Advanced Threat Prevention Engine Settings

In the Threat Prevention > Threat Prevention Engine Settings page you can configure advanced configuration settings for the Anti-Virus, Anti-Bot, Threat Emulation, and IPS engines.

Note - Many of the configurations below are advanced and should only be used by experienced administrators.


IPS

Configure the settings for newly downloaded protections:

  • Active

  • Detect

  • Inactive

To configure the IPS engine to bypass mode when the appliance is under heavy load:

  1. Select the Bypass under load checkbox to activate the feature.

  2. Click Configure to select the thresholds upon which IPS engine toggles between bypass and inspection modes. Follow the instructions in the window that opens and click Apply.

    Thresholds are configured for CPU Usage and Memory Usage. Each has a high watermark and a low watermark. Bypass starts when the high watermark is exceeded, and the IPS engine resumes inspection only when the load drops below the low watermark. In this way, when the appliance is under load, the IPS engine does not toggle between modes too frequently.

  3. In Bypass under load tracking, to configure tracking options for this feature, select what type of log to issue.
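The two-watermark behavior described in step 2, as an added illustration that is not Check Point code: a small state machine that enters bypass above the high watermark and returns to inspection below the low watermark, run over a constructed load series and compared against a single-threshold variant to show the flapping the watermarks prevent. The threshold values, the samples, and the rule for combining CPU and memory (bypass if either is high, resume only when both are low) are assumptions made for the example.

```python
# Illustration of the IPS "Bypass under load" watermark logic described above;
# added example, not Check Point code. Thresholds, samples and the CPU/memory
# combination rule are constructed assumptions.
INSPECT = "inspect"
BYPASS = "bypass"


def next_mode(mode, cpu, mem, high, low):
    """Return the IPS mode after one load sample.
    Enter bypass when either resource exceeds its high watermark; return to
    inspection only when both have dropped below their low watermarks
    (combination rule assumed for this illustration).
    """
    if mode == INSPECT and (cpu > high["cpu"] or mem > high["mem"]):
        return BYPASS
    if mode == BYPASS and cpu < low["cpu"] and mem < low["mem"]:
        return INSPECT
    return mode


def run(samples, high, low):
    """Feed (cpu%, mem%) samples through the state machine.
    Returns (final_mode, transitions, log); the log stands in for the
    "Bypass under load tracking" option, one entry per mode change.
    """
    mode, transitions, log = INSPECT, 0, []
    for i, (cpu, mem) in enumerate(samples):
        new = next_mode(mode, cpu, mem, high, low)
        if new != mode:
            transitions += 1
            log.append(f"sample {i}: cpu={cpu}% mem={mem}% -> IPS {new}")
            mode = new
    return mode, transitions, log


# Constructed load series: CPU oscillates around 80%, memory steady at 50%.
SAMPLES = [(70, 50), (85, 50), (78, 50), (82, 50), (79, 50), (83, 50), (60, 50), (55, 50)]
HIGH = {"cpu": 80, "mem": 80}  # assumed high watermarks
LOW = {"cpu": 60, "mem": 60}   # assumed low watermarks


def hysteresis_transitions():
    return run(SAMPLES, HIGH, LOW)[1]


def single_threshold_transitions():
    # Same series with low == high: no hysteresis, so the engine flaps.
    return run(SAMPLES, HIGH, HIGH)[1]
```

With the watermarks the engine changes mode twice over the series; with a single threshold it changes mode six times, which is the churn the high/low pair is there to avoid.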

To enable Detect-only mode:

Click the checkbox.

To import IPS protections:

Click the link.


Anti-Virus

To configure the Anti-Virus settings:

  1. Select one of the protected scope options:

    • Scan both incoming and outgoing files - Files that originate from outside the organization and from within the organization to the Internet are inspected.

  2. Select the protocols to scan for the selected scope:

    • HTTP (on any port)

    • Mail (SMTP, POP3 and IMAP)

    • FTP

    SSL traffic inspection must be activated to scan HTTP and IMAP encrypted traffic. To activate, click the link or go to Access Policy > SSL Inspection Policy.

  3. Select one of the file type policy options:

    • Process file types known to contain malware

    • Process all file types

    • Process specific file type families - Click Configure for a list of file types and set prescribed actions to take place when these files pass through the Anti-Virus engine. To edit an action for a specified file type, right-click the row and click Edit.

  4. You can set policy overrides to override the general policy setting defined on the Threat Prevention Blade Control page. For each of the below protection type options, you can set the applicable override action: Ask, Prevent, Detect, Inactive, or According to policy (no override). See the Threat Prevention > Threat Prevention Blade Control page for a description of the action types.

    • URLs with malware - Protections related to URLs that are used for malware distribution and malware infection servers.

    • Viruses - Real-time protection from the latest malware and viruses by examining each file against the Check Point ThreatCloud database.

To enable Detect-only mode:

Click the checkbox.


Anti-Bot

You can set policy overrides to override the general policy settings defined on the Threat Prevention Blade Control page. For each of the below protection type options, you can set the applicable override action: Ask, Prevent, Detect, Inactive, or According to policy (no override). See the Threat Prevention > Threat Prevention Blade Control page for a description of the action types.

  • Malicious activity - Protections related to the unique communication patterns of specified botnet and malware families.

  • Reputation domains - Protections related to Command & Control (C&C) servers. Each host is checked against the Check Point ThreatCloud reputation database.

  • Reputation IPs - Protections related to Command & Control (C&C) servers. Each IP is checked against the Check Point ThreatCloud reputation database.

  • Reputation URLs - Protections related to Command & Control (C&C) servers. Each URL is checked against the Check Point ThreatCloud reputation database.

  • Unusual activity - Protections related to the behavioral patterns common to botnet and malware activity.

To enable Detect-only mode:

Click the checkbox.


Threat Emulation

To configure the Threat Emulation settings:

  1. Select one of the protected scope options:

    • Scan both incoming and outgoing files - Files that originate from outside the organization and from within the organization to the Internet are inspected.

  2. Select the protocols to scan for the selected scope:

    • HTTP (on any port)

    • Mail (SMTP, POP3 and IMAP)

      SSL traffic inspection must be activated to scan HTTP and IMAP encrypted traffic. To activate, click the link or go to Access Policy > SSL Inspection Policy.

  3. For file type policy:

    • Process specific file type families - Click Configure for a list of file types and set prescribed actions to take place when these files pass through the Threat Emulation engine.

      To edit an action for a specified file type, right-click the row and click Edit. You can also click the file type so it is selected and then click Edit.

  4. Select the HTTP connection emulation handling mode:

    • Background - Connections are allowed until emulation is complete.

    • Hold - Connections are blocked until emulation is complete.

In Threat Emulation, each file is run in the Check Point Public ThreatCloud to see if the file is malicious. The verdict is returned to the gateway.

You can change the emulator location to a local private SandBlast appliance in the Advanced Settings page.

You must first enable the Threat Emulation blade and then configure it for remote emulation.

To enable the Remote Private Cloud Threat Emulation emulator:

  1. Go to Device > Advanced Settings.

  2. Search for Threat Prevention Threat Emulation policy - Emulation location.

  3. Select Emulation is done on remote (private) SandBlast.

  4. Add or update the emulator IP address.

  5. Click Apply.

To disable the Remote Private Cloud Threat Emulation emulator:

  1. Go to Device > Advanced Settings.

  2. Search for Threat Prevention Threat Emulation policy - Emulation location.

  3. Select Emulation is done on Public ThreatCloud.

  4. Click Apply.

To configure multiple remote emulators, you must use CLI commands.

For more information on Threat Emulation, see the Threat Emulation video on the Small Business Security video channel.

To enable Detect-only mode:

Click the checkbox.


User Messages

You can customize messages for protection types set with the Ask action. When traffic is matched for a protection type that is set to Ask, the user's internet browser shows the message in a new window.

These are the Ask options and their related notifications:

  • Ask

    Anti-Virus Notification - Shows a message to users and asks them if they want to continue to access a site or download a file that was classified as malicious.

    Anti-Bot Notification - Shows a message to users and notifies them that their computer is trying to access a malicious server.

  • Block

    Anti-Virus Notification - Shows a message to users and blocks the site.

    Anti-Bot Notification - Anti-Bot blocks background processes. If a specified operation from a browser to a malicious server is blocked, a message is shown to the user.

To customize messages:

  1. Click Customize Anti-Virus user message or Customize Anti-Bot user message.

  2. Configure the options in each of these tabs:

    • Ask

    • Block

  3. Configure the applicable fields for the notifications:

    • Title - Keep the default or enter a different title.

    • Subject - Keep the default or enter a different subject.

    • Body - Keep the default or enter different body text. You can click Optional keywords for a list of keywords that you can add in the body text to give the user more information.

    • Ignore text (only for Ask) - If the user decides to ignore the message, this is the text that is shown next to the checkbox. Keep the default text or enter different text.

    • User must enter a reason (only for Ask) - Select this checkbox if users must enter an explanation for their activity. The user message contains a text box to enter the reason.

    • Fallback action (only for Ask) - Select an alternative action (Block or Accept) for when the notification cannot be shown in the browser or application that caused the notification, most notably in non-web applications.

      • If the Fallback action is Accept - The user can access the website or application.

      • If the Fallback action is Block - The website or application is blocked, and the user does not see a notification.

    • Frequency - You can set the number of times that the Anti-Virus, Anti-Bot, or Threat Emulation Ask user message is shown.

      • Once a day

      • Once a week

    • You can redirect the user to an external portal that is not on the gateway. In the URL field, enter the URL of the external portal. The external portal can be an external system that collects authentication credentials from the user, such as a user name and password, and sends them to the gateway.

  4. Click the Customize tab to customize a logo for all portals shown by the appliance (Hotspot and captive portal used by User Awareness). Click Upload, browse to the logo file and click Apply. If necessary, you can revert to the default logo by clicking Use Default.

  5. Click Apply.