IPS

Configure the settings for newly downloaded protections:

  • Active

  • Detect

  • Inactive

To enable Detect-only mode:

Select the checkbox.

To import IPS protections:

Click the link.

Anti-Virus

Anti-Virus scans incoming files for viruses.

The mail settings include:

  • SMTP - Simple Mail Transfer Protocol is a communication protocol for electronic mail transmission.

  • POP3 - Uses the POP3 protocol to send and receive emails with TLS encryption.

  • IMAP - Internet standard protocol used by email clients to retrieve email messages from a mail server over a TCP/IP connection. It allows you to access your email from any device.

To enable POP3S or IMAP scans:

  1. On the Threat Prevention > Engine Settings page, under Anti-Virus Scanned protocols, select the Mail (SMTP, POP3 and IMAP) checkbox.

  2. On the Access Policy > SSL Inspection Policy page, select the checkbox to enable SSL traffic inspection.

  3. Under Protocols to inspect, select POP3S or IMAP.

  4. Click Apply.

To configure the Anti-Virus settings:

  1. Select one of the protected scope options:

    • Scan incoming files from - Select one of these interfaces from which to scan incoming files:

      • External and DMZ - Files that originate from external and the DMZ interfaces are inspected.

        Note - DMZ is not supported in 1530 / 1550 appliances.

      • External - Files that originate from external interfaces are inspected.

      • All - Files transferred between all interfaces are inspected.

    • Scan both incoming and outgoing files - Files that originate from outside the organization and from within the organization to the Internet are inspected.

  2. Select the protocols to scan for the selected scope:

    • HTTP (on any port)

    • Mail (SMTP, POP3 and IMAP)

    • FTP - Disabled by default.

      To activate FTP:

      1. In the WebUI go to Home > Security Dashboard and turn on the Anti-Virus Software Blade.

      2. Connect to the command line and run this command:

        set threat-prevention anti-virus policy protocol-ftp true

      3. Install Policy.

    You must activate the SSL traffic inspection to scan HTTP and IMAP encrypted traffic. To activate, click the link or go to Access Policy > SSL Inspection Policy.

  3. Select one of the file type policy options:

    • Process file types known to contain malware

    • Process all file types

    • Process specific file type families - Click Configure for a list of file types and set prescribed actions to take place when these files pass through the Anti-Virus engine. To edit an action for a specified file type, right-click the row and click Edit.

      The available actions are:

      • Scan - The Anti-Virus engine scans files of this type.

      • Block - The Anti-Virus engine does not allow files of this type to pass through it.

      • Pass - The Anti-Virus engine does not inspect files of this type and lets them pass through.

        You cannot delete system defined file types. System defined file types are recognized by built-in signatures that cannot be edited. Manually defined file types are recognized by their extension and are supported through the web and mail protocols.

  4. You can set policy overrides to override the general policy setting defined on the Threat Prevention Blade Control page. For each of the below protection type options, you can set the applicable override action: Ask (a UserCheck rule action that blocks traffic and files and shows a UserCheck message; the user can agree to allow the activity), Prevent (a UserCheck rule action that blocks traffic and files and can show a UserCheck message), Detect (a UserCheck rule action that allows traffic and files to enter the internal network and logs them), Inactive, or According to policy (no override). See the Threat Prevention > Threat Prevention Blade Control page for a description of the action types.

    • URLs with malware - Protections related to URLs that are used for malware distribution and malware infection servers.

    • Viruses - Real-time protection from the latest malware and viruses by examining each file against the Check Point ThreatCloud database.
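The file type policy above distinguishes system-defined file types, which are recognized by built-in signatures, from manually defined ones, which are recognized by their extension only. The following added example (illustrative code, not Check Point's engine or its real file-type table) models that distinction with a small Scan / Block / Pass policy: signature matching is done on the first bytes of the file, extension matching on the name, and a signature match is checked first so that renaming a file does not change the action applied to it. The policy entries, magic values and filenames are constructed sample values.

```python
"""Illustrative model of a per-file-type Anti-Virus policy (Scan / Block / Pass).

Added example, not Check Point code. System-defined types are matched by a
built-in content signature (here: leading magic bytes); manually defined types
are matched by file extension only. Signature matches take precedence.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

SCAN, BLOCK, PASS = "Scan", "Block", "Pass"


@dataclass(frozen=True)
class FileType:
    name: str
    action: str
    magic: Optional[bytes] = None      # set for system-defined (signature) types
    extension: Optional[str] = None    # set for manually defined (extension) types


# Constructed sample policy table; actions chosen for illustration only.
POLICY = [
    FileType("Windows executable", BLOCK, magic=b"MZ"),
    FileType("PDF document", SCAN, magic=b"%PDF-"),
    FileType("ZIP archive", SCAN, magic=b"PK\x03\x04"),
    FileType("Plain text", PASS, extension=".txt"),
    FileType("CSV export", PASS, extension=".csv"),
]

# Files that match no configured family are simply scanned (constructed default).
DEFAULT_ACTION = SCAN


def identify(filename: str, head: bytes) -> Optional[FileType]:
    """Return the matching FileType, preferring signatures over extensions."""
    # Signature check first: a renamed executable is still an executable.
    for ft in POLICY:
        if ft.magic is not None and head.startswith(ft.magic):
            return ft
    lowered = filename.lower()
    for ft in POLICY:
        if ft.extension is not None and lowered.endswith(ft.extension):
            return ft
    return None


def decide(filename: str, head: bytes) -> Tuple[str, str]:
    """Return (action, family name) for a file given its name and first bytes."""
    ft = identify(filename, head)
    if ft is None:
        return DEFAULT_ACTION, "unclassified"
    return ft.action, ft.name


if __name__ == "__main__":
    # Constructed sample files: name plus the first bytes of their content.
    samples = [
        ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
        ("notes.txt", b"meeting minutes"),
        ("invoice.txt", b"MZ\x90\x00\x03\x00"),   # executable renamed to .txt
        ("blob.bin", b"\x00\x01\x02\x03"),
    ]
    for name, head in samples:
        action, family = decide(name, head)
        print(f"{name:12s} -> {action:5s} ({family})")
```

The third sample is the case the page's distinction matters for: a manually defined `.txt` type would pass the file on its extension alone, but the built-in executable signature is consulted first, so the Block action still applies.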

To enable Detect-only mode:

Select the checkbox.

Anti-Bot

You can set policy overrides to override the general policy settings defined on the Threat Prevention Blade Control page. For each of the below protection type options, you can set the applicable override action: Ask, Prevent, Detect, Inactive, or According to policy (no override). See the Threat Prevention > Threat Prevention Blade Control page for a description of the action types.

  • Malicious activity - Protections related to unique communication patterns of botnet and malware specified families.

  • Reputation domains - Protections related to Command & Control (C&C) servers. Each host is checked against the Check Point ThreatCloud reputation database.

  • Reputation IPs - Protections related to Command & Control (C&C) servers. Each IP is checked against the Check Point ThreatCloud reputation database.

  • Reputation URLs - Protections related to Command & Control (C&C) servers. Each URL is checked against the Check Point ThreatCloud reputation database.

  • Unusual activity - Protections related to the behavioral patterns common to botnet and malware activity.

To enable Detect-only mode:

Select the checkbox.

Threat Emulation

To configure the Threat Emulation settings:

  1. Select one of the protected scope options:

    • Scan incoming files from - Select one of these interfaces from which to scan incoming files:

      • External and DMZ - Files that originate from external and the DMZ interfaces are inspected.

        Note - DMZ is not supported in 1530 / 1550 appliances.

      • External - Files that originate from external interfaces are inspected.

      • All - Files transferred between all interfaces are inspected.

        Note - LAN to LAN scanning is not supported.

    • Scan both incoming and outgoing files - Files that originate from outside the organization and from within the organization to the Internet are inspected.

  2. Select the protocols to scan for the selected scope:

    • HTTP (on any port)

    • Mail (SMTP, POP3 and IMAP)

      You must activate the SSL traffic inspection to scan HTTP and IMAP encrypted traffic. To activate, click the link or go to Access Policy > SSL Inspection Policy.

  3. For file type policy:

    Process specific file type families - Click Configure for a list of file types and set prescribed actions to take place when these files pass through the Threat Emulation engine.

    To edit an action for a specified file type, right-click the row and click Edit. You can also click the file type to select it and then click Edit.

    The available actions are:

    • Inspect - The Threat Emulation engine inspects files of this type.

    • Bypass - The Threat Emulation engine does not inspect files of this type and lets them pass through.

      You cannot delete system defined file types. System defined file types are recognized by built-in signatures that cannot be edited.

  4. Select the HTTP connection emulation handling mode:

    • Background - Connections are allowed until emulation is complete.

    • Hold - Connections are blocked until emulation is complete.

In Threat Emulation, each file is run in the Check Point Public ThreatCloud to see if the file is malicious. The verdict is returned to the gateway.

You can change the emulator location to a local private SandBlast appliance in the Advanced Settings page.

You must first enable the Threat Emulation blade and then configure it for remote emulation.

To enable the Remote Private Cloud Threat Emulation emulator:

  1. Go to Device > Advanced Settings.

  2. Search for Threat Prevention Threat Emulation policy - Emulation location.

  3. Select Emulation is done on remote (private) SandBlast.

  4. Add or update the emulator IP address.

  5. Click Apply.

To disable the Remote Private Cloud Threat Emulation emulator:

  1. Go to Device > Advanced Settings.

  2. Search for Threat Prevention Threat Emulation policy - Emulation location.

  3. Select Emulation is done on Public ThreatCloud.

  4. Click Apply.

To configure multiple remote emulators, you must use CLI commands.

For more information on Threat Emulation, see the Threat Emulation video on the Small Business Security video channel.

To enable Detect-only mode:

Select the checkbox.

User Messages

You can customize messages for protection types set with the Ask action. When traffic is matched for a protection type that is set to Ask, the user's internet browser shows the message in a new window.

These are the Ask options and their related notifications:

  • Ask

    Anti-Virus Notification - Shows a message to users and asks them if they want to continue to access a site or download a file that was classified as malicious.

    Anti-Bot Notification - Shows a message to users and notifies them that their computer is trying to access a malicious server.

  • Block

    Anti-Virus Notification - Shows a message to users and blocks the site.

    Anti-Bot Notification - Anti-Bot blocks background processes. If a specified operation from a browser to a malicious server is blocked, a message is shown to the user.

To customize messages:

  1. Click Customize Anti-Virus user message or Customize Anti-Bot user message.

  2. Configure the options in each of these tabs:

    • Ask

    • Block

  3. Configure the applicable fields for the notifications:

    • Title - Keep the default or enter a different title.

    • Subject - Keep the default or enter a different subject.

    • Body - Keep the default or enter different body text. You can click Optional keywords for a list of keywords that you can add in the body text to give the user more information.

    • Ignore text (only for Ask) - If the user decides to ignore the message, this is the text that is shown next to the checkbox. Keep the default text or enter different text.

    • User must enter a reason (only for Ask) - Select this checkbox if users must enter an explanation for their activity. The user message contains a text box to enter the reason.

    • Fallback action (only for Ask) - Select an alternative action (Block or Accept) for when the notification cannot be shown in the browser or application that caused the notification, most notably in non-web applications.

      • If the Fallback action is Accept - The user can access the website or application.

      • If the Fallback action is Block - The website or application is blocked, and the user does not see a notification.

    • Frequency - You can set the number of times that the Anti-Virus, Anti-Bot, or Threat Emulation Ask user message is shown.

      • Once a day

      • Once a week

    • You can redirect the user to an external portal, not on the gateway. In the URL field, enter the URL for the external portal. The specified URL can be an external system. It gets authentication credentials from the user, such as a user name or password, and sends this information to the gateway.

  4. Click the Customize tab to customize a logo for all portals shown by the appliance (Hotspot, an area that offers a wireless local area network with Internet access through a router connected to a link to an Internet service provider, and the captive portal used by User Awareness, a Check Point software blade designed to associate users to IP addresses for logging and control purposes). Click Upload, browse to the logo file and click Apply. If necessary, you can revert to the default logo by clicking Use Default.

  5. Click Apply.
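Two parts of this page interact when an Ask message is configured: the per-protection override described in the Anti-Virus and Anti-Bot sections (an override of Ask, Prevent, Detect or Inactive replaces the Blade Control action, while According to policy inherits it), and the Ask delivery rules above (the page is shown only where a browser can render it, otherwise the Fallback action applies without a notification, and Frequency limits how often a user is asked). The following added example (illustrative code, not Check Point's implementation; the function names resolve_action, enforce and the AskMessage class are assumed names) models that decision flow so the effect of each setting can be checked on constructed inputs. The point worth seeing is the non-web client with Fallback action set to Accept: the traffic is allowed and nobody is notified.

```python
"""Illustrative model of action resolution and Ask-message delivery.

Added example, not Check Point code. Rules modelled from the page:
  * A per-protection override of Ask/Prevent/Detect/Inactive replaces the
    blade-wide action; "According to policy" inherits it.
  * Ask shows the UserCheck page only in a browser; elsewhere the Fallback
    action (Block or Accept) applies and the user sees no notification.
  * Frequency (Once a day / Once a week) limits how often a user is asked;
    inside that window the user's earlier answer is reused (assumption).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Tuple

ACCORDING_TO_POLICY = "According to policy"
ASK, PREVENT, DETECT, INACTIVE = "Ask", "Prevent", "Detect", "Inactive"
FREQUENCY = {"Once a day": timedelta(days=1), "Once a week": timedelta(weeks=1)}


def resolve_action(blade_action: str, override: str) -> str:
    """Per-protection override wins; 'According to policy' inherits the blade action."""
    return blade_action if override == ACCORDING_TO_POLICY else override


@dataclass
class AskMessage:
    fallback: str = "Block"            # Fallback action (only for Ask): Block or Accept
    frequency: str = "Once a day"      # how often the Ask page is shown per user
    # user -> (time the page was last shown, whether the user agreed)
    history: Dict[str, Tuple[datetime, bool]] = field(default_factory=dict)

    def deliver(self, user: str, is_browser: bool, now: datetime,
                user_agrees: bool) -> Tuple[str, bool]:
        """Return (outcome, page_shown); outcome is 'Accept' or 'Block'."""
        if not is_browser:
            # Non-web application: the page cannot be rendered, so the
            # fallback applies silently and the user is not notified.
            return ("Accept" if self.fallback == "Accept" else "Block"), False
        prev = self.history.get(user)
        if prev is not None and now - prev[0] < FREQUENCY[self.frequency]:
            # Still inside the frequency window: reuse the earlier answer.
            return ("Accept" if prev[1] else "Block"), False
        self.history[user] = (now, user_agrees)
        return ("Accept" if user_agrees else "Block"), True


def enforce(blade_action: str, override: str, ask: AskMessage, user: str,
            is_browser: bool, now: datetime, user_agrees: bool = False) -> Tuple[str, bool]:
    """Resolve the effective action and return (outcome, notification_shown)."""
    action = resolve_action(blade_action, override)
    if action == PREVENT:
        # Prevent blocks; a UserCheck message can be shown where a browser exists.
        return "Block", is_browser
    if action in (DETECT, INACTIVE):
        # Detect allows and logs only; Inactive does nothing. Neither notifies.
        return "Accept", False
    return ask.deliver(user, is_browser, now, user_agrees)


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)                  # constructed timestamp
    silent_allow = AskMessage(fallback="Accept")
    print(enforce(PREVENT, ASK, silent_allow, "alice", False, t0))   # ('Accept', False)
    strict = AskMessage(fallback="Block")
    print(enforce(PREVENT, ASK, strict, "alice", False, t0))         # ('Block', False)
    print(enforce(PREVENT, ASK, strict, "bob", True, t0, user_agrees=True))   # ('Accept', True)
    print(enforce(PREVENT, ASK, strict, "bob", True, t0 + timedelta(hours=1)))  # ('Accept', False)
    print(enforce(PREVENT, ACCORDING_TO_POLICY, strict, "bob", True, t0))     # ('Block', True)
```

Reusing the earlier answer inside the frequency window is an assumption made to give the model a defined outcome; the page only states how often the message is shown. The first call in the demo is the configuration to review most carefully: with Ask on a protection and Fallback action set to Accept, downloads by non-web applications are allowed without any message reaching the user.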