Configuring Advanced Threat Emulation Settings

Updating Threat Emulation

Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE. connects to the ThreatCloud The cyber intelligence center of all of Check Point products. Dynamically updated based on an innovative global network of threat sensors and invites organizations to share threat data and collaborate in the fight against modern malware. to update the engine and the operating system images. The default setting for the Threat Emulation appliance is to automatically update the engine and images.

The default setting is to download the package once a day.

Best Practice - Configure Threat Emulation to download the package when there is low network activity.

Update packages for the Threat Emulation operating system images are usually more than 2GB. The actual size of the update package is related to your configuration.

To enable or disable Automatic Updates for Threat Emulation

Step	Instructions
1	In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., go to Security Policies > Threat Prevention > Custom Policy.
2	At the bottom section, in the Custom Policy Tools section, click Updates. The Updates page opens.
3	Under Threat Emulation, click Schedule Update.
4	Select or clear these settings: Enable Threat Emulation engine scheduled update Enable Threat Emulation images scheduled update
5	To configure the schedule for Threat Emulation engine or image updates, click Configure.
6	Configure the automatic update settings to update the database To update once a day, select At and enter the time of day To update multiple times a day, select Every and set the time interval To update once or more for each week or month: Select At and enter the time of day. Click Days. Click Days of week or Days of month. Select the applicable days.
7	Click OK, and then install the Threat Prevention policy.

Updating Threat Emulation Images

Update packages for the Threat Emulation operating system images are usually more than several Gigabytes. The actual size of the update package is related to your configuration.

The default setting is to download the package once a week on Sunday. If Sunday is a work day, we recommend that you change the update setting to a non-work day.

To update the operating system image for Threat Emulation on a gateway

Step	Instructions
1	In SmartConsole, select Security Policies > Threat Prevention.
2	From the Custom Policy Tools section, click Updates. The Updates page opens.
3	Under Threat Emulation, click Update Images.
4	Select a gateway. Click OK.
5	Install the Threat Prevention policy.

Fine-Tuning the Threat Emulation Appliance

You can change these advanced settings on the Threat Emulation appliance to fine-tune Threat Emulation for your deployment.

Configuring the Emulation Limits

To prevent too many files that are waiting for emulation, configure these emulation limits settings:

Maximum file size (up to 100,000 KB)
Maximum time that the Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. does emulation
Maximum time that a file waits for emulation in the queue (for Threat Emulation appliance only)

If emulation is not done on a file for one of these reasons, the Fail Mode settings for Threat Prevention define if a file is allowed or blocked, (see Fail Mode).

Select the behavior of the ThreatSpect engine if it is overloaded or fails during inspection. For example, if the Anti-Bot Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT. inspection is terminated in the middle because of an internal failure. By default, in such a situation all traffic is allowed.

Allow all connections (Fail-open) - All connections are allowed in a situation of engine overload or failure (default).
Block all connections (Fail-close) - All connections are blocked in a situation of engine overload or failure.

You can configure the maximum amount of time that a file waits for the Threat Emulation Software Blade to do emulation of a file. There is a different setting that configures the maximum amount of time that emails are held in the MTA, (see Configuring the Security Gateway as a Mail Transfer Agent).

If the file is waiting for emulation more than the maximum time:

Threat Emulation Software Blade - The Threat Prevention profile settings define if a file is allowed or blocked
MTA - The MTA settings define if a file is allowed or blocked

To configure the emulation limits

Step	Instructions
1	In the Threat Prevention tab, select Advanced > Engine Settings. The Engine Settings pane opens.
2	From the Threat Emulation Settings section, click Configure settings. The Threat Emulation Settings window opens.
3	Configure the settings for the emulation limits.
4	From When limit is exceeded traffic is accepted with track, select the action if a file is not sent for emulation: None - No action is done Log - The action is logged Alert - An alert is sent to SmartView Monitor
5	Click OK, and then install the policy.

Configuring Emulation Limits

To configure the emulation limits

Step	Instructions
1	In SmartConsole, select Manage & Settings > Blades > Threat Prevention > Advanced Settings. The Threat Emulation Engine Settings window opens.
2	Click Configure settings. The Threat Emulation Settings window opens.
3	Configure the settings for the emulation limits.zzz From when limit is exceeded traffic is accepted with track, select the action if a file is not sent for emulation: None - No action is done Log - The action is logged Alert - An alert is sent to SmartView Monitor
4	Click OK, and then install the policy.

Changing the Local Cache

When a Threat Emulation analysis finds that a file is clean, the file hash is saved in a cache. Before Threat Emulation sends a new file to emulation, it compares the new file to the cache. If there is a match, it is not necessary to send it for additional emulation. Threat Emulation uses the cache to help optimize network performance. We recommend that you do not change this setting.

To change the local cache

Step	Instructions
1	In the Threat Prevention tab, select Advanced > Engine Settings. The Engine Settings pane opens.
2	From the Threat Emulation Settings section, click Configure settings. The Threat Emulation Settings window opens.
3	From Number of file hashes to save in local cache, configure the number of file hashes that are stored in the cache.
4	Click OK, and then install the policy.

Changing the Size of the Local Cache

To change the size of the local cache

Step	Instructions
1	In SmartConsole, go to Manage & Settings > Blades > Threat Prevention > Advanced Settings. The Threat Prevention Engine Settings window opens.
2	Click Configure Settings. The Threat Emulation Settings window opens.
3	From Number of file hashes to save in local cache, configure the number of file hashes that are stored in the cache.
4	Click OK, and then install the policy.

Threat Emulation Virtual Interface

The Threat Emulation appliance must have a virtual IP address and netmask to do file emulation. This setting is not used for emulation in the ThreatCloud.

Important - Only change this virtual IP address if it is already used in your network.

To change the IP address of the virtual interface

Step	Instructions
1	In SmartConsole, go to Manage & Settings > Blades > Threat Prevention.
2	Under Threat Prevention, click Advanced Settings.
3	Scroll down and from the Threat Emulation Settings section, click Configure settings. The Threat Emulation Settings window opens.
4	Enter the Network and Mask for the IP address for the virtual interface.
5	Click OK, and then install the policy.