Configuring Advanced Threat Emulation Settings
Updating Threat Emulation
Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE. connects to the ThreatCloud
The cyber intelligence center of all of Check Point products. Dynamically updated based on an innovative global network of threat sensors and invites organizations to share threat data and collaborate in the fight against modern malware. to update the engine and the operating system images. The default setting for the Threat Emulation appliance is to automatically update the engine and images.
The default setting is to download the package once a day.
|
Best Practice - Configure Threat Emulation to download the package when there is low network activity. |
Update packages for the Threat Emulation operating system images are usually more than 2GB. The actual size of the update package is related to your configuration.

Step |
Instructions |
---|---|
1 |
In SmartConsole |
2 |
From the Custom Policy Tools section, click Updates. The Updates page opens. |
3 |
Under Threat Emulation, click Schedule Update. |
4 |
Select or clear these settings:
|
5 |
To configure the schedule for Threat Emulation engine or image updates, click Configure. |
6 |
![]()
|
7 |
Click OK, and then install the Threat Prevention policy. |
Updating Threat Emulation Images
Update packages for the Threat Emulation operating system images are usually more than several Gigabytes. The actual size of the update package is related to your configuration.
The default setting is to download the package once a week on Sunday. If Sunday is a work day, we recommend that you change the update setting to a non-work day.

Step |
Instructions |
---|---|
1 |
In SmartConsole, select Security Policies > Threat Prevention. |
2 |
From the Custom Policy Tools section, click Updates. The Updates page opens. |
3 |
Under Threat Emulation, click Update Images. |
4 |
Select a gateway. Click OK. |
5 |
Install the Threat Prevention policy. |
Fine-Tuning the Threat Emulation Appliance
You can change these advanced settings on the Threat Emulation appliance to fine-tune Threat Emulation for your deployment.
Configuring the Emulation Limits
To prevent too many files that are waiting for emulation, configure these emulation limits settings:
-
Maximum file size (up to 100,000 KB)
-
Maximum time that the Software Blade
Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. does emulation
-
Maximum time that a file waits for emulation in the queue (for Threat Emulation appliance only)
If emulation is not done on a file for one of these reasons, the Fail Mode settings for Threat Prevention define if a file is allowed or blocked, (see Fail Mode).
Select the behavior of the ThreatSpect engine if it is overloaded or fails during inspection. For example, if the Anti-Bot Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT. inspection is terminated in the middle because of an internal failure. By default, in such a situation all traffic is allowed.
-
Allow all connections (Fail-open) - All connections are allowed in a situation of engine overload or failure (default).
-
Block all connections (Fail-close) - All connections are blocked in a situation of engine overload or failure.
You can configure the maximum amount of time that a file waits for the Threat Emulation Software Blade to do emulation of a file. There is a different setting that configures the maximum amount of time that emails are held in the MTA, (see Configuring the Network to Use an MTA).
If the file is waiting for emulation more than the maximum time:
-
Threat Emulation Software Blade - The Threat Prevention profile settings define if a file is allowed or blocked
-
MTA - The MTA settings define if a file is allowed or blocked

Step |
Instructions |
---|---|
1 |
In the Threat Prevention tab, select Advanced > Engine Settings. The Engine Settings pane opens. |
2 |
From the Threat Emulation Settings section, click Configure settings. The Threat Emulation Settings window opens. |
3 |
Configure the settings for the emulation limits. |
4 |
From When limit is exceeded traffic is accepted with track, select the action if a file is not sent for emulation:
|
5 |
Click OK, and then install the policy. |
Configuring Emulation Limits

Step |
Instructions |
---|---|
1 |
In SmartConsole, go to Manage & Settings > Blades > Threat Prevention > Advanced Settings. The Threat Emulation Engine Settings window opens. |
2 |
Click Configure settings. The Threat Emulation Settings window opens. |
3 |
Configure the settings for the emulation limits.zzz
|
4 |
Click OK, and then install the policy. |
Changing the Local Cache
When a Threat Emulation analysis finds that a file is clean, the file hash is saved in a cache. Before Threat Emulation sends a new file to emulation, it compares the new file to the cache. If there is a match, it is not necessary to send it for additional emulation. Threat Emulation uses the cache to help optimize network performance. We recommend that you do not change this setting.

Step |
Instructions |
---|---|
1 |
In the Threat Prevention tab, select Advanced > Engine Settings. The Engine Settings pane opens. |
2 |
From the Threat Emulation Settings section, click Configure settings. The Threat Emulation Settings window opens. |
3 |
From Number of file hashes to save in local cache, configure the number of file hashes that are stored in the cache. |
4 |
Click OK, and then install the policy. |
Changing the Size of the Local Cache

Step |
Instructions |
---|---|
1 |
In SmartConsole, go to Manage & Settings > Blades > Threat Prevention > Advanced Settings. The Threat Prevention Engine Settings window opens. |
2 |
Click Configure Settings. The Threat Emulation Settings window opens. |
3 |
From Number of file hashes to save in local cache, configure the number of file hashes that are stored in the cache. |
4 |
Click OK, and then install the policy. |
Threat Emulation Virtual Interface
The Threat Emulation appliance must have a virtual IP address and netmask to do file emulation. This setting is not used for emulation in the ThreatCloud.
|
Important - Only change this virtual IP address if it is already used in your network. |

Step |
Instructions |
---|---|
1 |
In SmartConsole, go to Manage & Settings > Blades > Threat Prevention. |
2 |
Under Threat Prevention, click Advanced Settings. |
3 |
Scroll down and from the Threat Emulation Settings section, click Configure settings. The Threat Emulation Settings window opens. |
4 |
Enter the Network and Mask for the IP address for the virtual interface. |
5 |
Click OK, and then install the policy. |