Web & Files Protection

This category includes Download (web) Emulation & Extraction, Credential Protection and Files Protection.

URL Filtering

URL Filtering Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF. rules define which sites you can access in your organization. The URL Filtering policy is composed of the selected sites and the mode of operation applied to them.

Note: SmartEndpoint A Check Point GUI application which connects to the Endpoint Security Management Server, to manage your Endpoint Security environment - to deploy, monitor and configure Endpoint Security clients and policies. does not support the new capability. It is only supported for web users.

To create the URL Filtering policy:

1. Select the URL Filtering mode of operation:

   • Prevent - Currently supported only in Hold mode. The request to enter a site is suspended until a verdict regarding the site is received.

   • Detect - Allows access if a site is determined as malicious, but logs the traffic.

   • Off -URL Filtering is disabled.

2. Select the categories to which the URL Filtering policy applies:

   1. Go to Web & Files Protection > Advanced Settings > URL Filtering > Categories.

   2. Select the required categories:

      Note - For each category, click Edit to see the sub-categories you can select.

   3. Click OK.

3. Optional: You can select specific URLs to which access is denied. See Blacklisting.

4. If you want Harmony Endpoint to verify and filter all the URLs accessed by an application or a process, select the Enable Network URL Filtering checkbox. Otherwise, URL filtering is applied only to the URLs accessed through a browser.

The selected mode of operation now applies to the selected categories.

The user can access any site which was not selected in one of the categories or which was not blacklisted.

You can Allow user to dismiss the URL Filtering alert and access the website - This option is selected by default. This lets you access a site determined as malicious, if you think that the verdict is wrong. To do this, go to Advanced Settings > URL Filtering.

Blacklisting

You can define specific URLs or domains as blacklisted. These URLs/domains will be blocked automatically, while other traffic will be inspected by the URL Filtering rules. You can add the URLs/domain names manually or upload a CSV file with the URLs/domain names you want to include in the blacklist.

To add a URL to the blacklist:

1. Go to Advanced Settings > URL Filtering > Blacklist > Edit.

2. In the URLs pane, for each required URL, enter the URL and click the + sign

3. click OK.

Notes: You can use * and ? as wildcards for blacklisting. * is supported with any string. For example: A* can be ADomain or AB or AAAA. ? is supported with another character. For example, A? can be AA or AB or Ab.

To search for a URL:

1. Go to Advanced Settings > URL Filtering > Blacklist > Edit.

2. In the search box, enter the required URL.

   The search results appear in the URLs pane.

   You can edit or delete the URL.

To import URLs from an external source:

1. Go to Advanced Settings > URL Filtering > Blacklist > Edit.

2. Next to the search box, click the sign (import domains list from a 'csv' file).

3. Find the required file and click Open.

4. Click OK.

To export a list of URLs to from the Endpoint Security Management Server to an external source:

1. Go to Advanced Settings > URL Filtering > Blacklist > Edit.

2. Next to the search box, click the sign (export domains list to a 'csv' file).

3. Click OK.

Malicious Script Protection

Malicious Script Protection scans Uncategorized websites for embedded malicious JavaScripts. If the domain that hosts the script belongs to any one of these categories, then the page is blocked and the event is logged.

• Anonymizer

• Botnets

• Critical Risk

• High Risk

• Medium Risk

• Phishing

• Spam

• Spyware

• Malicious Sites

• Suspicious Content

Note - Ensure that you set URL Filtering Mode to either Prevent or Detect.If it is set to Prevent, the page is blocked and the event is logged. If it is set to Detect, the page is not blocked and the event is logged.

To specify malicious script protection:

• To enable malicious script protection, select Block websites where Malicious Scripts are found embedded in the HTML.

• To allow users to dismiss the malicious script security alert and access the website, select Allow user to dismiss the Malicious Scripts alert and access the website.

Download (Web) Emulation & Extraction

Harmony Endpoint browser protects against malicious files that you download to your device. For the browsers supported with the Harmony Endpoint Browser extension, see Harmony Browse Administration Guide.

Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE. detects zero-day and unknown attacks. Files on the endpoint computer are sent to a sandbox for emulation to detect evasive zero-day attacks. The following files types are supported:

Threat Emulation Supported File Types
7z aspx app1 arj bat bz2 CAB csv com cpl dll doc docx dot dotx dotm docm dmg dylib exe gz hwp iso img iqy jar	lnk msi msg O one pif pdf pkg ppt pptx pps pptm potx potm ppam ppsx ppsm ps1 qcow2 rar rtf sh scr sldx sldm	slk swf tar tbz2 tbz tb2 tgz udf uue wim wsf xar xlt xls xlsx xlm xltx xlsm xltm xlsb xla xlam xll xlw xz zip

Threat Extraction Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX. proactively protects users from malicious content. It quickly delivers safe files while the original files are inspected for potential threats.

To see the list of file types which are supported by Threat Emulation and Threat Extraction, go to Advanced Settings > Threat Emulation > Override Default File Actions > Edit.

These are the configuration options for supported file types:

• Prevent - Send files for emulation and extraction. For further configuration for supported files, go to Advanced Settings > Supported Files:

  • Get extracted copy before emulation completes - You can select one of these two options. The system appends .cleaned to the file name. For example, xxx.cleaned.

    • Extract potential malicious elements - The file is sent in its original file type but without malicious elements. Select which malicious parts to extract. For example, macros, Java scripts and so on.

    • Convert to PDF - Converts the file to PDF, and keeps text and formatting.

      Best Practice - If you use PDFs in right-to-left languages or Asian fonts, preferably select Extract files from potential malicious parts to make sure that these files are processed correctly.

  • Suspend download until emulation completes - The user waits for Threat Emulation to complete. If the file is benign, the gateway sends the original file to the user. If the file is malicious, the gateway presents a Block page and the user does not get access to the file. This option gives you more security, but may cause time delays in downloading files. The system downloads the file with the original file name.

  • Emulate original file without suspending access - The gateway sends the original file to the user (even if it turns out eventually that the file is malicious).

  • Allow - All supported files are allowed without emulation. This setting overrides the Prevent setting selected in the main page.

• Detect - Emulate original file without suspending access to the file and log the incident.

• Off - Allow file. No emulation or extraction is done. The download of all supported files is allowed.

Unsupported Files

File types which are not supported by Threat Emulation and Threat Extraction. Unsupported files types can be allowed or blocked. To configure, go to Advanced Settings > Download Protection > Unsupported Files. The settings selected here override the settings selected in the main page.

Additional Emulation Settings

Emulation Environments

To define the maximum size of files that are sent for emulation, go to Advanced Settings > Download Protection > Emulation Environments and specify the file size for Upload and emulate files under.

Notes - Only the Endpoint Security Client Application installed on end-user computers to monitor security status and enforce security policies. version E86.40 and higher support a maximum file size up to 100 MB. Client versions lower than E86.40 support a maximum file size up to 15 MB. Increasing the file size increases the client processing and network traffic required to process large files.

To select the operating system images on which the emulation is run, go to Advanced Settings > Download Protection > Emulation Environments, and select one of these options:

• Use Check Point recommended emulation environments

• Use the following emulation environments - Select other images for emulation, that are closest to the operating systems for the computers in your organization. This is supported only if configured from the SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.. For more information, see Managing Endpoint Components in SmartEndpoint Management Console.

Override Default Files Actions

Harmony Endpoint allows you to override the default file action for the supported and unsupported files.

To override the default file actions, navigate to Advanced Settings > Download Protection > Override default file actions (download).

Note - Supported with Chrome and Brave browsers only.

To override the file action for supported files:

1. In the Supported Files section, click Edit.

2. Select the File action and Extraction Mode.

3. Click OK.

To override the file action for unsupported files:

1. In the Unsupported Files section, click Edit.

   1. To add a file type, click and enter the File type.

   2. To edit a file type, select the file type and click .

   3. To delete a file type, select the file type and click .

2. Select the Download action for the file:

   • Default - The action specified in Unsupported Files.

   • Allow

   • Block

3. (Optional) In the Comments field, enter a comment.

4. Click OK.

Credential Protection

This protection includes two components:

Zero Phishing

Phishing prevention checks different characteristics of a website to make sure that a site does not pretend to be a different site and use personal information maliciously.

There are three configuration options for this protection:

• Prevent - If the site is determined to be a phishing site, users cannot access the site. A log is created for each malicious site.

• Detect - When a user uses a malicious site, a log is created.

• Off - Phishing prevention is disabled.

For further configuration of the Zero Phishing Check Point Software Blade on a Security Gateway (R81.20 and higher) that provides real-time phishing prevention based on URLs. Acronym: ZPH. protection, go to Advanced Settings > Credential Protection:

• Allow user to dismiss the phishing alert and access the website - Users can select to use a site that was found to be malicious.

• Send log on each scanned site - Send logs for each site that users visit, whether malicious or not.

• Allow user to abort phishing scans - Users can stop the phishing scan before it is completed.

• Scan local HTML files - By default, the extension in Chromium-based browsers (Chrome, Microsoft Edge, and Brave) cannot access the local HTML files opened by the browser to scan them for phishing attacks. This setting prompts users to grant permission to Chromium-based browsers to access and scan local HTML files on your PC.

  Notes: This feature is not supported with Safari and Internet Explorer browser extensions.

  To grant permission to access and scan the local HTML files:

  1. When a user opens a local HTML file, the Harmony Browse request access to file URLs prompt appears. Click Click to copy.

  2. Paste the copied path in the address bar of the Chrome browser and press Enter.

  3. Scroll down and turn on Allow access to file URLs.

  4. If the HTML file has an input field, Harmony Browse scans the file and blocks it, if identified as phishing.

Password Reuse Protection

Alerts users not to use their corporate password in non-corporate domains.

To set the Password Reuse mode:

1. Go to Policy > Threat Prevention > Policy Capabilities.

2. Select the rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session..

3. In the Capabilities & Exclusions pane, select Web & Files Protection.

4. In the Web & Files Protection tab, scroll-down to Credential Protection.

5. In the Credential Protection section, under Password Reuse, select a mode:

   • Prevent mode - Blocks the user from entering the corporate password and opens the blocking page in a new tab. If you enable Allow users to dismiss the password reuse alert and access the website, then it allows the user to dismiss the blocking page and continue to enter the corporate password.

   • Detect mode - The system does not block the user from entering the corporate password. If a user enters the corporate password, it is captured in the Harmony Browse logs.

   • Off - Turns off password reuse protection.

6. For Advanced Settings, see Credential Protection.

For further configuration options for password reuse protection, go to Advanced Settings > Credential Protection > Password Reuse Protection > Edit > Protected Domains:

Add domains for which Password Reuse Protection is enforced.Harmony Endpoint keeps a cryptographic secure hash of the passwords used in these domains and compares them to passwords entered outside of the protected domains.

Safe Search

Search Reputation

Search Reputation is a feature added to search engines that classifies search results based on URL's reputation.

Notes: It is supported only with Google, Bing, and Yahoo search engines. To enable this feature, ensure that you set URL Filtering Mode to either Prevent or Detect.

To set the Search Reputation mode:

1. Go to Policy > Threat Prevention > Policy Capabilities.

2. Select the rule.

3. In the Capabilities & Exclusions pane, select Web & Files Protection.

4. In the Web & Files Protection tab, scroll-down to Search Reputation section and select a mode:

   • On - Turns on the feature.

   • Off -Turns off the feature.

When you enable this feature, the icon across the URL in the search results indicate the classification:

Icon	Classification
	The website is safe. Example:
	The website is not safe. Example:
	The website is blocked by the Administrator. Example:

Note - If the Search Reputation cannot classify a URL, then it does not display an icon across the URL. If you want such URLs to be classified and blocked, then enable the Uncategorized checkbox in URL Filtering > Categories > General Use. The Search Reputation classifies Uncategorized URLs as The website is blocked by the Administrator.

Force Safe Search

Force Safe Search is a feature in search engines that acts as an automated filter for potentially offensive and inappropriate content.

To set the Force Search Reputation mode:

1. Go to Policy > Threat Prevention > Policy Capabilities.

2. Select the rule.

3. In the Web & Files Protection tab, under Force Safe Search, select a mode:

   • On - Hides explicit content from the search results.

   • Off - User sees the most relevant results for their search, which may include explicit content like images consisting of violence.

Threat Emulation

Files Protection

Protects the files on the file system. This protection has two components:

• Anti-Malware Mode - Protection of your network from all kinds of malware threats, ranging from worms and Trojans to adware and keystroke loggers. Use Anti-Malware A component of the Endpoint Security client that protects against known and unknown viruses, worms, Trojan horses, adware, and keystroke loggers. to manage the detection and treatment of malware on your endpoint computers.

  There are three configuration options for this protection:

  • Prevent - Protects your files from malware threats.

  • Detect - Detects the threats, so they appear in the logs, although the virus or malware are still executable. Use this mode with caution.

  • Off - No protection from malware.

  Notes - Starting from the Endpoint Security Client E83.20, Check Point certified the E2 client version (the Anti-Malware engine is DHS compliant) for Cloud deployments. The E1 Anti-Malware blade can scan these archive file formats: ZIP Z LZIP 7Z RAR ISO CAB JAR BZIP2 GZIP DMG XAR TAR ACE The E2 DHS Anti-Malware blade can scan these archive file formats: ZIP Z 7Z RAR ISO CAB JAR BZIP2 GZIP DMG XAR TAR ACE

• Files Threat Emulation Mode - Emulation of files on the system.

  There are three configuration options for this protection:

  • Prevent - Detects a malicious file, logs the event and deletes the file.

  • Detect - Detects a malicious file and logs the event.

  • Off - Files Threat Emulation mode is off. Does not run the Threat Emulation on the file.

This is supported with Endpoint Security client version E86.80 and higher.

Advanced Settings

Files Protection

To configure the advanced settings for files protection, go to Advanced Settings > Files Protections.

General

• Malware Treatment - The malware treatment options let you select what happens to malware that is detected on a client computer:

  • Quarantine file if cure failed - If Endpoint Security cannot repair the file, it is deleted and put in a secure location from where it can be restored if necessary.

  • Delete file if cure failed - If Endpoint Security cannot repair the file, it is deleted.

• Riskware Treatment - Riskware is a legal software that might be dangerous.

  • Treat as malware - Use the option selected for Malware.

  • Skip file - Do not treat riskware files.

• Threat Cloud Knowledge Sharing - To share infected information, statistics and infected file samples with Check Point for analysis, select any of these:

  • Allow sending infection info and statistics to Check Point servers for analysis

  • Allow sending infected file samples to Check Point servers for analysis

  Note - This is supported only with a DHS compliant Harmony Endpoint Security client.

• Scan On Access:

  • Detect unusual activity - Use behavior detection methods to protect computers from new threats whose information were not added to the databases yet. It does not monitor trusted processes.

  • Enable reputation service for files, web resources & processes - Use cloud technologies to improve precision of scanning and monitoring functions. If you enable or disable this setting, it takes affect after the client computer restarts.

  • Connection timeout - Change the maximum time to get a response from Reputation Services (in milliseconds). Default is 600.

    Note - If you decrease this value, it can improve the performance of the Anti-Malware component but reduces security, as clients might not get a reputation status that shows an item to be zero-day malware.

  • Enable web protection - Prevents access to suspicious sites and execution of malicious scripts Scans files, and packed executables transferred over HTTP, and alerts users if malicious content is found.

• Mail Protection - Enable or disable scans of email messages when they are passed as files across the file system.

Signature

• Frequency

  Anti-Malware gets malware signature updates at regular intervals to make sure that it can scan for the newest threats. These actions define the frequency of the signature updates and the source:

  • Update signatures every [x] hours - Signature updates occur every [x] hours from the Endpoint Policy Server Endpoint Policy Server improves performance in large environments by managing most communication with the Endpoint Security clients. Managing the Endpoint Security client communication decreases the load on the Endpoint Security Management Server, and reduces the bandwidth required between sites. The Endpoint Policy Server handles heartbeat and synchronization requests, Policy downloads, Anti-Malware updates, and Endpoint Security client logs. and the External Check Point Signature Server.

  • Signature update will fail after [x] seconds without server response - The connection timeout, after which the update source is considered unavailable.

• Signature Sources

  • External Check point Signature Server - Get updates from a dedicated, external Check Point server through the internet.

  • Local Endpoint Servers - Get updates from the Endpoint Security Management Server A Security Management Server that manages your Endpoint Security environment. Includes the Endpoint Security policy management and databases. It communicates with endpoint clients to update their components, policies, and protection data. or configured Endpoint Policy Server.

  • Other External Source - Get updates from an external source through the internet. Enter the URL.

• Shared signature source - Get updates from a shared location on an Endpoint Security client that acts as a Shared Signature Server. This solution is curated for Virtual Desktop Infrastructure (VDI) environments, but can be leveraged for other scenarios as well. This makes it possible to protect non-persistent virtual desktops in Virtual Desktop Infrastructure (VDI) environments. Each non-persistent virtual desktop runs an Endpoint Security, and gets Anti-Malware and Threat Prevention signatures from a shared folder on the Shared Signature Server that is a persistent virtual machine.

  • Second Priority - Set a fallback update source to use if the selected update source fails. Select a different option than the first signature source.

  • Third Priority - Set a fallback update source to use if the other sources fail.

  Note - If only update from local Endpoint Servers is selected, clients that are disconnected from an Endpoint Security server cannot get updates.

• Shared Signature Server - To set the server as a Shared Signature Server, select the Set as shared signature server checkbox and enter the local path of the folder. For example, C:\Signatures. For more information, see Shared Signatures Server.

Scan

Anti-Malware scans computers for malware at regular intervals to make sure that suspicious files are treated, quarantined, or deleted.

• Perform Periodic Scan - Select one of these options to define the frequency of the scans:

  • Every Month- Select the day of the month on which the scan takes place and the Scan start hour.

  • Every Week - Select the day of the week on which the scan takes place and the Scan start hour.

  • Every Day - Select the scan start hour.

  Optional :

  • Randomize scan time - Mandatory for Virtual Desktop Infrastructure (VDI). Select this option to make sure that not all computers do a scan for malware at the same time. This makes sure that network performance is not affected by many simultaneous scans. In Start scan and End scan, specify the time range during which the scan can start and end.

  • Run initial scan after the Anti-Malware blades installation.

  • Allow user to cancel scan.

  • Prohibit cancel scan if more than days passed since last successful scan.

• Scan Targets - Select the target for the Anti-Malware scan:

  • Critical areas

  • Optical drives

  • Local drives

  • Mail messages

  • Removable drives

  • Unrecognized devices

  • Network devices

  Note - Critical areas and Mail messages are not supported for macOS and with the DHS compliant Anti-Malware blade.

• Scan Target Exclusions - Select the checkboxes to skip scanning of certain files.

  • Skip archives and non executables - Skips scanning of archive file formats (for example, .zip, 7zip, tar.gz, rar, and so on) and non-executable files (files without the execute permission).

    Note - Skip archives and non executables are not supported with the DHS compliant Anti-Malware blade.

  • Do not scan files larger than - Specify the file size limit. If the file size is larger than the specified limit, then the system skips scanning the file. The default file size limit is 20 MB.

    Note - The maximum supported file size for the Anti-Malware scan depends on the endpoint's system specifications, such as CPU, RAM and so on.

Browser Settings

Starting from the Harmony Endpoint Security client E87.10, the extension is pinned to the browser by default for users.

Note - You can unpin the extension only on Chromium browsers, such as Chrome, Edge and Brave. You cannot unpin an extension in Firefox.

To allow users to unpin the browser extension, clear Always pin the browser extension to the tool bar under Pin Extension.