Check Point SandBlast Agent for Browsers
Solution

Table of Contents

  • Abstract
  • System Prerequisites
  • Installing SandBlast Agent for Chrome Browser
  • Deploying SandBlast Agent for Chrome Browser
  • Installing SandBlast Agent for other Browsers
  • Deploying SandBlast Agent for other Browsers
  • Configuring the SandBlast Agent for Browsers
  • Controlling the SandBlast Agent for Browsers
  • Controlling the SandBlast Agent for Browsers with GPO
  • Known Limitations

Abstract

SandBlast Agent (SBA) for Browsers is Generally Available (GA).

Use the SandBlast Agent for Browsers:

  1. To prevent the download of malicious files:
    1. Threat Emulation - Detect malicious behavior by running files within a secure virtual environment.
    2. Threat Extraction - Obtain immediate and safe access to documents by removing potentially malicious elements or converting the downloaded file to PDF.
    3. The user can download the original file once Threat Emulation completes.

  2. Phishing protection: Zero Phishing is an innovative Anti-Phishing product, protecting corporate users and administrators from:
    1. Zero-day phishing sites
    2. Password / identity theft

SandBlast Agent for Browsers can perform SandBlast Threat Emulation and SandBlast Threat Extraction on:

  • Check Point Threat Cloud
  • Security Gateway or TE Appliance running R77.30 with Jumbo Hotfix. Instructions are available at sk113599.

System Prerequisites

The following must be installed on the target machines before the deployment of the SandBlast Agent for Browsers MSI:

  1. Microsoft Visual C++ 2010 Redistributable x86
  2. .NET Framework 4.x
  3. Internet Explorer 11

Installing SandBlast Agent for Chrome Browser

  1. In your Google Chrome browser, download the Check Point SandBlast Zero-Day Protection Web Extension from the Chrome Web Store.
  2. Click on the Check Point icon in Google Chrome and click on the Options icon.
  3. In the Connected Server section, add the FQDN of the Security Gateway, or choose to work with the cloud (a valid cloud API key is mandatory).
  4. To test a file, use the "Scan file" tab, then choose a file and click "Scan". The file will be sent to the Security Gateway for scanning, according to the extension's settings.

 

Deploying SandBlast Agent for Chrome Browser

Note: Installing SandBlast Agent for Chrome using GPO is possible only if the machine is a member of an AD domain.

To force users to install the Chrome extension, create the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist\1

The value is of type REG_SZ and holds the following data:

"bnbpncoilnpdbcbfcegbjocobjppndlh;https://clients2.google.com/service/update2/crx"


Installing SandBlast Agent for other Browsers

The installer of SandBlast Agent for Browsers will install the agent for the following browsers: Chrome, IE11 and Firefox.

  1. Download the Check Point SandBlast Agent Browser Extension from the Download Center.
  2. Run the installer on the target machine using admin credentials.
  3. Follow the on-screen instructions.

Installation Notes:

  • Installation is done per machine.
  • Open Internet Explorer windows must be closed (the user is prompted when the installer runs in interactive mode).
  • The SandBlast Agent for Browsers installer should not be run on an endpoint that already has SBA installed.

Deploying SandBlast Agent for other Browsers

The installer of SandBlast Agent for Browsers can be deployed using GPO and other common deployment tools (such as SCCM).

For quiet installation, run the installer with the "/qn" argument.

Example: Check_Point_SandBlast_Browser_Ext_v1_sk108695.msi /qn


Configuring the SandBlast Agent for Browsers


SandBlast Agent for Browsers is configured on the extension's options page. To open it, click the Check Point icon in the browser and then the Options icon in the top right corner.

Here is an overview of the options page:

  1. Enable/Disable SandBlast Protection for Web Downloads.

  2. Configure policy for each collection of file types:

    There are three collections:

    • Supported files (TE + TEX) - both Threat Emulation and Threat Extraction are supported.

    • Partially Supported Files (TE Only) - only Threat Emulation is supported

    • Unsupported Files - files can be either allowed or blocked.

    Configuration options:

    • Extraction Settings - there are 3 ways to set this option:

      1. Use admin defined profile - The extraction settings follow the server's Threat Extraction profile.
        Note: Threat Extraction must be enabled in the Threat Prevention profile and in the Threat Prevention policy. Only the "Extraction method" and "File types" settings are taken from the admin profile.

      2. Extract potentially malicious elements - In this option the file will keep its type, and potentially malicious elements will be removed.

      3. Convert to PDF - File will be converted to PDF.


    • Emulation Setting - there are 2 ways to set this option:

      1. In the background - The file will be downloaded to the user and emulated in the background.

      2. Hold until scan completes - The file will not be downloaded until it is emulated.

    • General Settings - there are 2 ways to set this option:

      1. Allow the files of the collection.

      2. Block the files of the collection.


    • Use the Advanced settings to configure:
      • Policy for specific file types
      • Control of the extracted elements when using "Extract potentially malicious elements"
      • More advanced settings


  3. Enable/Disable Zero Phishing Protection.
    Use the Advanced settings in order to configure Phishing Prevention settings and Password Reuse settings.
    • Phishing Prevention
      • Phishing Protection defines the action taken upon phishing detection.
      • Send log on each scanned site - The extension will send a log for each scanned site (Benign + Malicious).
      • Allow user to dismiss the phishing alert and continue to access the site - The user will be able to bypass the phishing warning and continue to fill in the site's form.
      • Allow user to abort phishing scans - The user will be able to stop the ongoing site scan.
    • Password Reuse
      • Password Reuse Protection defines the action taken upon password reuse detection.
      • Protected domains - Passwords used in these domains will be learned and compared to passwords entered outside of the "protected domains".
  4. Connected server describes the server that performs Threat Emulation and Threat Extraction. There are 3 options:
    1. Gateway or SandBlast Appliance.
      • Mandatory instructions are described at sk113599.
    2. Cloud Only.
      • Note that a cloud API key is mandatory.
    3. Gateway with fallback to the Cloud.
      • SandBlast Agent for Browsers will try to connect to the specified gateway; if there is no connectivity to the gateway, it will try to connect to Threat Cloud.
  5. Excluded Domains - Downloads from and phishing scans of these domains will be excluded from the SandBlast policy.

  6. You can use Export Configuration in order to export the saved options.

 

Controlling the SandBlast Agent for Browsers


When working with SBA, the Chrome extension is enabled by default, while the IE extension can be controlled through the GuiDBedit Tool as follows.
Up to and including version 80.70, the IE extension is disabled by default and can be enabled with the following procedure:

  1. Close all SmartConsole windows and open the GuiDBedit Tool.

  2. Go to ep_orgp_te_policy_tbl

  3. In each line with the class name ep_orgp_te_web_downloads_protection_action, find the field browser_extensions_additional_data and add the value: ie_extension_disabled=false

  4. Save the changes: go to 'File' menu - click on 'Save All'.

  5. Open SmartEndpoint Console.

  6. Make a small change in a SandBlast Agent Threat Emulation rule; this changes the policy version number and loads the changes made in the GuiDBedit Tool.

  7. Install policy in SmartEndpoint.

  8. Update the policy on the endpoint.

From version 80.71, the IE extension is enabled by default and can be disabled with the following procedure:

  1. Close all SmartConsole windows and open the GuiDBedit Tool.

  2. Go to ep_orgp_te_policy_tbl

  3. In each line with the class name ep_orgp_te_web_downloads_protection_action, find the field browser_extensions_additional_data and add the value: ie_extension_disabled=true

  4. Continue with steps 4 to 8 of the procedure above.

 

Controlling the SandBlast Agent for Browsers with GPO


It is recommended to set the policy on the SandBlast Agent for Browsers options page and then export the configuration to a registry file for deployment across the organization.

To configure the SandBlast Agent for Browsers using GPO, add the following registry path:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\bnbpncoilnpdbcbfcegbjocobjppndlh\policy

Notes:

  • The registry values control the SandBlast Agent for Browsers options. You can choose not to configure the SandBlast Agent for Browsers, in which case it uses the default values.
  • Controlling the SandBlast Agent for Chrome using GPO is possible only if the machine is a member of an AD domain.
  • Policy changes in the registry take effect within 10 minutes.

Below are the different configuration options and their values. Each entry lists the option name as shown on the options page ("None" means the setting is available only through GPO), the registry variable, its description, and its type and values.

General Settings:

  • Connected Server: use_te_cloud
    Determines the type of server to work with.
    Type: DWORD
      • 0 - Gateway or SandBlast Appliance (specified in server)
      • 1 - Check Point Threat Cloud
      • 2 - Gateway with fallback to cloud

  • Connected Server: te_cloud_api_key
    Valid cloud API key, either the product's CK or a cloud evaluation key.
    Type: STRING

  • Connected Server: server
    Defines the SandBlast Security Gateway that performs Threat Emulation and Threat Extraction and collects logs for Zero Phishing. This Security Gateway needs to be configured according to sk113599.
    Type: STRING
      • IP address of the Security Gateway

  • Connected Server: api_key
    It is recommended to harden access to the gateway by defining a shared secret between the extensions and the Security Gateway. api_key should be the same as the one defined on the Security Gateway under /opt/CPUserCheckPortal/phpincs/conf/TPAPI.ini.
    Type: STRING

  • SandBlast Protection for Web Downloads: file_protection_enabled
    Defines if SandBlast Protection for Web Downloads is active.
    Type: DWORD
      • 1 - On
      • 0 - Off

  • Zero Phishing Protection: identity_protection_enabled
    Defines if Zero Phishing Protection is active.
    Type: DWORD
      • 1 - On
      • 0 - Off

  • Duration for overriding the GPO settings: override_user_settings_minutes
    Defines the time (in minutes) during which the user can override the settings defined by the administrator using GPO.
    Type: DWORD
      • 0 - The user does not have permission to override GPO settings
      • N - Time (in minutes) during which the user can override the GPO settings

  • Additional Settings: show_notifications
    Determines if notifications should be shown.
    Type: DWORD
      • 1 - Enabled (show notifications)
      • 0 - Disabled (do not show notifications)

  • Additional Settings: logs_enabled
    Send logs to the Security Gateway regarding SandBlast Protection for Web Downloads and Zero Phishing Protection. The option needs to be enabled on the Security Gateway as well: logs_api_enabled needs to be set to TRUE under /opt/CPUserCheckPortal/phpincs/conf/TPAPI.ini.
    Type: DWORD
      • 1 - Enabled (send logs)
      • 0 - Disabled (do not send logs)

  • None (only using GPO): userid
    Using GPO it is possible to push the username. If not set, a randomly generated ID is sent (the field is shown in the Security Gateway logs).
    Type: STRING

  • None (only using GPO): options_disabled
    Blocks the user from editing the extension's options.
    Type: DWORD
      • 1 - Active (blocks editing)
      • 0 - Inactive (allows editing)

  • None (only using GPO): manual_scan_disabled
    Determines if the user can see "Scan File" in the options page.
    Type: DWORD
      • 1 - Disabled (user will not see "Scan File")
      • 0 - Enabled (user will see "Scan File")

SandBlast Protection for Web Downloads settings:

  • SandBlast Protection for Web Downloads: file_protection_enabled
    Defines if SandBlast Protection for Web Downloads is active.
    Type: DWORD
      • 1 - On
      • 0 - Off

  • Excluded Domains: excluded_domains
    SandBlast Protection for Web Downloads activities will not be performed on these trusted domains.
    Type: Array of strings (see the example under this table).

  • Action per file type: one value named after each file type (for example pdf, fdf or 7z, as in the example under this table)
    It is possible to create a different action (Emulate and Extract, Extract, Emulate, Allow, Block) and policy (Global profile, Extract potentially malicious elements, Convert to PDF, In the background, Hold till scan completes) for each file type. It is recommended to set the policy in the extension's options and then use Export Configuration when using this option.
    Type: DWORD
      • The supported family types are:
        • docs
        • other
        • unsupported
      • The supported file types are:
        • doc, docm, docx, dot, dotm, dotx, rtf, hwp
        • fdf, pdf
        • ppt, pptx, pps, ppsm, ppsx, pptm, pot, potm, potx, ppa, ppam, sldx, sldm
        • csv, xls, xlsx, xlam, xla, xlsb, xlsm, xlm, xltm, xltx, xll, xlw
        • zip, rar, tar, tgz, 7z, jar, cab
        • exe
        • scr
        • pif
        • swf

  • Allow by file type: allowed_file_types
    It is possible to allow downloads of specific file extensions.
    Type: Array of strings (see the example under this table).

  • Block by file type: blocked_file_types
    It is possible to block downloads of specific file extensions.
    Type: Array of strings (see the example under this table).

  • Extracted Elements: tex_parts_codes
    If Threat Extraction is configured to "Extract potentially malicious elements", you can choose which elements are extracted.
    Type: Array of integers
      • 1034 - Links to network/local file paths
      • 1026 - Microsoft Office macros and PDF JavaScript code
      • 1019 - Files and objects embedded in documents
      • 1025 - Linked Objects
      • 1018 - Queries to remote databases
      • 1139 - Launch external applications
      • 1142 - Play sound objects
      • 1143 - Play movie files
      • 1141 - Open Uniform Resource Identifier (URI) resources
      • 1150 - Execute JavaScript code
      • 1151 - Submit data to remote locations
      • 1137 - Open other PDF files
      • 1017 - Custom document properties
      • 1021 - Stored data for fast document saving
      • 1036 - Statistic document properties
      • 1037 - Summary document properties

  • Advanced options: original_file_option
    Determines where the original file is saved in case it was cleaned by Threat Extraction.
    Type: DWORD
      • 0 - Original file is not saved
      • 1 - Original file is saved locally at the browser
      • 2 - Original file is saved at the server (supported only with a Security Gateway)

  • Advanced options: fail_close
    Block download in case of failure.
    Type: DWORD
      • 1 - Enable (blocks download)
      • 0 - Disable (allows download)

  • Advanced options: block_encrypted
    Block download of encrypted documents.
    Type: DWORD
      • 1 - Enable (blocks download)
      • 0 - Disable (allows download)

  • None (only using GPO): max_file_size
    Maximum file size to send to the Security Gateway.
    Type: DWORD
      • Size of file in bytes

  • None (only using GPO): tex_profile_name
    Name of the Threat Extraction profile that is used when the "Global profile" option is selected, if "Recommended_Profile" is not used.
    Type: STRING
      • Name of Threat Extraction profile

  • None (only using GPO): te_rule_id
    Number of the rule in the Threat Prevention policy that contains the profile to be used by Threat Emulation.
    Type: DWORD
      • Rule number (by default rule 1 is used)

Zero Phishing Protection settings:

  • Zero Phishing Protection: identity_protection_enabled
    Defines if Zero Phishing Protection is active.
    Type: DWORD
      • 1 - On
      • 0 - Off

  • Phishing Protection: phishing_detection_mode
    Defines the Phishing protection mode.
    Type: DWORD
      • 0 - Off
      • 1 - Log only
      • 2 - Prevent access and log
      • 3 - Prevent access only

  • Send log on each scanned site: theft_logs_mode
    Controls whether logs are sent on each phishing scan, or only for scans that detect phishing.
    Type: DWORD
      • 1 - Send log on each scan (Benign or Malicious)
      • 0 - Send logs only on Malicious sites

  • Allow user to dismiss the phishing alert and continue to access the site: permit_continue_anyway
    Defines if the user can continue entering information in the form after it was tagged as phishing.
    Type: DWORD
      • 1 - Allow user to override
      • 0 - Prevent user from overriding

  • Allow user to abort phishing scan: permit_cancel_scan
    Defines if the user can cancel the phishing scan before it is completed.
    Type: DWORD
      • 1 - Allow user to cancel
      • 0 - Prevent user from cancelling

  • Password Reuse Protection: password_reuse_mode
    Defines the password reuse protection mode.
    Type: DWORD
      • 0 - Off
      • 1 - Log only
      • 2 - Alert user and log
      • 3 - Alert user only

  • Protected Domains: protected_domains
    Passwords used in these domains will be learned and compared to passwords entered outside of the "protected domains".
    Type: Array of strings (see the example under this table).

Example of a *.reg script (Threat Emulation and Threat Extraction):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\bnbpncoilnpdbcbfcegbjocobjppndlh\policy]
"excluded_domains"="[ \"onesite.com\", \"secondsite.org\" ]"
"pdf"=dword:2c
"fdf"=dword:22c
"7z"=dword:28
"allowed_file_types"="[ \"txt\", \"log\" ]"
"blocked_file_types"="[ \"bat\", \"reg\" ]"
"fail_close"=dword:00000001
"server"="security.gateway.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist]
"1"="bnbpncoilnpdbcbfcegbjocobjppndlh;https://clients2.google.com/service/update2/crx"

In this example Chrome is forced to install the SandBlast Agent for Browsers with the following options:

  • No action is taken for files downloaded from onesite.com or secondsite.org (excluded_domains=...).
  • "Emulate and Extract" action with "Convert to PDF" for FDF files (fdf=22c).
  • "Emulate and Extract" action "according to global profile" for PDF files (pdf=2c).
  • "Emulate" action with "Hold till scan completes" for 7z files (7z=28).
  • "Emulate and Extract" action for all other files according to the default settings.
  • txt and log files are allowed (allowed_file_types=...).
  • bat and reg files are blocked (blocked_file_types=...).
  • Download is blocked in case of failure (fail_close=1).
  • SandBlast inspection is performed by security.gateway.com (server=security.gateway.com).

Example of a *.reg script (Zero Phishing):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\bnbpncoilnpdbcbfcegbjocobjppndlh\policy]
"protected_domains"="[ \"onesite.com\", \"secondsite.org\"]"
"identity_protection_enabled"=dword:1
"phishing_detection_mode"=dword:2
"password_reuse_mode"=dword:2
"permit_continue_anyway"=dword:1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist]
"1"="bnbpncoilnpdbcbfcegbjocobjppndlh;https://clients2.google.com/service/update2/crx"

In this example Chrome is forced to install the SandBlast Agent for Browsers with the following options:

  • Passwords are learned from onesite.com and secondsite.org (protected_domains=...).
  • Zero Phishing is enabled (identity_protection_enabled=1).
  • Phishing detection in Zero Phishing is "Prevent Access and Log" (phishing_detection_mode=2).
  • Password reuse protection is "Alert User and Log" (password_reuse_mode=2).
  • The user is allowed to dismiss the phishing alert and continue to access the site (permit_continue_anyway=1).
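As an added example that is not part of this article or of the product, the following Python script parses a GPO *.reg export of the kind shown in the two examples above and checks it against the value ranges in the tables: the ExtensionInstallForcelist entry, the "Array of strings" values (stored as JSON text), the DWORD enums, gateway/cloud consistency, fail_close and options_disabled. The checks, the merged sample input and the policy it encodes are constructed for this illustration; no defaults for absent values are assumed.

```python
import json
import re
EXT_ID = "bnbpncoilnpdbcbfcegbjocobjppndlh"
POLICY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\3rdparty"
              r"\extensions\bnbpncoilnpdbcbfcegbjocobjppndlh\policy")
FORCELIST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
# "Array of strings" values are JSON text in a REG_SZ; the DWORD enums are taken from the tables above
ARRAY_VALUES = {"excluded_domains", "allowed_file_types", "blocked_file_types", "protected_domains"}
ENUM_VALUES = {"use_te_cloud": {0, 1, 2}, "phishing_detection_mode": {0, 1, 2, 3},
               "password_reuse_mode": {0, 1, 2, 3}, "original_file_option": {0, 1, 2}}
_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<hex>[0-9a-fA-F]{1,8})|"(?P<str>.*)")$')

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: int | str}} (dword and string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            keys.setdefault((current := line[1:-1]), {})
            continue
        m = _VALUE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparseable line: {raw!r}")
        if m["hex"] is not None:
            keys[current][m["name"]] = int(m["hex"], 16)
        else:  # .reg escapes backslash and double quote with a backslash
            keys[current][m["name"]] = m["str"].replace('\\"', '"').replace("\\\\", "\\")
    return keys

def lint_policy(keys):
    """Return findings for an SBA for Browsers GPO export; an empty list means nothing to report."""
    findings, policy = [], keys.get(POLICY_KEY, {})
    if not any(str(v).startswith(EXT_ID + ";") for v in keys.get(FORCELIST_KEY, {}).values()):
        findings.append("ExtensionInstallForcelist does not force-install the extension")
    for name in sorted(ARRAY_VALUES & set(policy)):
        try:
            items = json.loads(policy[name])
            if not (isinstance(items, list) and all(isinstance(i, str) for i in items)):
                raise ValueError
        except (ValueError, TypeError):
            findings.append(f"{name} is not a JSON array of strings")
    for name, legal in ENUM_VALUES.items():
        if name in policy and policy[name] not in legal:
            findings.append(f"{name}={policy[name]} is not one of {sorted(legal)}")
    if policy.get("use_te_cloud") in (0, 2) and not policy.get("server"):
        findings.append("gateway mode selected but 'server' is not set")
    if policy.get("use_te_cloud") in (1, 2) and not policy.get("te_cloud_api_key"):
        findings.append("cloud mode selected but 'te_cloud_api_key' is not set")
    if policy.get("fail_close") != 1:
        findings.append("fail_close is not 1: downloads are allowed when inspection fails")
    if policy.get("options_disabled") != 1:
        findings.append("options_disabled is not 1: users can edit the policy locally")
    return findings

# Constructed sample: the article's .reg examples merged, with use_te_cloud=2 added and options_disabled omitted
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\bnbpncoilnpdbcbfcegbjocobjppndlh\policy]
"excluded_domains"="[ \"onesite.com\", \"secondsite.org\" ]"
"fail_close"=dword:00000001
"server"="security.gateway.com"
"use_te_cloud"=dword:2
"protected_domains"="[ \"onesite.com\", \"secondsite.org\"]"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist]
"1"="bnbpncoilnpdbcbfcegbjocobjppndlh;https://clients2.google.com/service/update2/crx"'''
```

Running lint_policy(parse_reg(SAMPLE_REG)) reports two findings: the cloud-fallback mode has no te_cloud_api_key, and options_disabled is missing so users may still change the policy locally.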

     

Known Limitations

  • MSI installation will fail if Internet Explorer (IE) 11 is not installed on the target machine.
  • Excluded Domains configuration will not work for blob downloads in Internet Explorer (IE).
  • Internet Explorer (IE) compatibility mode is not supported.
  • High security level for the Internet zone in IE is not supported.
  • Inspection in Incognito mode in Chrome can only be enabled by the user.
  • Inspection of file URLs in Chrome can only be enabled by the user.
  • Firefox add-on installation must be approved by the user.
  • Firefox add-on can be disabled by the user.
  • Firefox add-on is not updated on MSI update.
  • Downloads from one-time links are not inspected.
  • Downloaded files in Firefox are saved in a temp folder instead of the Downloads folder.
  • Enhanced Protected Mode is not supported on Internet Explorer (IE).
  • Documents that are supposed to be displayed in a web application are downloaded instead of being opened in the browser.
  • Changes to the SBA4B policy made through SmartEndpoint take effect up to 10 minutes after the policy is updated on the endpoint.

     


