Using the Reputation Service to Allow or Block Applications

The Check Point Reputation Service is an online service that gathers information about applications and classifies them as approved or not approved. The classifications are based on the recommendations of Check Point security experts and the hash value of the signed certificate of the application.

The Endpoint Security client uses the recommendation of the Reputation Service for the application, together with the permission setting for the application in the Application ControlClosed Check Point Software Blade on a Security Gateway that allows granular control over specific web-enabled applications by using deep packet inspection. Acronym: APPI. policy, to decide whether to allow or block the application.

For example, if an application is configured in the Application Control Policy as Unidentified (Allow), and the Reputation Service recommendation for the application is Not Approved, the application is blocked. However, if the administrator explicitly configures the Application Control policy to Allow or Block the application, the policy setting overrides the recommendation of the Reputation Service.

The Endpoint Security client allows or blocks applications according to the following logic:

Reputation Service recommendation for the application

Application Control Policy setting for the application

Decision by the Endpoint Security Client

Approved
  • (Unidentified) Allow
  • (Unidentified) Block
  • Allow
Allow
Approved
  • Block
Block
Not Approved
  • (Unidentified) Allow
  • (Unidentified) Block
  • Block
Block

Not Approved

  • Allow

Allow

Pre-Requisites for Using the Reputation Service

Using the Reputation Service with a Proxy

If your environment includes a proxy server for Internet access, do the configuration steps below to let the Endpoint Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. connect to the Check Point Reputation Service Server through the proxy server. Note that all configuration entries are case-sensitive.

If your organization uses a proxy server for HTTP and HTTPS traffic, you must configure the Endpoint Security Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. to work with the proxy server.

To configure use of a proxy server:

  1. From the Endpoint Security Management Server command line, run: cpstop.

  2. Go to $UEPMDIR/engine/conf and open the local.properties file in a text editor.

  3. Add a line for these properties:

    • The proxy server IP address:

      http.proxy.host=<IP address>

    • The proxy server listening port (typically 8080):

      http.proxy.port=<port>

    • If authentication is enabled on the proxy server, add these lines:

      Do not add these lines if authentication is not required.

      http.proxy.user=<username>

      http.proxy.password=<password>

    Make sure that you delete (or do not insert) the '#' character at the beginning of these lines. If you do not do this, all applications are blocked when trying to access the Internet.

  4. Save $UEPMDIR/engine/conf/local.properties and then close the text editor.

  5. Run: cpstart.

Enabling the Reputation Service

In the Policy tab > Application Control ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session., select the action: Enable Reputation Service.