Configuring Threat Emulation Settings on the Security Profile
Before you define the scope for Threat Prevention, you must make sure that your DMZ interfaces are configured correctly.
| Step | Instructions |
|---|---|
| 1 | From the left navigation panel, click Gateways & Servers. |
| 2 | Double-click the Security Gateway object. |
| 3 | From the left navigation tree, click Network Management. |
| 4 | Double-click a DMZ interface. |
| 5 | In the General page of the Interface window, click Modify. |
| 6 | In the Topology Settings window, click Override and select Interface leads to DMZ. |
| 7 | Click OK. |
Do this procedure for each interface that goes to the DMZ.
If the Threat Emulation settings in the profile conflict with the Threat Emulation settings on the Security Gateway, the profile settings are used.
| Step | Instructions |
|---|---|
| 1 | In SmartConsole, select Security Policies > Threat Prevention. |
| 2 | From the Custom Policy Tools section, click Profiles. The Profiles page opens. |
| 3 | Right-click the profile, and click Edit. |
| 4 | From the navigation tree, go to Threat Emulation and configure the settings described in the sections below. |
| 5 | Click OK and close the Threat Prevention profile window. |
| 6 | Install the Threat Prevention policy. |

Important - To emulate a file, the Security Gateway must receive the full file. Threat Emulation does not work on a file if only a part of it was downloaded.
Threat Emulation General Settings
On the Threat Emulation > General page, you can configure these settings:
UserCheck Settings
- Prevent - Select the UserCheck message that opens for a Prevent action.
- Ask - Select the UserCheck message that opens for an Ask action.
Protected Scope
- Inspect incoming files from the following interfaces - Sends only incoming files from the specified interface type for inspection. Outgoing files are not inspected. Select an interface type from the list:
  - External - Inspect incoming files from external interfaces. Files from the DMZ and internal interfaces are not inspected. Example: A company's firewall is configured to inspect files received from external sources, such as emails or cloud services, while not interfering with internal file transfers.
  - External and DMZ - Inspect incoming files from external and DMZ interfaces. Files from internal interfaces are not inspected. Example: An organization's perimeter security system inspects files entering through both external connections and the Demilitarized Zone (DMZ), ensuring a thorough evaluation of potential threats.
  - All - Inspect all incoming files from all interface types. Example: A highly secure environment demands inspection of files from all possible interfaces, including both external and internal sources, to maintain a comprehensive defense against any potential malicious activity.
- Inspect incoming and outgoing files - Sends all incoming and outgoing files for inspection. Example: In a scenario where bidirectional traffic monitoring is crucial, a network security system is configured to inspect both incoming and outgoing files, ensuring end-to-end protection against potential threats.
Protocols
- Web (HTTP/HTTPS)
- FTP
- SMB
- Mail (SMTP/POP3) - Click Mail to configure the SMTP traffic inspection by the Threat Emulation Software Blade. This links you to the Mail page of the Profile settings (see Configuring Mail Settings).
File Types
Here you can configure the Threat Emulation Action and Emulation Location for each file type scanned by the Threat Emulation Software Blade.
- Process all enabled file types - This option is selected by default. Click the blue link to see the list of supported file types. Out of the supported file types, select the files to be scanned by the Threat Emulation Software Blade.
  Note - You can also find this list of supported file types in Manage & Settings view > Blades > Threat Prevention > Advanced Settings > Threat Emulation > File Type Support.
- Process specific file type families - Click Configure to change the action or emulation location for the scanned file types.
  To change the emulation action for a file type, click the applicable action in the Action column and select one of these options:
  - Inspect - The Threat Emulation Software Blade scans these files.
  - Bypass - Files of this type are considered safe and the Software Blade does not do emulation for them.
  To change the emulation location for a file type, click Emulation Location and select one of these options:
  - According to gateway - The Emulation Location is according to the settings defined in the Gateway Properties window of each gateway.
  - Locally - Emulation for these file types is done on the gateway. This option is not supported for R80.40.
  - ThreatCloud - These file types are sent to the ThreatCloud for emulation.
  Note - If the emulation location selected in the profile is different from the emulation location configured on the Security Gateway, the profile settings override.
- Archives - Block archives containing these prohibited file types. Click Configure to select the prohibited file types. If a prohibited file type is in an archive, the gateway drops the archive.
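The Protected Scope, Protocols, File Types and Archives settings above combine into a single decision for each file: is it inspected at all, is the archive dropped, is the type bypassed, and where is it emulated. The following added example (illustration code, not Check Point's own) encodes those rules, including the profile-overrides-gateway rule for the emulation location, as a small policy evaluator so a planned profile can be checked against sample files before the policy is installed. Every class, field and sample value is an assumption made for this example.

```python
"""Policy evaluator for the Threat Emulation profile settings described above.

Added example, not Check Point code. All names and sample values are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Scope(Enum):
    EXTERNAL = "external"                  # incoming files from external interfaces only
    EXTERNAL_AND_DMZ = "external_and_dmz"  # incoming files from external and DMZ interfaces
    ALL = "all"                            # incoming files from every interface type
    INCOMING_AND_OUTGOING = "both"         # all files, in both directions


class Action(Enum):
    INSPECT = "inspect"   # the file is sent for emulation
    BYPASS = "bypass"     # the file type is treated as safe; no emulation


@dataclass
class Profile:
    scope: Scope
    protocols: frozenset                                   # e.g. {"http", "ftp", "smb", "smtp"}
    file_types: dict = field(default_factory=dict)         # file type -> Action (specific file type families)
    default_action: Action = Action.INSPECT                # applies to enabled types not listed above
    prohibited_in_archives: frozenset = frozenset()        # Archives: member types that drop the archive
    emulation_location: dict = field(default_factory=dict) # file type -> "Locally" / "ThreatCloud";
                                                           # no entry means "According to gateway"


@dataclass
class FileEvent:
    interface: str               # "external", "dmz" or "internal"
    direction: str               # "incoming" or "outgoing"
    protocol: str
    file_type: str
    archive_members: tuple = ()  # file types found inside the archive, if the file is one


_SCOPE_INTERFACES = {
    Scope.EXTERNAL: {"external"},
    Scope.EXTERNAL_AND_DMZ: {"external", "dmz"},
    Scope.ALL: {"external", "dmz", "internal"},
}


def in_protected_scope(profile, ev):
    """Protected Scope rule: only the selected direction and interface types are inspected."""
    if profile.scope is Scope.INCOMING_AND_OUTGOING:
        return True
    if ev.direction != "incoming":
        return False  # outgoing files are never inspected in the incoming-only scopes
    return ev.interface in _SCOPE_INTERFACES[profile.scope]


def decide(profile, ev, gateway_location="ThreatCloud"):
    """Return (decision, emulation_location) for one file.

    decision is "not_in_scope", "protocol_not_inspected", "drop_archive",
    "bypass" or "emulate"; emulation_location is set only for "emulate".
    """
    if not in_protected_scope(profile, ev):
        return "not_in_scope", None
    if ev.protocol not in profile.protocols:
        return "protocol_not_inspected", None
    # Archives: one prohibited member type is enough for the gateway to drop the whole archive
    if ev.archive_members and set(ev.archive_members) & profile.prohibited_in_archives:
        return "drop_archive", None
    if profile.file_types.get(ev.file_type, profile.default_action) is Action.BYPASS:
        return "bypass", None
    # A location chosen in the profile overrides the gateway setting;
    # "According to gateway" (no entry) falls back to the gateway's own setting.
    location = profile.emulation_location.get(ev.file_type, gateway_location)
    return "emulate", location


if __name__ == "__main__":
    # Constructed sample profile and traffic, not real configuration
    profile = Profile(
        scope=Scope.EXTERNAL_AND_DMZ,
        protocols=frozenset({"http", "smtp"}),
        file_types={"exe": Action.BYPASS},
        prohibited_in_archives=frozenset({"exe"}),
        emulation_location={"pdf": "Locally"},
    )
    samples = [
        FileEvent("internal", "incoming", "http", "pdf"),
        FileEvent("dmz", "incoming", "ftp", "pdf"),
        FileEvent("external", "incoming", "http", "zip", ("docx", "exe")),
        FileEvent("external", "incoming", "http", "exe"),
        FileEvent("external", "incoming", "http", "pdf"),
        FileEvent("external", "incoming", "smtp", "docx"),
    ]
    for ev in samples:
        print(ev.interface, ev.direction, ev.protocol, ev.file_type, "->", decide(profile, ev))
```

The order of the checks mirrors the order in which the settings narrow the traffic: scope first, then protocol, then archive contents, then the per-type action, and only then the location. Running the sample shows, for instance, that an archive whose members include a prohibited type is dropped before its own file-type action is ever consulted.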
Threat Emulation Environment
You can use the Emulation Environment window to configure the emulation location and images that are used for this profile:
- The Analysis Locations section lets you select where the emulation is done.
  - To use the Security Gateway settings for the location of the virtual environment, click According to the gateway.
  - To configure the profile to use a different location of the virtual environment, click Specify and select the applicable option.
- The Environments section lets you select the operating system images on which the emulation is run. If the images defined in the profile and on the Security Gateway or Threat Emulation appliance are different, the profile settings are used. These are the options to select the emulation images:
  - To use the emulation environments recommended by Check Point security analysts, click Use Check Point recommended emulation environments.
  - To select other images for emulation that are closest to the operating systems of the computers in your organization, click Use the following emulation environments.
Threat Emulation Advanced Settings
- Emulation Connection Handling Mode lets you configure Threat Emulation to allow or block a connection while it finishes the analysis of a file. The handling mode you select affects the form of the file that the user receives and the timing at which the user receives it. This section explains the difference between the Threat Emulation handling modes and the interaction between the Threat Emulation and Threat Extraction components with regard to the selected handling mode.
  The first part of the section explains what happens when Threat Emulation works with Threat Extraction disabled, and the second part explains how the Threat Emulation and Threat Extraction components work together. You can also specify a different mode for SMTP and HTTP services. To configure the settings for the Threat Emulation handling mode, go to Security Policies > Threat Prevention > Policy > right-click a profile > Threat Emulation > Advanced.
Selecting an Emulation connection handling mode when Threat Extraction is disabled
If Threat Emulation reaches a verdict regarding a file within 3 seconds or less:
- If the file is benign, the gateway sends the original file to the user.
- If the file is malicious, the gateway blocks the page.
If Threat Emulation takes longer than 3 seconds to check the file:
- In Rapid Delivery mode - The gateway sends the original file to the user (even if it turns out eventually that the file is malicious).
- In Maximum Prevention mode - The user waits for Threat Emulation to complete. If the file is benign, the gateway sends the original file to the user. If the file is malicious, the gateway presents a Block page and the user does not get access to the file. Maximum Prevention mode gives you more security, but may cause time delays in downloading files.
- In Custom mode - You can set a different handling mode for SMTP and HTTP. For example, you can set HTTP to Rapid Delivery and SMTP to Maximum Prevention.
Selecting an Emulation connection handling mode when Threat Extraction is enabled
With Threat Extraction, the gateway removes potentially malicious parts from downloaded or attached files and delivers them instantly to the user. Threat Emulation continues to run in the background and examines the original files. Threat Extraction supports certain file types, primarily Microsoft Office files and PDFs, but not all file types (for example, executables).
- If Threat Emulation rules that the file is benign, the user gets access to the original file, using the link in the file itself or in the email body banner, without help desk overhead.
- If Threat Emulation rules that the file is malicious, the original file is blocked and the user only gets access to the cleaned file.
This way administrators can ensure maximum security without harming end-user productivity.
This behavior is the same for both the Rapid Delivery and Maximum Prevention modes. Nevertheless, if you select Maximum Prevention, you can configure an even more restrictive mode in the CLI, such that:
- The user always waits for Threat Emulation to complete, even if the file is supported by Threat Extraction.
- The user receives the file only if the file is deemed benign, and if the file is supported by Threat Extraction, it is also cleaned. To configure this mode, see sk146593.
When Threat Extraction is enabled but the file is not supported by Threat Extraction, the user cannot receive a cleaned version of the file. The behavior is therefore the same as when Threat Extraction is disabled: in Rapid Delivery mode, the user gets the original file, and in Maximum Prevention mode, the user waits for the Threat Emulation verdict.
Best Practice:
If Threat Extraction is enabled, use Maximum Prevention as your handling mode (without the extra preventive CLI configuration). Because most files that users work with on a daily basis are documents, which are supported by Threat Extraction, the time penalty for waiting for the non-supported files is manageable. Users are able to receive most files in a timely manner. If Threat Extraction is disabled, select the handling mode based on balancing your security needs against time constraints.
If you use the Prevent action, a file that Threat Emulation already identified as malware is blocked. Users cannot get the file even in Rapid Delivery mode.
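The two handling-mode subsections above describe one decision tree: the 3-second verdict window, Rapid Delivery versus Maximum Prevention, the Custom per-protocol mode, what changes when Threat Extraction is enabled and supports the file type, the stricter CLI-configured mode referenced as sk146593, and the Prevent action for files already known to be malware. The following added example (illustration code, not Check Point's own) puts those rules in one function so that the outcome for a given mode and file can be checked, for example when deciding between the modes for HTTP and SMTP. Function and parameter names are assumptions made for this example.

```python
"""What the user receives under each Emulation Connection Handling Mode.

Added example, not Check Point code. Function and parameter names are assumptions.
"""
from enum import Enum

VERDICT_WINDOW_SECONDS = 3  # a verdict within this window is treated as immediate


class Mode(Enum):
    RAPID_DELIVERY = "rapid_delivery"
    MAXIMUM_PREVENTION = "maximum_prevention"


def effective_mode(mode, protocol, custom=None):
    """Custom mode: a per-protocol map such as
    {"http": Mode.RAPID_DELIVERY, "smtp": Mode.MAXIMUM_PREVENTION} takes precedence."""
    if custom is not None:
        return custom[protocol]
    return mode


def delivery_outcome(mode, verdict, verdict_seconds, *, tex_enabled=False,
                     tex_supported=False, strict_cli_mode=False, known_malware=False):
    """Return (delivered, waited) for one file.

    delivered: "original", "cleaned", "cleaned_then_original" (cleaned copy now,
               original available through the link once the verdict is benign)
               or "blocked".
    waited:    True when the user waits for a Threat Emulation verdict that takes
               longer than VERDICT_WINDOW_SECONDS before receiving anything.
    verdict:   "benign" or "malicious".
    """
    if known_malware:
        # Prevent action: a file already identified as malware is blocked in every mode
        return "blocked", False
    # The stricter CLI mode only exists on top of Maximum Prevention
    strict = strict_cli_mode and mode is Mode.MAXIMUM_PREVENTION
    if tex_enabled and tex_supported and not strict:
        # Cleaned copy delivered immediately; emulation of the original runs in the background
        return ("cleaned_then_original" if verdict == "benign" else "cleaned"), False
    if strict:
        # User always waits; gets the file only if benign, cleaned when Threat Extraction supports it
        if verdict != "benign":
            return "blocked", True
        return ("cleaned" if tex_supported else "original"), True
    # Threat Extraction disabled, or the file type is not supported by it
    if verdict_seconds <= VERDICT_WINDOW_SECONDS:
        return ("original" if verdict == "benign" else "blocked"), False
    if mode is Mode.RAPID_DELIVERY:
        return "original", False  # delivered even if the verdict later turns out malicious
    # Maximum Prevention: the user waits for the verdict
    return ("original" if verdict == "benign" else "blocked"), True


if __name__ == "__main__":
    # Constructed scenarios, not captured data: Custom mode with HTTP on Rapid Delivery
    # and SMTP on Maximum Prevention, as in the example given in the text
    custom = {"http": Mode.RAPID_DELIVERY, "smtp": Mode.MAXIMUM_PREVENTION}
    scenarios = [
        ("http", "malicious", 10, {}),
        ("smtp", "malicious", 10, {}),
        ("http", "malicious", 10, {"tex_enabled": True, "tex_supported": True}),
        ("smtp", "benign", 10, {"tex_enabled": True, "tex_supported": True, "strict_cli_mode": True}),
        ("http", "malicious", 10, {"tex_enabled": True, "tex_supported": False}),
    ]
    for protocol, verdict, seconds, extra in scenarios:
        mode = effective_mode(Mode.RAPID_DELIVERY, protocol, custom)
        print(protocol, mode.name, verdict, f"{seconds}s", extra, "->",
              delivery_outcome(mode, verdict, seconds, **extra))
```

The scenario list makes the trade-off in the Best Practice visible: with Threat Extraction enabled, a supported document is delivered cleaned without any wait in either mode, so only the unsupported types (executables, for instance) pay the Maximum Prevention waiting time, whereas in Rapid Delivery those same unsupported files reach the user before a late malicious verdict.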
- Static Analysis optimizes file analysis by doing an initial analysis on files. If the analysis finds that the file is simple and cannot contain malicious code, the file is sent to the destination without additional emulation. Static analysis significantly reduces the number of files that are sent for emulation. If you disable it, you increase the percentage of files that are sent for full emulation. The Security Gateways do static analysis by default, and you have the option to disable it.
- Logging lets you configure the system to generate logs for each file after emulation is complete. If Log every file scanned is enabled, then every file that is selected in Threat Emulation > General > File Types is logged, even if no operation is performed on it. If Log every file scanned is disabled, malicious files are still logged.
Use Case
Configuring Threat Emulation location
Corp X is located in ThreatLand. The ThreatLand law does not allow you to send sensitive documents to cloud services which are outside of the country. The system administrator of Corp X has to configure the location for the Threat Emulation analysis, so that it is not done outside of the country.

| Step | Instructions |
|---|---|
| 1 | In the Gateways & Servers view, double-click a Security Gateway, go to Threat Emulation > Analysis Location. |
| 2 | Select: |
| 3 | Click OK. |

Note - You can also configure the Threat Emulation analysis location in the profile settings. Go to Security Policies > Threat Prevention > Profiles > double-click a profile > Threat Emulation > Emulation Environment > Analysis Location > Specify.