To challenge today's malware landscape, Check Point's comprehensive Threat Prevention solution offers a multi-layered, pre and post-infection defense approach and a consolidated platform that enables enterprise security to deal with modern malware:
Each Threat Prevention Software Blade gives unique network protections and they can be combined to supply a strong malware solution.
Data from malicious attacks are shared between the Threat Prevention Software Blades and help keep your network safe. For example, the signature from a threat that is identified by Threat Emulation is added to the Anti-Virus database.
The Threat Prevention Software Blades use a separate policy installation to minimize risk and operational impact. They are also integrated with other Software Blades on the Security Gateway to detect and stop threats.
Introduction to the Threat Extraction Solution
Threat Extraction is a new Software Blade in the Threat Prevention family that pro-actively cleans potential threats from incoming documents.
SandBlast Threat Extraction prevents both known and unknown threats before they arrive at the organization, thus providing better protection against zero-day threats. Threat Extraction gives organizations the necessary protection against unknown threats in files that are downloaded from the Internet, or attached to emails.
Supported Configuration and Requirements
In R77.30 release: Requires the R77.30 Add-on to be installed and enabled on the Security Management Server / Multi-Domain Security Management Server.
Scanning attachments from incoming emails requires MTA configuration
This is mail-client dependent. The mail that the user sees is plain text. That is the reason the link isn't seen as clickable. The mail being either html or plain text is determined by the sender's mail-client (or by the recipient client if he chooses all incoming mails to be seen as plain text), and TEX adds the disclaimer to both sections if they exist. This cannot be resolved from the gateway side. It can only be resolved by changing the sender's mail client definitions.
On any email handled by Threat Extraction, the gateway adds a disclaimer for each attachment, describing how the attachment was handled (for example: "foo.doc: file(s) were stripped"). To change the default text of these disclaimers, in the gateway go to $FWDIR/conf and open the scrub_debug.conf file. Edit the value of the disclaimer you wish to change. Save and install policy.
The max file size supported is 100M. Please note it is not only a function of file size, but also a process time (which make be high for complex files). Check Point limits the conversion operation to 30 seconds. When using convert to PDF, the converted file size can be even larger (which may be a limitation on the next-hop mail server). In addition keeping original files depends on disk space. When you increase the supported file size, consider reducing the number of days to keep the original files.
The max file size supported for WEB API and Sandblast for browsers is 15MB. It cannot be changed.
Enable debug on in.emaild.mta and replicate the problem. Open $FWDIR/log/in.emaild.mta.elg and search for: "cp_md5_file_sig_create: Failed to open file '/tmp/scrub/<event id>' ". If found, in the gateway go to /tmp/scrub/. If the folder contains more than 4000 or so email files, the Threat Extraction process may have failed due to lack of temporary storage. Delete or move to external storage any files no longer needed.
First, make sure the instructions in the sk were followed. In the gateway, open, (NOT in vi) the file $FWDIR/conf/scrub_fixed_file_types and remove any extra linebreaks or lines not in the correct format. Save and install policy. In the gateway, open, (NOT in vi) the file /var/log/$FWDIR/conf/scrub_supported_file_types and remove any extra linebreaks or lines not in the correct format. Save, install policy and in the gateway run kill -9 'pidof scrub_cp_file_convertd' .
NOTE: Opening any file in vi will automatically add a new line break at the end of the file. Use notepad++ or similar instead.