Threat Prevention Engine Settings - Autonomous Threat Prevention
This section explains how to configure advanced Threat Prevention settings that are in the Engine Settings window, including: inspection engines, the Check Point Online Web Service (ThreatCloud
The cyber intelligence center of all of Check Point products. Dynamically updated based on an innovative global network of threat sensors and invites organizations to share threat data and collaborate in the fight against modern malware. repository), internal email whitelist, file type support for Threat Extraction Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX. and Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE. and more.
To get to the Engine Settings window, go to Manage & Settings > Blades > Threat Prevention > Advanced Settings.
The Threat Prevention Engine Settings window opens.
Fail Mode
Select the behavior of the ThreatSpect engine if it is overloaded or fails during inspection. For example, if the Anti-Bot Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT. inspection is terminated in the middle because of an internal failure. By default, in such a situation all traffic is allowed.
-
Allow all connections (Fail-open) - All connections are allowed in a situation of engine overload or failure (default).
-
Block all connections (Fail-close) - All connections are blocked in a situation of engine overload or failure.
By default, all Security Gateways that are controlled by a single Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server., act the same according to t fail mode configuration of the Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..
Starting from R81.20, you can control the fail mode configuration for each individual Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. by using the malware_config file.
Valid Values
|
Value |
Description |
|---|---|
|
by_policy |
This is the default value. Fail mode is determined by the policy. |
|
open |
All connections to the specific Security Gateway are allowed in a situation of engine overload or failure. |
|
close |
All connections to the specific Security Gateway are blocked in a situation of engine overload or failure. |
To set fail mode on a specific Security Gateway:
-
Connect to the command line on the Security Gateway.
-
Log in to the Expert mode.
-
Backup the current
$FWDIR/conf/malware_configfile:[Expert@HostName]# cp $FWDIR/conf/malware_config $FWDIR/conf/malware_config_ORIGINAL -
Set the required fali mode for the specific Security Gateway:
To set the fail mode to be controlled by the policy, run:
[Expert@HostName]# sed -ie 's/^fail_close=.*$/fail_close=by_policy/' $FWDIR/conf/malware_configTo set the fail mode to "open", run:
[Expert@HostName]# sed -ie 's/^fail_close=.*$/fail_close=open/' $FWDIR/conf/malware_configTo set fail mode to "close", run:
[Expert@HostName]# sed -ie 's/^fail_close=.*$/fail_close=close/' $FWDIR/conf/malware_config
Check Point Online Web Service
The Check Point Online Web Service is used by the ThreatSpect engine for updated resource categorization. The responses the Security Gateway gets are cached locally to optimize performance. Access to the cloud is required if the response is not cached. Resource classification mode determines if the connection is allowed or suspended while the Security Gateway queries the Check Point Online Web Service.
-
Block connections when the web service is unavailable:
-
When selected, connections are blocked when there is no connectivity to the Check Point Online Web Service.
-
When cleared, connections are allowed when there is no connectivity (default).
-
-
These settings are relevant for Anti-Virus
Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV., Anti-Bot Malicious software that neutralizes Anti-Virus defenses, connects to a Command and Control center for instructions from cyber criminals, and carries out the instructions. and Zero Phishing Check Point Software Blade on a Security Gateway (R81.20 and higher) that provides real-time phishing prevention based on URLs. Acronym: ZPH..-
Background - connections are allowed until categorization is complete - When a connection cannot be categorized with a cached response, an uncategorized response is received. The connection is allowed, and in the background, the Check Point Online Web Service continues the categorization procedure. After the classification is complete, a "Detect
UserCheck rule action that allows traffic and files to enter the internal network and logs them." log is generated. The log includes this description: "Connection was allowed because background classification mode was set". The response is cached locally for future requests (default).
This option reduces latency in the categorization process. -
Hold - connections are blocked until categorization is complete - When a connection cannot be categorized with the cached responses, it remains blocked until the Check Point Online Web Service completes categorization.
-
Custom - configure different settings depending on the service - Lets you set different modes for Anti-Virus, Anti-Bot and Zero Phishing. For example, click Customize to set Anti-Bot to Hold mode and Anti-Virus and Zero Phishing to Background mode.
If you change Background mode to Hold mode, the Security Gateway holds the file and does not send it to the client browser. The Browser shows the file as still being downloaded, but the download is stuck at some point. The Security Gateway continues the download only after the scan is complete or if a timeout occurred at the Security Gateway. If the file is malicious, the Security Gateway stops sending the file.
Note - If the "Prevent
UserCheck rule action that blocks traffic and files and can show a UserCheck message." action is used in the Threat Prevention policy, then a file that Threat Emulation identified as malware in the past, is blocked. The file will not be sent to the destination even in the "Background" mode. -
Connection Unification
Gateway traffic generates a large amount of activity. To make sure that the amount of logs is manageable, by default, logs are consolidated by session. A session is a period that starts when a user first accesses an application or a site. During a session, the gateway records one log for each application or site that a user accesses. All activity that the user does within the session is included in the log. For connections that are allowed or blocked the Anti-Bot, Threat Emulation, and Anti-Virus, the default session is 10 hours (600 minutes).
To adjust the length of a session
|
Step |
Instructions |
|---|---|
|
1 |
Go to Manage & Settings > Blades > Threat Prevention > Advanced Settings > General > Connection Unification > Session unification timeout (minutes). |
|
2 |
Enter the required value. |
|
3 |
Click OK. |
Configuring Anti-Bot Whitelist
The Suspicious Mail engine scans outgoing emails. You can create a list of email addresses or domains whose internal emails are not inspected by Anti-Bot.
To add an email address or domain whose internal emails are not scanned by Anti-Bot
|
Step |
Instructions |
|---|---|
|
1 |
Go to the Manage & Settings > Blades > Threat Prevention > Advanced Settings > Anti-Bot. |
|
2 |
Click the + sign. |
In this window, you can also edit or remove the entries in the list.
File Type Support for Threat Emulation and Threat Extraction
File Type Support for Threat Emulation and Threat Extraction in Autonomous Threat Prevention is not configured in Engine Settings. To configure file type support settings for Autonomous Threat Prevention, go to Security Policies Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. > Autonomous Policy > File Protections.