this example, create this Threat Prevention rule, and install the Threat Prevention policy:

  • Rule: Monitor Bot Activity
    • Protected Scope - Any
    • Protection/Site - N/A
    • Action - Optimized Profile
    • Track - Log
    • Install On - Policy Targets
  • Exception: Exclude
    • Protected Scope - Server_1
    • Protection/Site - Backdoor.Win32.Agent.AH
    • Action - Detect
    • Track - Log
    • Install On - Policy Targets

To add an exception to a rule:

  1. In SmartConsole, click Access Control > Threat Prevention > Policy > Threat Prevention.
  2. Click the rule that contains the scope of Server_1.
  3. Click the Add Exception toolbar button to add the exception under the rule. The first exception matched is applied.
  4. Right-click the rule and select New Exception.
  5. Configure these settings:
    • Name - Give the exception a name such as Exclude.
    • Protected Scope - Change it to Server_1 so that it applies to all detections on the server.
    • Protection/Site - Click + in the cell. From the drop-down menu, click the category and select one or more of the items to exclude.

      Note - To add EICAR files as exceptions, you must add them as Whitelist Files. EICAR files that are added through exceptions in policy rules are still blocked.

    • Action - Keep it as Detect.
    • Track - Keep it as Log.
    • Install On - Keep it as Policy Targets or choose specified gateways to install the rule on.
  6. Install the Threat Prevention policy.

Creating Anti-Virus Rules

Here are examples of how to create different types of Anti-Virus rules.

You can also use Anti-Virus rules to disable a specified malware protection.

Creating an Anti-Virus Policy

Create and manage the policy for the Anti-Virus Software Blade as part of the Threat Prevention Policy.

Blocking Viruses

To block viruses and malware in your organization:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.
  2. In the General Properties page, select the Anti-Virus Software Blade.

    The First Time Activation window opens.

  3. Select According to the Anti-Bot and Anti-Virus policy and click OK.
  4. Close the gateway Properties window and publish the changes.
  5. Click Security Policies > Threat Prevention > Policy > Threat Prevention.
  6. Click Add Rule.

    A new rule is added to the Threat Prevention policy. The Software Blade applies the first rule that matches the traffic.

  7. Make a rule that includes these components:
    • Name - Give the rule a name such as Block Virus Activity.
    • Protected Scope - The list of network objects you want to protect. In this example, the Any network object is used.
    • Action - The Profile that contains the protection settings you want. The default profile is Optimized.
    • Track - The type of log you want to get when detecting malware on this scope. In this example, keep Log and also select Packet Capture to capture the packets of malicious activity. You will then be able to view the actual packets in SmartConsole > Logs & Monitor > Logs.
    • Install On - Keep it as All or choose specified gateways to install the rule on.
  8. Install the Threat Prevention policy.
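The following is an added example, not Check Point code, that models how the Threat Prevention Rule Base is evaluated in the two procedures above: the first rule whose Protected Scope matches the host is applied, and under that rule the first matching exception overrides the profile's action. The rule and its exception are the ones from the Server_1 / Backdoor.Win32.Agent.AH table; the second rule is the Block Virus Activity rule. The action a profile takes for a protection (Optimized -> Prevent, Monitoring_Profile -> Detect), the host Server_2 and the protection name Other.Malware are assumptions made for the demonstration.

```python
"""Model of Threat Prevention rule matching with rule exceptions.

Added example, not Check Point code. First matching rule wins; within it the
first matching exception wins; otherwise the rule's profile action applies.
PROFILE_ACTIONS is an ASSUMPTION for illustration: real profiles decide per
protection by confidence, severity and performance impact.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

ANY = "Any"

# Assumed per-profile action (illustration only).
PROFILE_ACTIONS = {"Optimized": "Prevent", "Monitoring_Profile": "Detect"}


@dataclass
class Exception_:
    name: str
    protected_scope: str   # host name or ANY
    protection: str        # protection name or ANY
    action: str            # "Detect" / "Prevent" / "Inactive"


@dataclass
class Rule:
    name: str
    protected_scope: str   # host name or ANY
    profile: str           # profile name used as the rule's Action
    exceptions: list[Exception_] = field(default_factory=list)


def scope_matches(scope: str, host: str) -> bool:
    return scope == ANY or scope == host


def resolve(rules: list[Rule], host: str, protection: str) -> tuple[Optional[str], Optional[str]]:
    """Return (action, matched_by) for `protection` detected on `host`."""
    for rule in rules:
        if not scope_matches(rule.protected_scope, host):
            continue
        for exc in rule.exceptions:          # first matching exception wins
            if scope_matches(exc.protected_scope, host) and exc.protection in (ANY, protection):
                return exc.action, f"{rule.name} / {exc.name}"
        return PROFILE_ACTIONS[rule.profile], rule.name   # first matching rule wins
    return None, None  # no rule matched: nothing is enforced for this host


def shadowed_rules(rules: list[Rule]) -> list[str]:
    """Names of rules that can never match because an earlier rule's
    Protected Scope already covers everything theirs does."""
    shadowed = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.protected_scope in (ANY, rule.protected_scope):
                shadowed.append(rule.name)
                break
    return shadowed


# Rule base built from the page's two examples.
RULE_BASE = [
    Rule("Monitor Bot Activity", ANY, "Optimized",
         exceptions=[Exception_("Exclude", "Server_1", "Backdoor.Win32.Agent.AH", "Detect")]),
    Rule("Block Virus Activity", ANY, "Optimized"),
]

if __name__ == "__main__":
    # "Other.Malware" and "Server_2" are constructed names for the demo.
    print(resolve(RULE_BASE, "Server_1", "Backdoor.Win32.Agent.AH"))  # exception applies: Detect
    print(resolve(RULE_BASE, "Server_1", "Other.Malware"))            # profile applies: Prevent
    print(resolve(RULE_BASE, "Server_2", "Backdoor.Win32.Agent.AH"))  # profile applies: Prevent
    print(shadowed_rules(RULE_BASE))                                   # second Any rule never matches
```

The shadowing check is the practical point: because both rules have an Any scope, the Block Virus Activity rule placed below Monitor Bot Activity is never reached, so its profile and Packet Capture setting have no effect until the rule is moved above, or given a narrower scope than, the first rule.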

Installing the Threat Prevention Policy

The Anti-Bot, Anti-Virus and Threat Emulation Software Blades have a dedicated Threat Prevention policy. You can install this policy separately from the policy installation of the Access Control Software Blades. Install only the Threat Prevention policy to minimize the performance impact on the Security Gateways.

Settings for the IPS Software Blade are installed with the Access Control policy.

You can update the IPS, Anti-Bot, Anti-Virus and Threat Emulation Rule Base to give immediate coverage for new malware threats.

To install the Threat Prevention and Access Control policies:

  1. From the Global toolbar, click Install Policy.

    The Install Policy window opens showing the installation targets (Security Gateways).

  2. Select Access Control and Threat Prevention.
  3. Expand the Install Mode options, and click the applicable settings:
    • Install on each selected gateway independently - Install the policy on the selected Security Gateways without reference to the other targets. A failure to install on one Security Gateway does not affect policy installation on other gateways.

      If the gateway is a member of a cluster, install the policy on all the members. The Security Management Server makes sure that it can install the policy on all the members before it installs the policy on one of them. If the policy cannot be installed on one of the members, policy installation fails for all of them.

    • Install on all selected gateways, if it fails do not install on gateways of the same version - Install the policy on all installation targets. If the policy fails to install on one of the Security Gateways, the policy is not installed on other targets of the same version.
  4. Click OK.
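The following is an added example, not Check Point code, that models the two Install Mode options just described so the difference is concrete: in the independent mode each gateway is handled on its own, while a failure on one cluster member fails the whole cluster; in the same-version mode a failure on one gateway also stops installation on every other target of that version. That the cluster all-or-nothing rule applies in both modes is an assumption of the model, and the gateway names, versions and simulated failures are constructed inputs.

```python
"""Model of the two policy Install Mode options described on the page.

Added example, not Check Point code. Gateway names, versions and which
installs fail are constructed inputs; applying the cluster all-or-nothing
rule in both modes is an ASSUMPTION of this model.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Target:
    name: str
    version: str
    cluster: Optional[str] = None   # cluster name if the gateway is a cluster member


def plan_install(targets: list[Target], failing: set[str], mode: str) -> dict[str, str]:
    """Return name -> 'installed' | 'failed' | 'skipped' for a simulated run.

    mode: "independent"  - install on each selected gateway independently
          "same-version" - if it fails, do not install on gateways of the same version
    """
    if mode not in ("independent", "same-version"):
        raise ValueError(f"unknown install mode: {mode}")

    # A cluster gets the policy only if every member can take it.
    failed_clusters = {t.cluster for t in targets if t.cluster and t.name in failing}
    result: dict[str, str] = {}
    for t in targets:
        if t.name in failing or (t.cluster and t.cluster in failed_clusters):
            result[t.name] = "failed"
        else:
            result[t.name] = "installed"

    if mode == "same-version":
        # One failure blocks every other target running the same version.
        failed_versions = {t.version for t in targets if result[t.name] == "failed"}
        for t in targets:
            if result[t.name] == "installed" and t.version in failed_versions:
                result[t.name] = "skipped"
    return result


# Constructed installation targets for the demo.
TARGETS = [
    Target("gw-a", "R80.40"),
    Target("gw-b", "R80.40"),
    Target("cl-1a", "R81", cluster="cl-1"),
    Target("cl-1b", "R81", cluster="cl-1"),
    Target("gw-c", "R81"),
]

if __name__ == "__main__":
    for mode in ("independent", "same-version"):
        print(mode, "gw-a fails:", plan_install(TARGETS, {"gw-a"}, mode))
        print(mode, "cl-1a fails:", plan_install(TARGETS, {"cl-1a"}, mode))
```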

Updating the IPS and Malware Databases

The IPS protection database and the Malware database automatically download updates at regular intervals. This ensures that you have the latest IPS protections, and the most current data and newly added signatures and URL reputations in your Anti-Bot and Anti-Virus policy.

The Malware database only updates if you have a valid Anti-Bot, Threat Emulation and/or Anti-Virus contract.

By default, updates for Anti-Virus and Anti-Bot run on the Security Gateway every two hours. For IPS and Threat Emulation you must configure an update schedule. You can change the update schedule or choose to manually update the Security Gateway. The updates are stored in a few files on each Security Gateway.

Updating IPS Protections

Check Point constantly develops and improves its protections against the latest threats. You can manually update the database with the latest IPS protections.

Note - The Security Gateways with IPS enabled only get the updates after you install the Policy.

For troubleshooting or for performance tuning, you can revert to an earlier IPS protection package.

To manually update the IPS protections:

  1. In SmartConsole, click Security Policies > Threat Prevention.
  2. In the Threat Tools section, click Updates.
  3. In the IPS section, click Update Now.
  4. Install the Access Control policy.

To revert to an earlier protection package:

  1. In the IPS section of the Threat Prevention Updates page, click Switch to version.
  2. In the window that opens, select an IPS Package Version, and click OK.
  3. Install the Access Control policy.

Scheduling Updates

You can change the default schedule for when updates are automatically downloaded and installed. If you have Security Gateways in different time zones, their updates are not synchronized: one gateway can already have a new package while another has not yet updated.

To configure Threat Prevention scheduled updates:

  1. In SmartConsole, go to the Security Policies page and select Threat Prevention.
  2. In the Threat Tools section of the Threat Prevention Policy, click Updates.
  3. In the section for the applicable Software Blade, click Schedule Update.

    The Scheduled Update window opens.

  4. Make sure Enable <feature> scheduled update is selected.
  5. Click Configure.
  6. In the window that opens, set the Update at time and the frequency:
    • Daily - Every day
    • Days in week - Select days of the week
    • Days in month - Select dates of the month
  7. Click OK.
  8. Click Close.
  9. Install the policy for the applicable Software Blade:
    • For IPS updates on pre-R80 gateways, install the Access Control policy.
    • For Anti-Bot, Anti-Virus and Threat Emulation updates, and for IPS updates on R80.x gateways, install the Threat Prevention policy.
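The following is an added example, not Check Point code, that models the three schedule frequencies above (Daily, Days in week, Days in month) and shows why gateways in different time zones do not update together: the same "Update at 02:00" on two gateways falls on different UTC instants. That the schedule is interpreted in each gateway's local time, and the fixed UTC offsets used for the two example gateways (no DST handling), are assumptions made for the demonstration.

```python
"""Next scheduled update time, and the skew between gateways in different zones.

Added example, not Check Point code. ASSUMPTIONS: the schedule is evaluated
in each gateway's local time; zones are fixed UTC offsets (no DST).
"""
from __future__ import annotations

from datetime import datetime, time, timedelta, timezone


def matches_day(day: datetime, frequency: str, days: tuple[int, ...]) -> bool:
    if frequency == "daily":
        return True
    if frequency == "week":      # Days in week: Monday=0 .. Sunday=6
        return day.weekday() in days
    if frequency == "month":     # Days in month: 1..31
        return day.day in days
    raise ValueError(f"unknown frequency: {frequency}")


def next_update(now: datetime, update_at: time, frequency: str,
                days: tuple[int, ...] = ()) -> datetime:
    """First scheduled run strictly after `now`, in the same zone as `now`."""
    candidate = now.replace(hour=update_at.hour, minute=update_at.minute,
                            second=0, microsecond=0)
    for _ in range(62):          # two months covers any day-of-month rule
        if candidate > now and matches_day(candidate, frequency, days):
            return candidate
        candidate += timedelta(days=1)
    raise ValueError("no matching day within 62 days")


def update_instants_utc(now_utc: datetime, gateway_zones: dict[str, timezone],
                        update_at: time, frequency: str = "daily",
                        days: tuple[int, ...] = ()) -> dict[str, datetime]:
    """Next run of each gateway for the same local schedule, expressed in UTC."""
    return {
        name: next_update(now_utc.astimezone(tz), update_at, frequency, days).astimezone(timezone.utc)
        for name, tz in gateway_zones.items()
    }


def max_skew(instants: dict[str, datetime]) -> timedelta:
    """Largest gap between any two gateways' next update."""
    return max(instants.values()) - min(instants.values())


# Constructed inputs: Monday 2024-03-11 12:00 UTC, one gateway in GMT (UTC+0)
# and one in JST (UTC+9), both configured to update daily at 02:00 local time.
NOW_UTC = datetime(2024, 3, 11, 12, 0, tzinfo=timezone.utc)
GATEWAYS = {"gw-london": timezone.utc, "gw-tokyo": timezone(timedelta(hours=9))}

if __name__ == "__main__":
    runs = update_instants_utc(NOW_UTC, GATEWAYS, time(2, 0))
    for name, when in runs.items():
        print(name, when.isoformat())
    print("skew:", max_skew(runs))   # nine hours between the two updates
```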

Anti-Spam

Employees waste more and more time sorting through bulk emails, commonly known as spam. The amount of resources (disk space, network bandwidth, CPU) devoted to handling spam also increases from year to year. In addition, unwanted emails continue to grow and can be an unexpected security threat to networks: cyber-criminals can use email to bring viruses and malware into your network. The Anti-Spam and Mail Software Blade gives system administrators an easy and central tool to eliminate most of the spam that reaches their networks.

Enabling Anti-Spam

Use the Overview page in the Anti-Spam & Mail tab of SmartDashboard to enable Anti-Spam on a Security Gateway.

To enable Anti-Spam:

  1. In SmartConsole, go to Manage & Settings > Blades.
  2. In the Anti-Spam & Mail section, click Configure in SmartDashboard.

    SmartDashboard opens and shows the Overview page in the Anti-Spam & Mail tab.

  3. Click Anti-Spam.

    The Anti-Spam Enforcing Gateways window opens.

  4. Select one or more Security Gateways.
  5. Click OK.

Sample Configuration

Feature                       | Setting         | Description
------------------------------|-----------------|------------------------------------------------------------------------
Content based Anti-Spam       | High protection | Identifies spam based on email content
IP Reputation Anti-Spam       | High protection | Identifies spam based on an IP address database of known spammers
Block List Anti-Spam          | Block           | Identifies spam based on domains or IP addresses that you define
Mail Anti-Virus               | Block           | Scans and filters emails for viruses and other malware
Zero hour malware protection  | Off             | Does not scan the Internet to identify and filter new virus email attacks

The Zero hour malware protection feature is set to Off because enabling the feature has a negative effect on network performance.