To address today's malware landscape, Check Point's comprehensive Threat Prevention solution offers a multi-layered, pre- and post-infection defense approach and a consolidated platform that enables enterprise security teams to deal with modern malware:
Stops unknown malware, targeted attacks, and zero-day attacks.
Works by:
Identifying files in email attachments (SMTP & SMTP/TLS) and downloads over the web (HTTP & HTTPS).
Uploading the suspicious files to a virtual sandbox (in the cloud, or on a local appliance) for further emulation and analysis.
Emulating the suspicious files in various OS environments by opening the files and monitoring for abnormal behavior (related to the file system, system registry, network connections, system processes, etc.).
Stopping the malicious files, and preventing them from getting to the end user.
Sharing (in real-time) the data about the detected malicious files with ThreatCloud.
Each Threat Prevention Software Blade provides distinct network protections, and the blades can be combined into a robust anti-malware solution.
Data from malicious attacks is shared between the Threat Prevention Software Blades and helps keep your network safe. For example, the signature of a threat identified by Threat Emulation is added to the Anti-Virus database.
The Threat Prevention Software Blades use a separate policy installation to minimize risk and operational impact. They are also integrated with other Software Blades on the Security Gateway to detect and stop threats.
Introduction to the Threat Extraction Solution
Threat Extraction is a new Software Blade in the Threat Prevention family that proactively removes potential threats from incoming documents.
SandBlast Threat Extraction prevents both known and unknown threats before they arrive at the organization, thus providing better protection against zero-day threats. Threat Extraction gives organizations the necessary protection against unknown threats in files that are downloaded from the Internet or attached to emails.
Supported Configuration and Requirements
In R77.30 release: Requires the R77.30 Add-on to be installed and enabled on the Security Management Server / Multi-Domain Security Management Server.
Scanning attachments from incoming emails requires MTA configuration.
To change the default text of the mail signature, for example:
Connect to the Security Management Server with SmartDashboard/SmartConsole. Go to 'Threat prevention > Advanced > Engine settings > Threat Extraction settings > Configure mail signatures'.
This is mail-client dependent. The mail that the user sees is plain text, which is why the link is not shown as clickable. Whether the mail is HTML or plain text is determined by the sender's mail client (or by the recipient's client, if it is set to display all incoming mail as plain text), and TEX adds the disclaimer to both sections when both exist. This cannot be resolved from the gateway side; it can only be resolved by changing the sender's mail client settings.
On any email handled by Threat Extraction, the gateway adds a disclaimer for each attachment describing how the attachment was handled (for example: "foo.doc: file(s) were stripped"). To change the default text of these disclaimers, on the gateway go to $FWDIR/conf and open the scrub_debug.conf file. Edit the value of the disclaimer you wish to change, save, and install policy.
Change the value of scrub_convertdoc_graphic_output_dpi from 300 to a lower value (200, for example). This creates smaller pictures in the converted file, leading to smaller files.
This parameter is in $FWDIR/conf/file_convert.conf. After the change, install policy and kill scrub_cp_file_convertd.
Note that too low a value (25, for example) can corrupt QR codes or barcodes in converted documents, so keep the value as high as the customer can tolerate.
The maximum supported file size is 100M. Please note that the limit is not only a function of file size, but also of processing time (which may be high for complex files). Check Point limits the conversion operation to 30 seconds. When using convert to PDF, the converted file can be even larger than the original (which may hit a limitation on the next-hop mail server). Keeping original files also depends on available disk space: when you increase the supported file size, consider reducing the number of days for which original files are kept.
The maximum file size supported for the Web API and SandBlast for browsers is 15 MB. It cannot be changed.
For a timeout of 2 minutes or more, use GUIDBedit to change all values of cpfc_async_timeout_in_seconds to the desired value (in seconds). The maximum is 3600 seconds (1 hour).
In $FWDIR/conf/file_convert.conf, change the value of thread_inactivity_timeout to the desired value (in seconds). The default value is 30.
Install policy.
Run over SSH on the gateway: kill -9 `pidof scrub_cp_file_convertd`
Note: Increasing the timeout value may increase resource usage and may expose the gateway to DoS attacks.
Enable debug on in.emaild.mta and replicate the problem. Open $FWDIR/log/in.emaild.mta.elg and search for: "cp_md5_file_sig_create: Failed to open file '/tmp/scrub/<event id>'". If found, on the gateway go to /tmp/scrub/. If the folder contains more than 4000 or so email files, the Threat Extraction process may have failed due to lack of temporary storage. Delete, or move to external storage, any files that are no longer needed.
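The check above as a read-only script, added here as an example (it is not a Check Point tool). Only the quoted error text comes from the article; the sample log lines and event file names are constructed, and the 4000-file threshold is passed in as a parameter.

```shell
#!/bin/sh
# Added example, not a Check Point tool: a read-only check for the
# "lack of temporary storage" symptom. The sample log line format is
# constructed; only the quoted error text is from the article.

# Count "cp_md5_file_sig_create: Failed to open file '/tmp/scrub/..." lines.
count_open_failures() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c "cp_md5_file_sig_create: Failed to open file '/tmp/scrub/" "$1" || true
}

# Count files directly under the scrub temp folder (0 if it is missing).
count_scrub_files() {
    [ -d "$1" ] || { echo 0; return; }
    find "$1" -maxdepth 1 -type f | wc -l | tr -d ' '
}

# Combine both signals. Prints one of:
#   storage-exhausted  open failures logged AND folder at/over the limit
#   log-error-only     open failures logged, folder below the limit
#   ok                 no open failures in the log
diagnose_scrub() {
    failures=$(count_open_failures "$1")
    files=$(count_scrub_files "$2")
    if [ "$failures" -gt 0 ] && [ "$files" -ge "$3" ]; then echo storage-exhausted
    elif [ "$failures" -gt 0 ]; then echo log-error-only
    else echo ok
    fi
}

# Constructed sample data so the check can be exercised off-box: a log with
# two open failures and a temp folder holding five event files.
make_sample_data() {
    d=$(mktemp -d)
    mkdir "$d/scrub"
    for i in 1 2 3 4 5; do : > "$d/scrub/sample-event-$i"; done
    cat > "$d/in.emaild.mta.elg" <<'EOF'
cp_md5_file_sig_create: Failed to open file '/tmp/scrub/sample-event-1'
message accepted for scrubbing
cp_md5_file_sig_create: Failed to open file '/tmp/scrub/sample-event-2'
EOF
    echo "$d"
}

# Demo: with a limit of 5 the sample trips the threshold. On a gateway run:
#   diagnose_scrub "$FWDIR/log/in.emaild.mta.elg" /tmp/scrub 4000
sample=$(make_sample_data)
echo "sample: $(diagnose_scrub "$sample/in.emaild.mta.elg" "$sample/scrub" 5)"
rm -rf "$sample"
```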
First, make sure the instructions in the sk were followed. On the gateway, open (NOT in vi) the file $FWDIR/conf/scrub_fixed_file_types and remove any extra line breaks or lines not in the correct format. Save and install policy. On the gateway, open (NOT in vi) the file /var/log/$FWDIR/conf/scrub_supported_file_types and remove any extra line breaks or lines not in the correct format. Save, install policy, and on the gateway run kill -9 `pidof scrub_cp_file_convertd`.
NOTE: Opening any file in vi will automatically add a new line break at the end of the file. Use notepad++ or similar instead.
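To spot the defects described above without opening the file in vi, here is an added example script (not a Check Point tool). The article does not show the real line format of these files, so the script only flags blank lines, carriage returns and the trailing line break vi adds; the sample entries are constructed.

```shell
#!/bin/sh
# Added example, not a Check Point tool: finds the defects the article says
# break scrub_fixed_file_types and scrub_supported_file_types (extra line
# breaks, and the line break vi appends) without opening the file in vi, and
# writes a cleaned copy for review. The sample entries are constructed; the
# article does not show the real line format, so content lines are not parsed.

# Prints one line per problem, then "issues: N". Always exits 0.
report_file_type_issues() {
    f="$1"; n=0
    # Blank or whitespace-only lines are the "extra line breaks".
    for ln in $(grep -n '^[[:space:]]*$' "$f" | cut -d: -f1); do
        echo "line $ln: empty line"; n=$((n + 1))
    done
    # Carriage returns, e.g. from a file edited on Windows and copied over.
    for ln in $(grep -n "$(printf '\r')" "$f" | cut -d: -f1); do
        echo "line $ln: carriage return (CRLF line ending)"; n=$((n + 1))
    done
    # A final line break is what vi adds; $(...) strips trailing newlines,
    # so an empty result means the last byte of the file is a newline.
    if [ -s "$f" ] && [ -z "$(tail -c1 "$f")" ]; then
        echo "end of file: trailing line break"; n=$((n + 1))
    fi
    echo "issues: $n"
}

# Writes SRC to DST with blank lines and CRs removed and no final line break.
# DST is a separate file: diff it against SRC before replacing the original.
write_cleaned_copy() {
    cleaned=$(grep -v '^[[:space:]]*$' "$1" | tr -d '\r')
    printf '%s' "$cleaned" > "$2"
}

# Constructed sample: a blank line, a CRLF line and a trailing line break.
make_sample_file_types() {
    d=$(mktemp -d)
    printf 'entry-one\n\nentry-two\r\nentry-three\n' > "$d/scrub_fixed_file_types"
    echo "$d/scrub_fixed_file_types"
}

sample=$(make_sample_file_types)
report_file_type_issues "$sample"            # ends with "issues: 3"
write_cleaned_copy "$sample" "$sample.clean"
report_file_type_issues "$sample.clean"      # ends with "issues: 0"
rm -rf "$(dirname "$sample")"
```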
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.