Configuring Advanced Threat Emulation Settings - Autonomous Threat Prevention
Updating Threat Emulation
Threat Emulation (TE), the Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious, connects to the ThreatCloud to update the engine and the operating system images. ThreatCloud is the cyber intelligence center of all Check Point products; it is dynamically updated based on a global network of threat sensors and invites organizations to share threat data and collaborate in the fight against modern malware. The default setting for the Threat Emulation appliance is to automatically update the engine and images.
The default setting is to download the package once a day.
Best Practice - Configure Threat Emulation to download the package when there is low network activity.
Update packages for the Threat Emulation operating system images are usually more than 2GB. The actual size of the update package is related to your configuration.

In SmartConsole (the Check Point GUI application used to manage a Check Point environment: configuring Security Policies, configuring devices, monitoring products and events, installing updates, and so on), go to Security Policies > Threat Prevention > Autonomous Policy > Autonomous Policy Tools.
| Step | Instructions |
|---|---|
| 1 | Go to Updates. The Updates page opens. |
| 2 | Under Threat Emulation, click Schedule Update. |
| 3 | Select or clear these settings: |
| 4 | To configure the schedule for Threat Emulation engine or image updates, click Configure. |
| 5 | Configure the automatic update settings to update the database: |
| 6 | Click OK, and install the Threat Prevention policy. |

Updating Threat Emulation Images Manually
Update packages for the Threat Emulation operating system images are usually more than several Gigabytes. The actual size of the update package is related to your configuration.
The default setting is to download the package once a week on Sunday. If Sunday is a work day, we recommend that you change the update setting to a non-work day.

In SmartConsole, go to Security Policies > Threat Prevention > Autonomous Policy > Autonomous Policy Tools.
| Step | Instructions |
|---|---|
| 1 | Go to Updates. The Updates page opens. |
| 2 | Under Threat Emulation, click Update Images. |
| 3 | Select a gateway. Click OK. |
| 4 | Install the Threat Prevention policy. |

Fine-Tuning the Threat Emulation Appliance
You can change the advanced settings on the Threat Emulation appliance to fine-tune Threat Emulation for your deployment.
Configuring the Emulation Limits
To prevent too many files from waiting for emulation, configure these emulation limit settings:
- Maximum file size (up to 100,000 KB)
- Maximum time that the Software Blade does emulation (a Software Blade is a specific security solution, or module: on a Security Gateway, each Software Blade inspects specific characteristics of the traffic; on a Management Server, each Software Blade enables different management capabilities)
- Maximum time that a file waits for emulation in the queue (for Threat Emulation appliance only)

If emulation is not done on a file for one of these reasons, the Fail Mode settings for Threat Prevention define if a file is allowed or blocked:
- Allow all connections (Fail-open) - All connections are allowed in a situation of engine overload or failure (default).
- Block all connections (Fail-close) - All connections are blocked in a situation of engine overload or failure.

| Step | Instructions |
|---|---|
| 1 | In SmartConsole, go to Manage & Settings > Blades > Threat Prevention > Advanced Settings. The Threat Prevention Engine Settings window opens. |
| 2 | Go to Threat Emulation tab > Emulation Limits. |
| 3 | Configure the Maximum file size for emulation and the Maximum file time in queue. |
| 4 | From When limit is exceeded traffic is accepted with track, select the action if a file is not sent for emulation: |
| 5 | Click OK, and then install the policy. |

Changing the Size of the Local Cache
When a Threat Emulation analysis finds that a file is clean, the file hash is saved in a cache. Before Threat Emulation sends a new file to emulation, it compares the new file to the cache. If there is a match, it is not necessary to send it for additional emulation. Threat Emulation uses the cache to help optimize network performance. We recommend that you do not change this setting.

| Step | Instructions |
|---|---|
| 1 | In SmartConsole, select Manage & Settings > Blades > Threat Prevention > Advanced Settings. The Threat Prevention Engine Settings window opens. |
| 2 | Go to the Threat Emulation tab > Advanced Settings. |
| 3 | In Number of file hashes to save in local cache, configure the number of file hashes that are stored in the cache. |
| 4 | Click OK, and install the policy. |
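
The decision flow described under Configuring the Emulation Limits and Changing the Size of the Local Cache, as an added conceptual model that is not Check Point code. The class and method names, SHA-256 as the hash, least-recently-used eviction, the order of the checks, the default queue time and cache size, and the stand-in sandbox verdict are all assumptions made for illustration; only the 100,000 KB ceiling and the fail-open default come from the page.

```python
import hashlib
from collections import OrderedDict

class EmulationGate:
    """Hypothetical model of the limits, fail mode and clean-hash cache."""

    def __init__(self, max_file_kb=100_000, max_queue_secs=60,
                 cache_size=1000, fail_open=True):
        self.max_file_kb = max_file_kb        # page: up to 100,000 KB
        self.max_queue_secs = max_queue_secs  # constructed default
        self.cache_size = cache_size          # constructed default
        self.fail_open = fail_open            # page: fail-open is the default
        self.clean = OrderedDict()            # hashes of files found clean

    def _sandbox(self, data):
        # Stand-in for emulation: a constructed marker means "malicious".
        return b"EVIL" not in data

    def _fail_mode(self, reason):
        # The file was NOT emulated; the fail mode alone decides its fate.
        return ("allow" if self.fail_open else "block", reason)

    def handle(self, data, waited_secs=0):
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.clean:              # known-clean file: skip emulation
            self.clean.move_to_end(digest)
            return ("allow", "cache-hit")
        if len(data) > self.max_file_kb * 1024:
            return self._fail_mode("size-limit")
        if waited_secs > self.max_queue_secs:
            return self._fail_mode("queue-timeout")
        if not self._sandbox(data):
            return ("block", "emulated-malicious")
        self.clean[digest] = True             # only clean verdicts are cached
        if len(self.clean) > self.cache_size:
            self.clean.popitem(last=False)    # evict least recently used hash
        return ("allow", "emulated-clean")

def demo(fail_open):
    # Constructed inputs; a 1 KB limit keeps the oversize sample small.
    gate = EmulationGate(max_file_kb=1, fail_open=fail_open)
    return [gate.handle(b"report-v1"),
            gate.handle(b"report-v1"),
            gate.handle(b"A" * 2048),
            gate.handle(b"invoice", waited_secs=120),
            gate.handle(b"EVIL macro")]

if __name__ == "__main__":
    for mode in (True, False):
        print("fail-open" if mode else "fail-close", demo(mode))
```

Comparing the two runs shows which verdicts depend on the Fail Mode setting: with fail-open, the oversize and timed-out files are allowed without ever being emulated, which is why those events are worth tracking in logs.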