Configuring Threat Prevention Blade Control

In the Threat Prevention > Threat Prevention Blade Control page you can activate:

  • Intrusion Prevention System (IPS). Blocks potentially malicious attempts to exploit known vulnerabilities in files and network protocols.

  • Anti-Virus. Blocks files that are infected with viruses.

  • Anti-Bot. Detects bots, prevents communication between the bot and its Command & Control center, and gives threat visibility. A bot is malicious software that runs on an infected device and takes instructions from a Command & Control server, which can use the device to carry out attacks (for example, sending spam or launching Denial-of-Service attacks against web sites). There are many infection methods, for example opening an attachment that exploits a vulnerability, or visiting a web site that results in a malicious download.

  • Threat Emulation. Protects the network against unknown threats in files that are downloaded from the Internet or attached to emails. During emulation, the file is opened on several virtual computers with different operating system environments, and these virtual computers are closely monitored for unusual and malicious behavior. Any malicious behavior is logged immediately, and in Prevent mode the file is blocked from reaching the internal network. Information about malicious files is shared with Check Point ThreatCloud.

You configure all the settings for these blades in the same place and set a single profile for all of them.

To turn a blade on or off:

Move the slider.

Note - When the blade is managed by Cloud Services, a lock icon is shown. You cannot toggle between the on and off states. If you change other policy settings, the change is temporary. Any changes made locally are overridden in the next synchronization between the gateway and Cloud Services.

The update status is displayed next to each blade:

  • Up to date

  • Update available

  • Update service unreachable

On the Threat Prevention Engine Settings page you can set the blades to prevent attacks and infections, or to detect-only mode, which logs matching traffic without blocking it. A warning message shows if a blade is in detect-only mode.

The top of the page shows the number of infected devices. For more information, click More details.

One policy is configured for all the blades:

  • Strict - Focuses on security.

  • Recommended - The default option, which gives the best mixture of security and performance for small and medium-sized businesses.

    Note - The performance impact rating of the "Suspicious Mail Activity" protection in Anti-Bot was changed to High, and the protection is now off by default. To enable it, you must configure it in a custom policy.

  • Custom - Manually defined by the user.

To create a custom policy for Threat Prevention:

  1. In the Threat Prevention Blade Control page, under Policy, select Custom.

  2. For Tracking options, select one of these options:

    • None – Do not log.

    • Log – Create a log.

    • Alert – Log with an alert.

  3. Under Protection Activation, for each confidence level (High confidence, Medium confidence, and Low confidence), select the applicable action from the list:

    • Ask - Traffic is blocked until the user confirms it is allowed.

    • Prevent - Blocks identified virus or bot traffic, or identified malicious files, from passing through the gateway.

    • Detect - Allows identified virus or bot traffic, or identified malicious files, to pass through the gateway. This traffic is detected and logged.

    • Inactive - The protection is deactivated.

  4. For Severity, select the minimum severity a protection must have to be activated:

    • Low or above

    • Medium or above

    • High or above

    • Critical

  5. For Performance impact, select the highest performance impact a protection may have and still be activated:

    • Low

    • Medium or lower

    • High or lower

  6. To load the policy default values, click Load default settings:

    • Recommended

    • Strict

  7. To save all settings on the Threat Prevention Blade Control page, click Apply.
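The following Python model shows how the custom policy settings above (Protection Activation per confidence level, the Severity threshold, and the Performance impact threshold) combine to decide what happens to an individual protection, and why the High-impact "Suspicious Mail Activity" protection ends up inactive under a policy that allows "Medium or lower" impact. It is an added illustration, not Check Point code or the appliance's actual engine: it assumes that a protection is activated only when its severity meets the configured minimum and its performance impact does not exceed the allowed level, and that the action for an activated protection comes from the per-confidence-level table. The preset values in PRESETS and the sample protections are assumptions constructed for the example; the real defaults are whatever Load default settings writes on your appliance.

```python
"""Model of how a custom Threat Prevention policy decides the action for a
protection. Added illustration, not Check Point code: the activation rule
(severity >= minimum AND performance impact <= allowed, then action by
confidence) and the PRESETS values are assumptions for this example."""
from __future__ import annotations

from dataclasses import dataclass

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
IMPACT_RANK = {"Low": 0, "Medium": 1, "High": 2}
CONFIDENCE_LEVELS = ("High", "Medium", "Low")
ACTIONS = ("Ask", "Prevent", "Detect", "Inactive")
TRACKING = ("None", "Log", "Alert")


@dataclass(frozen=True)
class Protection:
    name: str
    severity: str    # Low / Medium / High / Critical
    confidence: str  # High / Medium / Low
    impact: str      # performance impact: Low / Medium / High


@dataclass(frozen=True)
class CustomPolicy:
    min_severity: str  # "Low or above" -> "Low", ..., "Critical" -> "Critical"
    max_impact: str    # "Low" / "Medium or lower" -> "Medium" / "High or lower" -> "High"
    action_by_confidence: dict[str, str]  # e.g. {"High": "Prevent", "Medium": "Prevent", "Low": "Detect"}
    tracking: str = "Log"

    def __post_init__(self) -> None:
        # Reject values the WebUI would not offer, so a typo cannot silently
        # weaken the policy (e.g. an unknown action treated as "allow").
        if self.min_severity not in SEVERITY_RANK:
            raise ValueError(f"bad severity threshold: {self.min_severity}")
        if self.max_impact not in IMPACT_RANK:
            raise ValueError(f"bad performance impact threshold: {self.max_impact}")
        if self.tracking not in TRACKING:
            raise ValueError(f"bad tracking option: {self.tracking}")
        for level in CONFIDENCE_LEVELS:
            if self.action_by_confidence.get(level) not in ACTIONS:
                raise ValueError(f"missing or bad action for {level} confidence")

    def action_for(self, p: Protection) -> str:
        """Return Ask / Prevent / Detect / Inactive for one protection."""
        if SEVERITY_RANK[p.severity] < SEVERITY_RANK[self.min_severity]:
            return "Inactive"  # below the severity threshold
        if IMPACT_RANK[p.impact] > IMPACT_RANK[self.max_impact]:
            return "Inactive"  # costs more than the allowed performance impact
        return self.action_by_confidence[p.confidence]

    def evaluate(self, protections: list[Protection]) -> dict[str, str]:
        """Map each protection name to the action this policy gives it."""
        return {p.name: self.action_for(p) for p in protections}


# Assumed presets standing in for "Load default settings" (not the appliance's
# real values): Strict activates everything and prevents on any confidence;
# Recommended excludes High-impact protections and only detects on Low confidence.
PRESETS = {
    "Strict": CustomPolicy("Low", "High",
                           {"High": "Prevent", "Medium": "Prevent", "Low": "Prevent"}),
    "Recommended": CustomPolicy("Medium", "Medium",
                                {"High": "Prevent", "Medium": "Prevent", "Low": "Detect"}),
}

# Constructed sample protections (hypothetical names and ratings). The last one
# mirrors the note above: an Anti-Bot protection rated High performance impact.
SAMPLE_PROTECTIONS = [
    Protection("Exploit of known HTTP parser bug", "Critical", "High", "Low"),
    Protection("Bot C&C beacon pattern", "High", "Medium", "Medium"),
    Protection("Generic heuristic file signature", "Low", "Low", "Low"),
    Protection("Suspicious Mail Activity", "Medium", "Medium", "High"),
]


def suspicious_mail_active(preset_name: str) -> bool:
    """True if the named assumed preset activates the High-impact mail protection."""
    mail = SAMPLE_PROTECTIONS[-1]
    return PRESETS[preset_name].action_for(mail) != "Inactive"


if __name__ == "__main__":
    for name, policy in PRESETS.items():
        print(name, policy.evaluate(SAMPLE_PROTECTIONS))
    # A custom policy that raises the allowed impact to "High or lower" brings
    # Suspicious Mail Activity back without loosening any other threshold.
    custom = CustomPolicy("Medium", "High",
                          {"High": "Prevent", "Medium": "Prevent", "Low": "Detect"})
    print("Custom", custom.evaluate(SAMPLE_PROTECTIONS))
```

Under the assumed Recommended preset the mail protection is Inactive because its High impact exceeds the "Medium or lower" limit, while the Strict preset, which allows "High or lower", activates it; the custom policy at the end keeps the Recommended severity and confidence settings and only raises the impact limit, which is the change the note above calls for.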

To schedule updates:

  1. Click Schedule.

    The Activate Automatic Updates window opens.

  2. Select the Software Blades to receive automatic updates:

    • IPS

    • Anti-Virus

    • Anti-Bot

    • Application Control

  3. Select the Recurrence and Time of day.

  4. Click Apply.