Configuring Mail Settings
General
- Emulate emails for malicious content (requires Threat Emulation) - When this option and the Threat Emulation blade are enabled, the Threat Emulation blade scans SMTP traffic. (Threat Emulation: Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE.)
- Scan emails for viruses (requires Anti-Virus) - When this option and the Anti-Virus blade are enabled, the Anti-Virus blade scans SMTP traffic. (Anti-Virus: Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV.)
- Extract potentially malicious attachments (requires Threat Extraction) - When this option and the Threat Extraction blade are enabled, the Threat Extraction blade scans SMTP traffic. (Threat Extraction: Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX.)
Malicious Email Policy on MTA Gateways
In this section you can decide whether to block or allow an email which was found malicious.
- Remove attachments and links - This option is selected by default. A link or an attachment found malicious is replaced with a neutralized version. The neutralized email version is sent to the recipient with a customizable template. Click Configure to edit the template:
  - Malicious Attachments - Replaced by a neutralized txt file. You can customize the message which the user receives. To add more file-related information to your message, click Insert Field (for example: file name or MD5 hash).
  - Failed to Scan Attachments - If the scanning of the attachment fails and fail mode is set to fail-close, the attachment is replaced with a txt attachment. If fail mode is set to fail-open, the original attachment is allowed. To add more file-related information to your message, click Insert Field (for example: file name or MD5 hash).
  - Malicious Links - Replaced by a neutralized link. To add more link-related information to your message, click Insert Field (for example: neutralized URL).
- Add an X-Header to the email - Tag the email found malicious with an X-Header. The X-Header format is "X-Check Point-verdict: <verdict>; confidence: <confidence>". Example: "X-Check Point-verdict: malicious; confidence: high". With this option, you can configure the MTA Next Hop to quarantine all emails with a specific X-Header.
- Add a prefix to the email subject - Adds a prefix to the subject of an email found malicious. Example: you can add a warning message that the email is malicious. Click Configure to edit the prefix.
- Add customized text to the email body - This option adds a section at the beginning of the email body, based on a customizable template, with an optional placeholder for the verdicts of the links and attachments found malicious or failed to be scanned. The links are given in their neutralized versions, and attachments are only given by file names. Click Configure to edit the template.
- Send a copy to the following list - This option is available whether you allow or block the malicious email. With this option, the original email (with the malicious attachments and links) is attached to a new email, which contains the verdict list with the neutralized links and attachment file names, and the SMTP envelope information. You can configure the email content on the gateway. You can use this option for research purposes, for example when the Check Point Incident Response Team needs to examine the emails received in the organization for improved security and protection.
Use Case
The configuration in the Mail page lets you block or allow malicious emails. However, you may not want to make one global decision for all malicious emails, and would rather decide for each email separately, on a case-by-case basis. For that purpose, you need to create a system in which Threat Emulation allows the emails, but does not send them to the recipient right away. Instead, it puts them in a container where you can check them and then decide whether to block or allow them.

| Step | Instructions |
|---|---|
| 1 | Enable MTA on your gateway (see Configuring the Security Gateway as a Mail Transfer Agent). |
| 2 | Clone the Profile you wish to configure and rename it. |
| 3 | In the new profile, go to Mail > General > Malicious Email Policy on MTA Gateways and select Allow the email. |
| 4 | Clear Remove attachments and links. |
| 5 | Select Add an X-Header to the email. Note - When you add an X-Header to the email, the rest of the email is kept in its original form. The other options (Remove attachments and links, Add a prefix to the email subject and Add customized text to the email body) change the email, and therefore must be cleared. |
| 6 | Click OK. |
| 7 | Install Policy. |

In the Next Hop, configure a rule which quarantines all emails which were marked with an X-Header by the MTA. (Rule: set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.)
You can now see the emails in the Next Hop in their original forms and examine them. After you examine the emails in the Next Hop, you can decide whether to allow or block them.
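As an added example (not Check Point code), the following Python script shows what a Next Hop rule has to do with the X-Header described above: it parses "X-Check Point-verdict: <verdict>; confidence: <confidence>" out of a raw message and returns a quarantine or deliver decision. The header name and format are taken from this page as written; the sample messages and the confidence values that trigger quarantine are constructed assumptions, not Check Point defaults.

```python
"""Added example (not Check Point code): evaluate the verdict X-Header that the
Check Point MTA adds to an email found malicious, and apply a Next Hop
quarantine rule like the one in the use case above.

Assumptions: header name and format are taken from the page as written
("X-Check Point-verdict: <verdict>; confidence: <confidence>"); the sample
messages are constructed; the quarantine confidence list is illustrative."""

import re

VERDICT_HEADER = "X-Check Point-verdict"  # name exactly as written on the page

# "<verdict>; confidence: <confidence>"
_VERDICT_RE = re.compile(
    r"^\s*(?P<verdict>[^;]+?)\s*;\s*confidence\s*:\s*(?P<confidence>[A-Za-z]+)\s*$"
)


def split_headers(raw_message: str) -> list:
    """Split the header block of a raw message into (name, value) pairs.

    A small hand-written parser is used instead of the email package because
    the documented header name contains a space, which the standard library
    rejects as a field name. Folded continuation lines are joined.
    """
    head = raw_message.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:  # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return headers


def parse_verdict(raw_message: str, header_name: str = VERDICT_HEADER):
    """Return (verdict, confidence) in lower case, or None if the header is
    absent or not in the documented format."""
    for name, value in split_headers(raw_message):
        if name.lower() == header_name.lower():
            m = _VERDICT_RE.match(value)
            if m:
                return m.group("verdict").lower(), m.group("confidence").lower()
            return None  # header present but malformed: treat as untagged
    return None


def next_hop_action(raw_message: str, quarantine_confidences=("high", "medium")) -> str:
    """Decide what the Next Hop does with the email.

    Emails tagged malicious at a confidence listed in quarantine_confidences
    are held for review ("quarantine"); everything else is delivered. The
    confidence list is an illustrative policy choice, not a Check Point default.
    """
    verdict = parse_verdict(raw_message)
    if verdict is None:
        return "deliver"
    kind, confidence = verdict
    if kind == "malicious" and confidence in quarantine_confidences:
        return "quarantine"
    return "deliver"


# Constructed sample messages (not real traffic).
TAGGED = (
    "From: sender@example.com\n"
    "To: user@example.net\n"
    "Subject: Invoice\n"
    "X-Check Point-verdict: malicious; confidence: high\n"
    "\n"
    "See attached.\n"
)
CLEAN = "From: sender@example.com\nTo: user@example.net\nSubject: Hi\n\nHello\n"

if __name__ == "__main__":
    print(next_hop_action(TAGGED))  # quarantine
    print(next_hop_action(CLEAN))   # deliver
```

Because the MTA leaves the rest of the email untouched when only the X-Header option is selected, the quarantined copy the Next Hop holds is the original message, which is what makes the case-by-case review in the use case possible.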
Exceptions
You can exclude specific email addresses from the Threat Emulation or Threat Extraction protections.
| Step | Instructions |
|---|---|
| 1 | In Emulation Exceptions, click Configure. |
| 2 | In the Recipients section, click the + button to enter one or more emails. Emails and attachments that are sent to these recipients will not be sent for emulation. |
| 3 | In the Senders section, click the + button to enter one or more emails. Emails and attachments that are received from these senders will not be sent for emulation. Note - You can use a wildcard character to exclude more than one email address from a domain. |
| 4 | Click OK. |

Note - If you want to do emulation on outgoing emails, make sure that you set the Protected Scope to Inspect incoming and outgoing files.

| Step | Instructions |
|---|---|
| 1 | In Extraction Exclusion/Inclusion, select the users, groups or recipients, where: a user is an object that can contain an email address with other details; a group is an AD group or an LDAP group of users; a recipient is an email address only. Important - In the main SmartConsole menu > Global Properties > User Directory, make sure that you selected Use User Directory for Security Gateways. |
| 2 | Click OK. |

(SmartConsole: Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.)
Signed Email Attachments
Signed emails are not encrypted, but the mail contents are signed to authenticate the sender. If the received email differs from the email that was sent, the recipient gets a warning, and the digital signature is no longer valid.
Clean replaces the original attachment with an attachment cleaned of threats, or converts the attachment to PDF form. Both actions invalidate the digital signature. If the attachment does not include active content, the mail remains unmodified and the digital signature valid.
Allow does not change the email. The digital signature remains valid. Select this option to prevent altering digital signatures.
MIME Nesting
This is an optional configuration. In this section, you can configure the maximum number of MIME nesting levels to be scanned (a nesting level is an email within an email). These settings are the same for Anti-Virus, Threat Emulation and Threat Extraction.
- Maximum MIME nesting is (levels) - Set the maximum number of levels in the email which the engine scans.
- When nesting level is exceeded (action on file) - If there are more MIME nested levels than the configured amount, select whether to Block or Allow the email.
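As an added example (not Check Point code), the following Python script makes the two settings above concrete: it measures how many "email within an email" levels a message carries (each inner email is a message/rfc822 MIME part) and applies a configured maximum with a Block or Allow action when that maximum is exceeded. The sample messages are constructed, and the assumption that a flat email has depth 0 with one level counted per message/rfc822 wrapper is the example's own; the page does not state how the gateway numbers levels internally.

```python
"""Added example (not Check Point code): measure the MIME nesting depth of an
email (an email within an email is carried as a message/rfc822 part) and apply
the "When nesting level is exceeded" setting. Sample messages are constructed.
Assumption: one level is counted per message/rfc822 wrapper, so a flat email
has depth 0; the page does not say how the gateway numbers levels internally."""

import email
from email import policy


def nesting_depth(msg) -> int:
    """Return how many message/rfc822 levels lie below msg (0 for a flat email)."""
    deepest = 0
    if msg.is_multipart():  # multipart/* and message/rfc822 both carry a list payload
        for part in msg.get_payload():
            child = nesting_depth(part)
            if part.get_content_type() == "message/rfc822":
                child += 1  # this part wraps a whole inner email
            deepest = max(deepest, child)
    return deepest


def depth_of(raw_message: str) -> int:
    """Parse a raw message and return its nesting depth."""
    return nesting_depth(email.message_from_string(raw_message, policy=policy.default))


def nesting_action(raw_message: str, max_levels: int, exceeded_action: str = "Block") -> str:
    """Apply the MIME Nesting settings.

    max_levels is "Maximum MIME nesting is (levels)"; exceeded_action is the
    configured "When nesting level is exceeded" choice ("Block" or "Allow").
    """
    if exceeded_action not in ("Block", "Allow"):
        raise ValueError("exceeded_action must be 'Block' or 'Allow'")
    if depth_of(raw_message) > max_levels:
        return exceeded_action
    return "Allow"


def wrap(inner_raw: str, level: int) -> str:
    """Build a constructed email that forwards inner_raw as a message/rfc822 part."""
    boundary = f"level{level}-boundary"
    return (
        "From: sender@example.com\n"
        "To: user@example.net\n"
        f"Subject: forwarded, level {level}\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/mixed; boundary="{boundary}"\n'
        "\n"
        f"--{boundary}\n"
        "Content-Type: text/plain\n"
        "\n"
        "See the forwarded message.\n"
        f"--{boundary}\n"
        "Content-Type: message/rfc822\n"
        "\n"
        f"{inner_raw}"
        f"--{boundary}--\n"
    )


# Constructed samples: a flat email and the same email wrapped 1, 2 and 3 times.
FLAT = "From: sender@example.com\nSubject: plain\nContent-Type: text/plain\n\nhello\n"
DEPTH1 = wrap(FLAT, 1)
DEPTH2 = wrap(DEPTH1, 2)
DEPTH3 = wrap(DEPTH2, 3)

if __name__ == "__main__":
    for name, raw in (("FLAT", FLAT), ("DEPTH1", DEPTH1), ("DEPTH2", DEPTH2), ("DEPTH3", DEPTH3)):
        print(name, depth_of(raw), nesting_action(raw, max_levels=2))
```

The depth is computed over the whole tree rather than stopping at the first inner email, so a message that hides a deeply nested branch inside an otherwise shallow structure is still measured by its deepest branch, which is the case the Block action exists for.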