Configuring Anti-Virus Settings

You can configure Threat Prevention to exclude files from inspection, such as internal emails and internal file transfers. These settings are based on the interface type (internal or external, as defined in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.) and traffic direction (incoming or outgoing).

Before you define the scope for Threat Prevention, you must make sure that your DMZ interfaces are configured correctly. To do this, follow the steps in the table below.

To check DMZ interface configuration

Step	Instructions
1	In SmartConsole, click Gateways & Servers and double-click the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.. The gateway window opens and shows the General Properties page.
2	From the navigation tree, click Network Management and then double-click a DMZ interface.
3	In the General page of the Interface window, click Modify.
4	In the Topology Settings window, click Override and Interface leads to DMZ.
5	Click OK and close the gateway window. Perform this procedure for each interface that goes to the DMZ.

You can configure these Anti-Virus settings in the Anti-Virus page

Anti-Virus UserCheck Settings:
- Prevent - Select the UserCheck Functionality in your Security Gateway or Cluster and endpoint clients that gives users a warning when there is a potential risk of data loss or security violation. This helps users to prevent security incidents and to learn about the organizational security policy. message that opens for a Prevent action.
- Ask - Select the UserCheck message that opens for an Ask action.
Protected Scope:
- Inspect incoming files from:
  
  Sends only incoming files from the specified interface type for inspection. Outgoing files are not inspected. Select an interface type from the list:
  - External - Inspect incoming files from external interfaces. Files from the DMZ and internal interfaces are not inspected.
  - External and DMZ - Inspect incoming files from external and DMZ interfaces. Files from internal interfaces are not inspected.
  - All - Inspect all incoming files from all interface types.
- Inspect incoming and outgoing files - Sends all incoming and outgoing files for inspection.
The Protocols that Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV. scans:
- Web (HTTP/HTTPS)
- FTP
- SMB
- Mail (SMTP or POP3) - Click Mail to configure the SMTP traffic inspection. This links you to the Mail page of the Profile settings, (see Configuring Mail Settings).
File Types:
- Process file types known to contain malware
  
  To view the list of file types known to contain malware and analyzed by Anti-Virus, see: sk142552
- Process all file types -Select Enable deep inspection scanning, if needed. Remember, it impacts performance.
- Process specific file types families

To configure the specific file type families:

Step	Instructions
1	Click Configure.
2	In the File Types Configuration window, for each file type, select the Anti-Virus action for the file type.
3	Click OK to close the File Types Configuration window.

Archives - You can configure the Anti-Virus profile to enable archive scanning. (see Enabling Archive Scanning).

Enabling Archive Scanning

You can configure the Anti-Virus settings to enable archive scanning. The Anti-Virus engine unpacks archives and applies proactive heuristics. The use of this feature impacts network performance.

Select Enable Archive scanning (impacts performance) and click Configure:

Setting	Description
Stop processing archive after (seconds)	Sets the amount in seconds to stop processing the archive. The default is 30 seconds.
When maximum time is exceeded (action on file)	Sets to block or allow the file when the time for processing the archive is exceeded. The default setting is Allow.

Blocking Viruses

To block viruses and malware in your organization

Step

Instructions

In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

In the General Properties page, select the Anti-Virus Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities.
The First Time Activation window opens.

Select According to the Anti-Bot and Anti-Virus policy.

Click OK.

Click OK to close the Security Gateway Properties window.

Publish the SmartConsole session.

Click Security Policies > Threat Prevention > Policy > Threat Prevention.

Click Add Rule.

A new rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. is added to the Threat Prevention policy.

The Software Blade applies the first rule that matches the traffic.

Make a rule that includes these columns:

Name

Give the rule a name such as Block Virus Activity.
Protected Scope

The list of network objects you want to protect.

In this example, the Any network object is used.
Action

The Profile that contains the protection settings you want (see Profiles Pane).

The default profile is Optimized.
Track

The type of log you want to get when detecting malware on this scope.

In this example, keep Log and also select Packet Capture to capture the packets of malicious activity.

You will then be able to view the actual packets in SmartConsole > Logs & Monitor > Logs.
Install On

Keep it as All or choose specified Security Gateways, on which to install the rule.

Install the Threat Prevention Policy.

The IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System)., Anti-Bot Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT., Anti-Virus, Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE. and Threat Extraction Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX. Software Blades have a dedicated Threat Prevention policy.You can install this policy separately from the policy installation of the Access Control Software Blades.

Best Practice - Install only the Threat Prevention policy to minimize the performance impact on the Security Gateways.

Additionally Supported Protocols for Anti-Virus

In addition to HTTP, FTP, SMB and SMTP protocols, which you can select in the SmartConsole GUI, the Anti-Virus Software Blade also supports the IMAP and POP3 protocols.

Procedure to activate Anti-Virus inspection for IMAP and POP3 protocols

Step	Instructions
1	Connect to the command line on your Security Gateway.
2	Log in to the Expert mode.
3	Back up the `$FWDIR/conf/malware_config` file: `cp -v $FWDIR/conf/malware_config{,_BKP}`
4	Edit the `$FWDIR/conf/malware_config` file: `vi $FWDIR/conf/malware_config`
5	Change the value of the applicable parameter: To activate IMAP protocol support: In the "`[imap]`" section, change the value of the parameter "`imap_av_policy_on`" from "`0`" to "`1`". To activate POP3 protocol support: In the "`[temp_for_av_profile]`" section, change the value of the parameter "`pop3_enabled`" from "`0`" to "`1`".
6	Save the changes in the file and exit the editor.
7	In SmartConsole, install Threat Prevention Policy.