Configuring Threat Extraction Settings

Note - You can configure some of the Threat Extraction features in a configuration file, in addition to SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. and the CLI. See sk114613.

Threat Extraction General Settings

On the Threat Extraction > General page, you can configure these settings:

UserCheck Settings

• Allow the user to access the original file

• Allow access to original files that are not malicious according to Threat Emulation

  Note - This option is only configurable when the Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE. Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. is activated on the General Properties pane of the profile.

• UserCheck Message

  You can create or edit UserCheck Functionality in your Security Gateway or Cluster and endpoint clients that gives users a warning when there is a potential risk of data loss or security violation. This helps users to prevent security incidents and to learn about the organizational security policy. messages on the UserCheck page (see ).

  Select a message to show the user when the user receives the clean file.

  In this message, the user selects if they want to download the original file or not.

  Selecting the success or cancellation messages of the file download

  Step	Instructions
  1	Go to Manage & Settings.
  2	Select Blades > Threat Prevention.
  3	Select Advanced Settings > UserCheck (see ).

  You can customize a UserCheck message only for SMTP files. For HTTP files (supported on Security Gateways R80.30 and above), the message which the user gets is not customizable in SmartConsole. You can only customize it on the gateway.

  Optional

  To give the user access to the original email, you can add the Send Original Mail field in the Threat Extraction Success Page.

  Step	Instructions
  1	Go to Threat Prevention.
  2	Select Custom Policy Tools > UserCheck > Threat Extraction > Success Page.
  3	Right-click > Clone.
  4	Click inside the message > Insert Field, and then select Send Original Mail. The Send Original Mail is added to the message body.

Protocol

• Web (HTTP/HTTPS) - Supported from Security Gateways R80.30 and above. To allow web support, enable HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi., (see HTTPS Inspection > section "Enabling HTTPS Inspection"). By default, Threat Extraction web support works on these standard ports: HTTP - Port 80, HTTPS - Port 443, HTTPS Proxy - Port 8080.

  To enable web support on other ports, create a new TCP service. In General > Protocol select HTTP, and in Match By, select Customize and enter the required port number.

  Notes: After a file is scanned by the Threat Extraction Software Blade, the user receives a message on the action that was done on the file. To customize the message, see sk142852. Threat Extraction web support applies to web downloads, but not web uploads.

• Mail (SMTP) - Click Mail to configure the SMTP traffic inspection by the Threat Extraction Software Blade. This links you to the Mail page of the Profile settings, (see Configuring Mail Settings).

For information on storage of the original files, see Storage of Original Files.

Extraction Method

• Extract potentially malicious parts from files - Selected by default

  Click Configure to select which malicious parts the Software Blade extracts. For example, macros, JavaScript, images and so on.

• Convert to PDF - Converts the file to PDF, and keeps text and formatting.

  Best Practice - If you use PDFs in right-to-left languages or Asian fonts, preferably select Extract files from potential malicious parts to make sure that these files are processed correctly.

Extraction Settings

• Process all files

  Selected by default.

• Process malicious files when the confidence level is

  Set a Low, Medium, or High confidence level. This option is only configurable when the Threat Emulation Software Blade is activated in the General Properties pane of the profile.

File Types

• Process all enabled file types - This option is selected by default. Click the blue link to see the list of supported file types. Out of the supported file types, select the files to be scanned by the Threat Extraction Software Blade.

  Note - You can find this list of supported file types also in Manage & Settings view > Blades > Threat Prevention > Advanced Settings > Threat Extraction > Configure File Type Support.

• Process specific file type families

  Here you can configure a different extraction method for certain file types. Click Configure to see the list of enabled file types and their extraction methods. To change the extraction method for a file type, right-click the file type and select: bypass, clean or convert to PDF. You can select a different extraction method for Mail and Web.

Notes: Supported file types for web are: Word, Excel, PowerPoint and PDF. For e-mail attachments: For jpg, bmp, png, gif, and tiff files - Threat Extraction supports only extraction of potentially malicious content. For hwp, jtd, eps files - Threat Extraction supports only conversion to PDF. For Microsoft Office and PDF files and all other file types on the list - Threat Extraction supports both extraction of potentially malicious content and conversion to PDF. You can also configure supported file types in the configuration file. For explanation, see sk112240.

Protected Scope

Threat Extraction protects incoming files from external interfaces and DMZ. The user cannot configure the protected scope.

Threat Extraction Advanced Settings

On the Threat Extraction > Advanced page, you can configure these settings:

• Logging

  • Log only those files from which threats were extracted - Logs only files on which an operation was performed (clean or convert).

  • Log every file -Every file that is selected in Threat Extraction > General > File Types is logged, even if no operation was performed on them.

• Threat Extraction Exceptions

  • Corrupted files

    Block or Allow corrupted files attached to the email or downloaded from the web. Corrupted files are files the Software Blade fails to process, possibly because the format is incorrect. Despite the incorrect format, the related application (Word, Adobe Reader) can sometimes show the content.

    Block removes the corrupted file and sends the recipient a text which describes how the file contained potentially malicious content. You can block corrupt files if they are malicious according to Threat Emulation. If the action is block, you can deny access to the original corrupted file.

    Allow lets the recipient receive the corrupted file.

  • Encrypted files

    Block or Allow encrypted files attached to the email or downloaded from the web.

    Block removes the encrypted file and sends the recipient a text file which describes how the file contained potentially malicious content.

    If the action is block, you can also deny access to the original encrypted file.

    Allow lets the recipient receive the encrypted file.

Use Cases

Scenario 1: Excluding senders from scanning

Scanning takes time and resources, so if you know a source is safe, you may want to stop scanning the reports from this source.

Example:

• Control and Monitoring systems that send daily reports to IT departments.

• Reports sent by a Mail Relay server about spam emails that it stopped.

Scenario 2: Allowing digitally signed emails without scanning

The attorneys at the legal department in Corp X send and receive contracts and other legal documents signed with a digital signature. According to Corp X's Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection., the Threat Extraction blade scans all files received by the legal department. A digital signature must show the authenticity of a document. If the Threat Extraction blade scans the document, the digital signature can no longer prove the document's authenticity. The configuration, therefore, must allow digitally signed emails.

In the profile settings > Mail > Exceptions > Threat Extraction Exceptions > Signed email attachments, the default option is Allow. This configuration makes sure that when you receive a digitally signed email, it will be allowed with no scanning, so the form of the email does not change.

Scenario 3:

For security reasons, the IT department in Corp X changed the default extraction method in the Threat Prevention profile from Extract potentially malicious parts from files to Convert to PDF.

The economists in the Finance Department in Corp X receive certain files by email in excel formats, or download excel files from the Web, and must work on them in the files' original format. To keep the excel files in their original formats you must set the Threat Extraction to clean the files and not convert them to PDF.