Configuring Anti-Virus Settings

You can configure Threat Prevention to exclude files from inspection, such as internal emails and internal file transfers.

These settings are based on the interface type (internal or external, as defined in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.) and traffic direction (incoming or outgoing).

Before you define the scope for Threat Prevention, you must make sure that your DMZ interfaces are configured correctly.

To check DMZ interface configuration

Perform this procedure for each interface that goes to the DMZ.

Step	Instructions
1	In SmartConsole, click Gateways & Servers and double-click the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object. The Security Gateway properties window opens and shows the General Properties page.
2	From the navigation tree, click Network Management and then double-click a DMZ interface.
3	In the General page of the Interface window, click Modify.
4	In the Topology Settings window, click Override and Interface leads to DMZ.
5	Click OK and close the Security Gateway editor. Perform this procedure for each interface that goes to the DMZ.

In a Threat Prevention profile, you can configure these settings in the Anti-Virus page

UserCheck Settings:
- Prevent - Select the UserCheck Functionality in your Security Gateway or Cluster and endpoint clients that gives users a warning when there is a potential risk of data loss or security violation. This helps users to prevent security incidents and to learn about the organizational security policy. message that opens for a Prevent action.
- Ask - Select the UserCheck message that opens for an Ask action.
Protected Scope:
- Inspect incoming files from:
  
  Sends only incoming files from the specified interface type for inspection. Outgoing files are not inspected. Select an interface type from the list:
  - External - Inspect incoming files from external interfaces. Files from the DMZ and internal interfaces are not inspected.
  - External and DMZ - Inspect incoming files from external and DMZ interfaces. Files from internal interfaces are not inspected.
  - All - Inspect all incoming files from all interface types.
- Inspect incoming and outgoing files - Sends all incoming and outgoing files for inspection.
Protocol:
- Web (HTTP/HTTPS))
- FTP
- SMB
- Mail (SMTP) - Click Mail to configure the SMTP traffic inspection. This opens the Mail page of the Profile settings (see Configuring Mail Settings).

File Types:

Process file types known to contain malware - Select this option to scan the files defined by default. To see the default list of files, go to Process specific file type families, and click Configure.
Process all file types -Select Enable deep inspection scanning (impacts performance), if needed.

Process specific file types families

To configure the specific file type families:

Step	Instructions
1	Click Configure.
2	In the File Types Configuration window, for each file type, select the Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV. action for the file type.
3	Click OK to close the File Types Configuration window.

Archives:

You can select Enable Archive scanning (impacts performance). See Enabling Archive Scanning.

Enabling Archive Scanning

You can configure the Anti-Virus settings to enable archive scanning. The Anti-Virus engine unpacks archives and applies proactive heuristics. The use of this feature impacts network performance.

Select Enable Archive scanning (impacts performance) and click Configure:

Setting	Description
Stop processing archive after (seconds)	Sets the amount in seconds to stop processing the archive. The default is 30 seconds.
When maximum time is exceeded (action on file)	Sets to block or allow the file when the time for processing the archive is exceeded. The default setting is Allow.

Additionally Supported Protocols for Anti-Virus

In addition to HTTP, FTP, SMB and SMTP protocols, which you can select in the SmartConsole GUI, the Anti-Virus Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. also supports the IMAP and POP3 protocols.

Procedure to activate Anti-Virus inspection for IMAP and POP3 protocols

Step	Instructions
1	Connect to the command line on your Security Gateway.
2	Log in to the Expert mode.
3	Back up the `$FWDIR/conf/malware_config` file: `cp -v $FWDIR/conf/malware_config{,_BKP}`
4	Edit the `$FWDIR/conf/malware_config` file: `vi $FWDIR/conf/malware_config`
5	Change the value of the applicable parameter: To activate IMAP protocol support: In the "`[imap]`" section, change the value of the parameter "`imap_av_policy_on`" from "`0`" to "`1`". To activate POP3 protocol support: In the "`[temp_for_av_profile]`" section, change the value of the parameter "`pop3_enabled`" from "`0`" to "`1`".
6	Save the changes in the file and exit the editor.
7	In SmartConsole, install Threat Prevention Policy.