Using the Reputation Service to Allow or Block Applications

The Check Point Reputation Service is an online service that gathers information about applications and classifies them as approved or not approved. The classifications are based on the recommendations of Check Point security experts and the hash value of the signed certificate of the application.

The Endpoint Security client uses the recommendation of the Reputation Service for the application, together with the permission setting for the application in the Application Control policy, to decide whether to allow or block the application.

For example, if an application is configured in the Application Control Policy as Unidentified (Allow), and the Reputation Service recommendation for the application is Not Approved, the application is blocked. However, if the administrator explicitly configures the Application Control policy to Allow or Block the application, the policy setting overrides the recommendation of the Reputation Service.

The Endpoint Security client allows or blocks applications according to the following logic:

Reputation Service recommendation for the application

Application Control Policy setting for the application

Decision by the Endpoint Security Client
Approved
  • (Unidentified) Allow
  • (Unidentified) Block
  • Allow
Allow
Approved
  • Block
 Block
Not Approved
  • (Unidentified) Allow
  • (Unidentified) Block
  • Block
 Block

Not Approved
  • Allow

Allow

Pre-Requisites for Using the Reputation Service

  • The Endpoint Security Management Server must have Internet access (on ports 80 and 443) to connect to the Check Point Reputation Service Server. Make sure that this traffic is allowed.

  • We recommend that you add the Reputation Service Server to your Trusted Zone. See Changing the Access Zones Policy.

Using the Reputation Service with a Proxy

If your environment includes a proxy server for Internet access, do the configuration steps below to let the Endpoint Security Management Server connect to the Check Point Reputation Service Server through the proxy server. Note that all configuration entries are case-sensitive.

If your organization uses a proxy server for HTTP and HTTPS traffic, you must configure the Endpoint Security Management Server to work with the proxy server.

To configure use of a proxy server:

  1. From the Endpoint Security Management Server command line, run: cpstop.

  2. Go to $UEPMDIR/engine/conf and open the local.properties file in a text editor.

  3. Add a line for these properties:

    • The proxy server IP address:

      http.proxy.host=<IP address>

    • The proxy server listening port (typically 8080):

      http.proxy.port=<port>

    • If authentication is enabled on the proxy server, add these lines:

      Do not add these lines if authentication is not required.

      http.proxy.user=<username>

      http.proxy.password=<password>

    Make sure that you delete (or do not insert) the '#' character at the beginning of these lines. If you do not do this, all applications are blocked when trying to access the Internet.

  4. Save $UEPMDIR/engine/conf/local.properties and then close the text editor.

  5. Run: cpstart.

Enabling the Reputation Service

In the Policy tab > Application Control rule, select the action: Enable Reputation Service.