SandBlast Agent for Browsers can be configured on the extension's options page. To open it, click on the Check Point icon in the browsers and press the options icon at the top right corner.

Here is an overview on the options page:

1. Enable/Disable SandBlast Protection for Web Downloads.
   
   
2. Configure policy for each collection of file types:
   
   There are three collections:
   
   
   • Supported files (TE + TEX) - both Threat Emulation and Threat Extraction are supported.
     
     
   • Partially Supported Files (TE Only) - only Threat Emulation is supported
     
     
   • Unsupported Files - files can be either allowed or blocked.

   Configuration options:

   • Extraction Settings - there are 3 ways to set this option:
     
     
     1. Use admin defied profile - The extraction settings are according to server's Threat Extraction profile.
        Note: Threat Extraction must be enabled in the Threat Prevention profile and in the Threat Prevention policy. Only "Extraction method" and "File types" settings are taken from admin profile.
        
        
     2. Extract potentially malicious elements - In this option the file will keep its type, and potentially malicious elements will be removed.
        
        
     3. Convert to PDF - File will be converted to PDF.
     
     
     
   • Emulation Setting - there are 2 ways to set this option:
     
     
     1. In the background - The file will be download to the user and emulated in the background.
        
        
     2. Hold until scan completes - The file will not be downloaded until it is emulated.
        
        
   • General Settings - there are 2 ways to set this option:
     
     
     1. Allow the files of the collection.
        
        
     2. Block the files of the collection.
     
     
     
   • Use the Advanced settings in order to configure 
     • Policy for specific file types 
     • Control the extracted elements when using "Extract potentially malicious elements".
     • More advance settings
   
   
   
3. Enable/Disable Zero Phishing Protection.
   Use the Advanced settings in order to configure Phishing Prevention settings and Password Reuse settings.
   • Phishing Prevention
     
     • Phishing Protection defines the action taken upon phishing detection.
     • Send log on each scanned site - The extension will send log for each scanned sites (Benign + Malicious)
     • Allow user to dismiss the phishing alert and continue to access the site - The user will be able to bypass the phishing warning and continue to fill the site's form.
     • Allow user to abort phishing scans - User will be able to stop the ongoing site scan
   • Password Reuse
     • Password Reuse Protection defines the action taken upon phishing detection.
     • Protected domains - Passwords used in these domains will be learned, and will be compared to passwords entered outside of the "protected domains"
4. Connected server describes the server that preforms Threat Emulation and Threat Extraction, there are 3 options:
   1. Gateway or SandBlast Appliance. 
      • Mandatory instructions are described at sk113599.
   2. Cloud Only. 
      • Note that cloud API key is mandatory
   3. Gateway with fallback to the Cloud
      • SandBlast Agent for Browsers will try to connect to the specified gateway, if there is no connectivity to the gateway it'll try to connect Threat Cloud.
5. Excluded Domains - Downloads/Phishing scans from these domains will be excluded from SandBlast policy.
   
   
6. You can use Export Configuration in order to export the saved options.

When working with SBA, Chrome extension is enabled by default, while IE can be controlled through GuiDBedit Tool as follows:
until version 80.70 (including), the IE is disabled b default, and can be enabled by the following procedure:

1. Close all SmartConsole windows and open the GuiDBedit Tool.
   
   
2. Go to ep_orgp_te_policy_tbl
   
   
3. In each line with the class name ep_orgp_te_web_downloads_protection_action, find the field browser_extensions_additional_data and add the value: ie_extension_disabled=false
   
   
4. Save the changes: go to 'File' menu - click on 'Save All'.
   
   
5. Open SmartEndpoint Console.
   
   
6. Make a small change in a SandBlast Agent Threat Emulation rule, which will cause it to change policy version number and load changes from GuiDBedit Tool.
   
   
7. Install policy in SmartEndpoint.
   
   
8. Update policy on Endpoint
   
   

From version 80.71, the IE extension is enabled by default, and can be disabled by following the below procedure:

1. Close all SmartConsole windows and open the GuiDBedit Tool.
   
   
2. Go to ep_orgp_te_policy_tbl
   
   
3. In each line with the class name ep_orgp_te_web_downloads_protection_action, find the field browser_extensions_additional_data and add the value: ie_extension_disabled=true
   
   
4. Continue with the steps 4 - 8 from the above instructions.

 

Starting from version 80.81, the Firefox extension is supported in EA quality for Firefox browsers version 57 and up.
The Firefox extension is disabled by default, and can be enabled by the following procedure:

1. Close all SmartConsole windows and open GuiDBedit Tool.
   
   
2. Go to ep_orgp_te_policy_tbl
   
   
3. In each line with the class name ep_orgp_te_web_downloads_protection_action, find the field browser_extensions_additional_data and add the value:
   firefox_extension_disabled=false
   
   
4. Continue with the steps 4 - 8 from the above instructions. 
   
   

Note: Multiple value can be configured with semicolon (;) symbol as delimiter.

When working with Firefox browser, export the policy as .json file (not .reg file), save it with name "manifest.json" and place it using GPO in the C:\Program Files (x86)\CheckPoint\SandBlast\. folder.

The changes will take effect after you restarting the Firefox.

It's recommended to use the SandBlast Agent for Browsers options to set the policy, and export the configuration into registry file in order to deploy it in the organization.

To configure the SandBlast Agent for Browsers using GPO, add the following registry path:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\deakbjemijlmlcehdgejmdpekkceodmk\policy

Notes:

• The registry values control the SandBlast Agent for Browsers options. You can choose not to configure the SandBlast Agent for Browsers, in which case it will use the default values
• Controlling the SandBlast Agent for Chrome using GPO is possible only if the machine is member of AD domain.
• Policy changes in registry will apply within 10 minutes.

Below you can see the different configuration options and their values

General Settings:

Name	Variable	Description	Type and Values
Connected Server	use_te_cloud	Determines the type of server to work with	DWORD 0 - Gateway or SandBlast Appliance (specified in server) 1 - Check Point Threat Cloud 2 - Gateway with fallback to cloud
	te_cloud_api_key	Valid cloud API key, either product's CK or cloud evaluation key	STRING
	server	Defines the SandBlast Security Gateway which perform Threat Emulation, Threat Extraction and collect logs for Zero Phishing. This Security Gateway needs to be configured according to sk113599.	STRING IP address of Security Gateway
	api_key	It's recommended to harden the access to the gateway by defining shared secret between the extensions and the Security Gateway. api_key should be the same as the one defined on the Security Gateway under /opt/CPUserCheckPortal/phpincs/conf/TPAPI.ini	STRING
SandBlast Protection for Web Downloads	file_protection_enabled	Defines if SandBlast Protection for Web Downloads is active	DWORD 1 - On 0 - Off
Zero Phishing Protection	identity_protection_enabled	Defines if Zero Phishing Protection is active	DWORD 1 - On 0 - Off
Duration for overriding the GPO settings	override_user_settings_minutes	Defines the time (in minutes), during which the user can override the settings defined by the administrator using GPO	DWORD 0 - The user does not have permission to override GPO settings N - Time (in minutes), during which the user can override the GPO settings
Additional Settings	show_notifications	Determines if notifications should be shown.	DWORD 1 - Enabled (show notifications) 0 - Disabled (do not show notifications)
	logs_enabled	Send logs to the Security Gateway regarding SandBlast Protection for Web Downloads and Zero Phishing Protection. The option needs to be enabled on the Security Gateway as well, logs_api_enabled needs to be set to TRUE under /opt/CPUserCheckPortal/phpincs/conf/TPAPI.ini	DWORD 1 - Enabled (send logs) 0 - Disabled (do not send logs)
None (Only using GPO)	userid	Using GPO it is possible to push the username (if not set) - a randomly generated ID is sent (the field is shown in the Security Gateway logs)	STRING
	options_disabled	Blocks the user from editing the extension's options.	DWORD 1 - Active (blocks editing) 0 - Inactive (allows editing)
	manual_scan_disabled	Determines if the user can see "Scan File" in the options page	DWORD 1 - Disabled (User will not see "Scan File") 0 - Enabled (User will see "Scan File")

SandBlast Protection for Web Downloads settings:

Name	Variable	Description	Type and Values
SandBlast Protection for Web Downloads	file_protection_enabled	Defines if SandBlast Protection for Web Downloads is active	DWORD 1 - On 0 - Off
Excluded Domains	excluded_domains	SandBlast Protection for Web Downloads activities will not be performed on these trusted domains.	Array of strings (see the example under this table).
Action per file type		It is possible to create a different action (Emulate and Extract, Extract, Emulate, Allow, Block) and policy (Global profile, Extract potentially malicious elements, Convert to PDF, In the background, Hold till scan completes) for each file type. It is recommended to use the extension's options to set the policy, and then use Export Configuration when using this option.	DWORD The supported family types are: docs other unsupported The supported file types are: doc, docm, docx, dot, dotm, dotx, rtf, hwp fdf, pdf ppt, pptx, pps, ppsm, ppsx, pptm, pot, potm, potx, ppa, ppam, sldx, sldm csv, xls, xlsx, xlam, xla, xlsb, xlsm, xlm, xltm, xltx, xll, xlw zip, rar, tar, tgz, 7z, jar, cab exe scr pif swf
Allow by file type	allowed_file_types	It's possible to allow downloads of specific file extensions	Array of strings (see the example under this table).
Block by file type	blocked_file_types	It's possible to block downloads of specific file extensions	Array of strings (see the example under this table).
Extracted Elements	tex_parts_codes	If Threat Extraction is configured to "Extract potentially malicious elements", then you can choose what elements are extracted.	Array of integers 1034 - Links to network/local file paths 1026 - Microsoft Office macros and PDF JavaScript code 1019 - Files and objects embedded in documents 1025 - Linked Objects 1018 - Queries to remote databases 1139 - Launch external applications 1142 - Play sound objects 1143 - Play movie files 1141 - Open Uniform Resource Identifier (URI) resources 1150 - Execute JavaScript code 1151 - Submit data to remote locations 1137 - Open other PDF files 1017 - Custom document properties 1021 - Stored data for fast document saving 1036 - Statistic document properties 1037 - Summary document properties
Advanced options	original_file_option	Determines where original file will be saved in case it was cleaned by Threat Extraction	DWORD 0 - Original file is not saved 1 - Original file is saved on locally at the browser 2 - Original file is saved on at server (supported only at Security Gateway)
	fail_close	Block download in case of failure.	DWORD 1 - Enable (blocks download) 0 - Disable (allows download)
	block_encrypted	Block download of encrypted documents	DWORD 1 - Enable (blocks download) 0 - Disable (allows download)
None (Only using GPO)	max_file_size	Maximum file size to send to Security Gateway.	DWORD Size of file in bytes
	tex_profile_name	Name of Threat Extraction profile that will be used in case "Global profile" options is selected, if "Recommended_Profile" is not used.	STRING Name of Threat Extraction profile
	te_rule_id	Number of rule in Threat Prevention policy that contains the profile that will be used by Threat Emulation.	DWORD Rule number (by default rule 1 is being used)

Zero Phishing Protection settings:

Name	Variable	Description	Type and Values
Zero Phishing Protection	identity_protection_enabled	Defines if Zero Phishing Protection is active	DWORD 1 - On 0 - Off
Phishing Protection	phishing_detection_mode	Defines Phishing protection mode	DWORD 0 - Off 1 - Log only 2 - Prevent access and log 3- Prevent access only
Send log on each scanned site	theft_logs_mode	Option to control if logs are sent on each phishing scan, or only log phishing scans	DWORD 1 - Send log on each scan (Benign or Malicious)  0 - Send logs only on Malicious sites
Allow user to dismiss the phishing alert and continue to access the site	permit_continue_anyway	Defines if the user can continue entering information at the form after it was tagged as phishing	DWORD 1 - Allow user to override 0 - Prevent user from override
Allow user to abort phishing scan	permit_cancel_scan	Defines if the user can cancel the phishing scan before it's completed	DWORD 1 - Allow user to cancel 0 - Prevent user from cancel
Password Reuse Protection	password_reuse_mode	Defines password reuse protection mode	DWORD 0 - Off  1 - Log only  2 - Alert user and log  3- Alert user only
Protected Domains	protected_domains	Passwords used in these domains will be learned, and will be compared to passwords entered outside of the "protected domains"	Array of strings (see the example under this table).

Example of a *.reg script: (Threat Emulation and Threat Extraction)

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\deakbjemijlmlcehdgejmdpekkceodmk\policy]
"excluded_domains"="[ \"onesite.com\", \"secondsite.org\" ]"
"pdf"=dword:2c
"fdf"=dword:22c
"7z"=dword:28
"allowed_file_types"="[ \"txt\", \"log\" ]"
"blocked_file_types"="[ \"bat\", \"reg\" ]"
"fail_close"=dword:00000001
"server"="security.gateway.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist]
"1"="deakbjemijlmlcehdgejmdpekkceodmk;https://clients2.google.com/service/update2/crx"

In this example Chrome is forced to install the SandBlast Agent for Browers with the following options:

• No action will be taken for files downloaded from onesite.com or secondsite.org (excluded_domains=...)
• "Emulate and Extract" action and "convert to PDF" for FDF files (fdf=22c).
• "Emulate and Extract" action "according to global profile" for PDF files (pdf=2c).
• "Emulate" action and "Hold till scan completes" for 7z files (7z=28).
• Emulate and Extract action for all other files according to the default settings.
• txt and log files are allowed
• bat and reg files are blocked
• Download is blocked in case of failure (fail_close=1).
• SandBlast inspection is performed by security.gateway.com (server=security.gateway.com).

Example of a *.reg script: (Zero Phishing)

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\deakbjemijlmlcehdgejmdpekkceodmk\policy]
"protected_domains"="[ \"onesite.com\", \"secondsite.org\"]"
"identity_protection_enabled"=dword:1
"phishing_detection_mode"=dword:2
"password_reuse_mode"=dword:2
"permit_continue_anyway"=dword:1
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist]
"1"="deakbjemijlmlcehdgejmdpekkceodmk;https://clients2.google.com/service/update2/crx"

In this example Chrome is forced to install the SandBlast Agent for Browers with the following options:

• Password will be learned from onesite.com or secondsite.org (protected_domains=...)
• Zero Phishing enabled (identity_protection_enabled=1).
• Phishing detection in Zero Phishing is "Prevent Access and Log" (phishing_detection_mode=2).
• Passwords reuse is "Alert User and Log" (password_reuse_mode=2).
• User is allowed to dismiss the phishing alert and continue to access the site (permit_continue_anyway=1).

With SmartEndpoint, use the bellow recommended configuration for the files handling:

When working with SBA4B standalone, use the below recommended configuration: