Configuring Threat Emulation Settings

Before you define the scope for Threat Prevention, you must make sure that your DMZ interfaces are configured correctly.

To verify DMZ interface configuration

Step	Instructions
1	From the left navigation panel, click Gateways & Servers.
2	Double-click the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object.
3	From the left navigation tree, click Network Management.
4	Double-click a DMZ interface.
5	In the General page of the Interface window, click Modify.
6	In the Topology Settings window, click Override and select Interface leads to DMZ.
7	Click OK.

Do this procedure for each interface that goes to the DMZ.

If there is a conflict between the Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE. settings in the profile and for the Security Gateway, the profile settings are used.

To configure Threat Emulation settings for a Threat Prevention profile

Step	Instructions
1	In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., select Security Policies > Threat Prevention.
2	From the Custom Policy Tools section, click Profiles. The Profiles page opens.
3	Right-click the profile, and click Edit.
4	From the navigation tree, go to Threat Emulation and configure these settings: Threat Emulation General Settings Threat Emulation Environment Threat Emulation Advanced Settings
5	Click OK and close the Threat Prevention profile window.
6	Install the Threat Prevention policy.

Important - To emulate a file, the Security Gateway must receive the full file. Threat Emulation does not work on a file if only a part of it was downloaded.

Threat Emulation General Settings

On the Threat Emulation > General page, you can configure these settings:

UserCheck Settings

Prevent - Select the UserCheck Functionality in your Security Gateway or Cluster and endpoint clients that gives users a warning when there is a potential risk of data loss or security violation. This helps users to prevent security incidents and to learn about the organizational security policy. message that opens for a Prevent action
Ask - Select the UserCheck message that opens for an Ask action

Protected Scope

Protocols

File Types

Here you can configure the Threat Emulation Action and Emulation Location for each file type scanned by the Threat Emulation Software Blade.

Select one of these file types

Process all enabled file types - This option is selected by default. Click the blue link to see the list of supported file types. Out of the supported file types, select the files to be scanned by the Threat Emulation Software Blade.

Note - You can find this list of supported file types also in Manage & Settings view > Blades > Threat Prevention > Advanced Settings > Threat Emulation > File Type Support.

Process specific file type families - Click Configure to change the action or emulation location for the scanned file types.

To change the emulation action for a file type, click the applicable action in the Action column and select one of these options:

Inspect - The Threat Emulation Software Blade scans these files.
Bypass - Files of this type are considered safe and the Software Blade does not do emulation for them.

To change the emulation location for a file type, click Emulation Location and select one of these options:

According to gateway - The Emulation Location is according to the settings defined in the Gateway Properties window of each gateway.
Locally - Emulation for these file types is done on the gateway. This option is not supported for R80.40.
ThreatCloud The cyber intelligence center of all of Check Point products. Dynamically updated based on an innovative global network of threat sensors and invites organizations to share threat data and collaborate in the fight against modern malware. - These file types are sent to the ThreatCloud for emulation.

Note - If the emulation location selected in the profile is different than the emulation location configured on the Security Gateway, then the profile settings override.

Threat Emulation Environment

You can use the Emulation Environment window to configure the emulation location and images that are used for this profile:

The Analysis Locations section lets you select: where the emulation is done.
- To use the Security Gateway settings for the location of the virtual environment, click According to the gateway.
- To configure the profile to use a different location of the virtual environment, click Specify and select the applicable option.
The Environments section lets you select the operating system images on which the emulation is run. If the images defined in the profile and the Security Gateway or Threat Emulation appliance are different, the profile settings are used.

These are the options to select the emulation images:
- To use the emulation environments recommended by Check Point security analysts, click Use Check Point recommended emulation environments.
- To select other images for emulation, that are closest to the operating systems for the computers in your organization, click Use the following emulation environments.

Threat Emulation Advanced Settings

Emulation Connection Handling Mode lets you configure Threat Emulation to allow or block a connection while it finishes the analysis of a file. You can also specify a different mode for SMTP and HTTP services. See the The Threat Emulation Solution chapter for details.
Static Analysis optimizes file analysis by doing an initial analysis on files. If the analysis finds that the file is simple and cannot contain malicious code, the file is sent to the destination without additional emulation. Static analysis significantly reduces the number of files that are sent for emulation. If you disable it, you increase the percentage of files that are sent for full emulation. The Security Gateways do static analysis by default, and you have the option to disable it.
Logging lets you configure the system to generate logs for each file after emulation is complete. If Log every file scanned is enabled, then every file that is selected in Threat Emulation > General > File Types is logged, even if no operation is performed on it. If Log every file scanned is disabled, malicious files are still logged.

Additionally Supported Protocols for Threat Emulation

In addition to HTTP, FTP and SMTP protocols, which you can select in the SmartConsole, the Threat Emulation Software Blade also supports the IMAP and POP3 protocols:

To activate IMAP protocol support

Step	Instructions
1	Connect to the command line on your Security Gateway.
2	Log in to the Expert mode.
3	Back up this file: `$FWDIR/conf/malware_config` Run: `cp -v $FWDIR/conf/malware_config{,_BKP}`
4	Edit this file: `$FWDIR/conf/malware_config` Run: `vi $FWDIR/conf/malware_config`
5	In the `[imap]` section, change the value of this parameter: `imap_av_policy_on` from "`0`" to "`1`"
6	Save the changes in the file and exit the Vi editor.
7	Install Policy.

To activate POP3 protocol support

Step	Instructions
1	Connect to the command line on the Security Gateway.
2	Log in to the Expert mode.
3	Back up the file: `$FWDIR/conf/malware_config` Run: `cp -v $FWDIR/conf/malware_config{,_BKP}`
4	Edit the file: `$FWDIR/conf/malware_config` Run: `vi $FWDIR/conf/malware_config`
5	In the `[temp_for_av_profile]` section, change the value of the parameter `pop3_enabled` from "`0`" to "`1`".
6	Save the changes in the file, and then exit the Vi editor.
7	Install Policy.

Use Case

Configuring Threat Emulation location

Corp X is located in ThreatLand. The ThreatLand law does not allow you to send sensitive documents to cloud services which are outside of the country. The system administrator of Corp X has to configure the location for the Threat Emulation analysis, so that it is not done outside of the country.

To configure the Threat Emulation analysis location

Step	Instructions
1	In the Gateways & Servers view, double-click a gateway, go to Threat Emulation > Analysis Location.
2	Select: Locally (not supported for R80.40) OR Remote Emulation Appliances. Click the + sign to select the applicable gateways from the drop-down list.
3	Click OK.

Step

Instructions

In the Gateways & Servers view, double-click a gateway, go to Threat Emulation > Analysis Location.

Select:

Locally (not supported for R80.40)

Remote Emulation Appliances. Click the + sign to select the applicable gateways from the drop-down list.

Click OK.

Note - You can also configure Threat Emulation analysis location in the profile settings. Go to Security Policies > Threat Prevention > Profiles > double-click a profile > Threat Emulation > Emulation Environment > Analysis Location > Specify.