SandBlast Agent for Browsers can be configured on the extension's options page. To open it, click the Check Point icon in the browser and press the options icon in the top right corner.
Here is an overview of the options page:
Enable/Disable SandBlast Protection for Web Downloads.
Configure policy for each collection of file types:
There are three collections:
Supported files (TE + TEX) - both Threat Emulation and Threat Extraction are supported.
Partially Supported Files (TE Only) - only Threat Emulation is supported.
Unsupported Files - files can be either allowed or blocked.
Configuration options:
Extraction Settings - there are 3 ways to set this option:
Use admin defined profile - The extraction settings follow the server's Threat Extraction profile. Note: Threat Extraction must be enabled in the Threat Prevention profile and in the Threat Prevention policy. Only the "Extraction method" and "File types" settings are taken from the admin profile.
Extract potentially malicious elements - In this option the file will keep its type, and potentially malicious elements will be removed.
Convert to PDF - File will be converted to PDF.
Emulation Setting - there are 2 ways to set this option:
In the background - The file will be downloaded to the user and emulated in the background.
Hold until scan completes - The file will not be downloaded until it is emulated.
General Settings - there are 2 ways to set this option:
Allow the files of the collection.
Block the files of the collection.
Use the Advanced settings in order to configure:
Policy for specific file types
Control the extracted elements when using "Extract potentially malicious elements".
More advanced settings
Enable/Disable Zero Phishing Protection. Use the Advanced settings in order to configure Phishing Prevention settings and Password Reuse settings.
Phishing Prevention
Phishing Protection defines the action taken upon phishing detection.
Send log on each scanned site - The extension will send a log for each scanned site (benign and malicious).
Allow user to dismiss the phishing alert and continue to access the site - The user will be able to bypass the phishing warning and continue to fill in the site's form.
Allow user to abort phishing scans - The user will be able to stop the ongoing site scan.
Password Reuse
Password Reuse Protection defines the action taken upon phishing detection.
Protected domains - Passwords used in these domains will be learned, and will be compared to passwords entered outside of the "protected domains".
Connected server describes the server that performs Threat Emulation and Threat Extraction. There are 3 options:
SandBlast Agent for Browsers will try to connect to the specified gateway. If there is no connectivity to the gateway, it will try to connect to Threat Cloud.
Excluded Domains - Downloads/Phishing scans from these domains will be excluded from SandBlast policy.
You can use Export Configuration in order to export the saved options.
When working with SBA, the Chrome extension is enabled by default, while the IE extension can be controlled through the GuiDBedit Tool as follows. Up to and including version 80.70, the IE extension is disabled by default and can be enabled by the following procedure:
1. Close all SmartConsole windows and open the GuiDBedit Tool.
2. Go to ep_orgp_te_policy_tbl.
3. In each line with the class name ep_orgp_te_web_downloads_protection_action, find the field browser_extensions_additional_data and add the value: ie_extension_disabled=false
4. Save the changes: go to the 'File' menu and click 'Save All'.
5. Open SmartEndpoint Console.
6. Make a small change in a SandBlast Agent Threat Emulation rule. This changes the policy version number and loads the changes from the GuiDBedit Tool.
7. Install policy in SmartEndpoint.
8. Update policy on the Endpoint.
From version 80.71, the IE extension is enabled by default, and can be disabled by following the below procedure:
1. Close all SmartConsole windows and open the GuiDBedit Tool.
2. Go to ep_orgp_te_policy_tbl.
3. In each line with the class name ep_orgp_te_web_downloads_protection_action, find the field browser_extensions_additional_data and add the value: ie_extension_disabled=true
Continue with the steps 4 - 8 from the above instructions.
Starting from version 80.81, the Firefox extension is supported in EA quality for Firefox browsers version 57 and up. The Firefox extension is disabled by default, and can be enabled by the following procedure:
In each line with the class name ep_orgp_te_web_downloads_protection_action, find the field browser_extensions_additional_data and add the value: firefox_extension_disabled=false
Continue with the steps 4 - 8 from the above instructions.
Note: Multiple values can be configured with the semicolon (;) symbol as the delimiter.
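
The semicolon-delimited field described above can be edited safely by parsing it first, so that adding one flag does not overwrite or duplicate another. The following is an added example, not Check Point code: the two flag names are taken from this page, while parse_additional_data and set_flag are hypothetical helper names and the input strings are constructed.

```python
# Added example: merge a flag into a browser_extensions_additional_data value.
# Flag names come from the page; the helper names are hypothetical.
KNOWN_FLAGS = {"ie_extension_disabled", "firefox_extension_disabled"}


def parse_additional_data(value):
    """Split 'k=v;k=v' into an ordered dict, rejecting malformed entries."""
    flags = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue  # tolerate an empty field and a trailing ';'
        key, sep, val = entry.partition("=")
        key, val = key.strip(), val.strip()
        if not sep or not key:
            raise ValueError(f"malformed entry: {entry!r}")
        if key in KNOWN_FLAGS:
            val = val.lower()
            if val not in ("true", "false"):
                raise ValueError(f"{key} must be true or false, got {val!r}")
        if key in flags and flags[key] != val:
            # Two different values for one flag: refuse to guess which wins.
            raise ValueError(f"conflicting values for {key}")
        flags[key] = val
    return flags


def set_flag(value, key, disabled):
    """Return the field value with one flag set, keeping every other entry."""
    if key not in KNOWN_FLAGS:
        raise ValueError(f"unknown flag: {key}")
    flags = parse_additional_data(value)
    flags[key] = "true" if disabled else "false"
    return ";".join(f"{k}={v}" for k, v in flags.items())


if __name__ == "__main__":
    current = "ie_extension_disabled=false"  # constructed sample value
    print(set_flag(current, "firefox_extension_disabled", False))
```
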
Controlling the SandBlast Agent for Browsers with GPO
When working with the Firefox browser, export the policy as a .json file (not a .reg file), save it with the name "manifest.json" and place it using GPO in the C:\Program Files (x86)\CheckPoint\SandBlast\ folder.
The changes will take effect after you restart Firefox.
It's recommended to use the SandBlast Agent for Browsers options to set the policy, and export the configuration into a registry file in order to deploy it in the organization.
To configure the SandBlast Agent for Browsers using GPO, add the following registry path:
The registry values control the SandBlast Agent for Browsers options. You can choose not to configure the SandBlast Agent for Browsers, in which case it will use the default values.
Controlling the SandBlast Agent for Chrome using GPO is possible only if the machine is a member of an AD domain.
Policy changes in the registry will apply within 10 minutes.
Below you can see the different configuration options and their values:
General Settings:
| Name | Variable | Description | Type and Values |
|---|---|---|---|
| Connected Server | use_te_cloud | Determines the type of server to work with | DWORD: 0 - Gateway or SandBlast Appliance (specified in server); 1 - Check Point Threat Cloud; 2 - Gateway with fallback to cloud |
| | te_cloud_api_key | Valid cloud API key, either product's CK or cloud evaluation key | STRING |
| | server | Defines the SandBlast Security Gateway which performs Threat Emulation and Threat Extraction and collects logs for Zero Phishing. This Security Gateway needs to be configured according to sk113599. | STRING: IP address of Security Gateway |
| | api_key | It's recommended to harden the access to the gateway by defining a shared secret between the extensions and the Security Gateway. api_key should be the same as the one defined on the Security Gateway under /opt/CPUserCheckPortal/phpincs/conf/TPAPI.ini | STRING |
| SandBlast Protection for Web Downloads | file_protection_enabled | Defines if SandBlast Protection for Web Downloads is active | DWORD: 1 - On; 0 - Off |
| Zero Phishing Protection | identity_protection_enabled | Defines if Zero Phishing Protection is active | DWORD: 1 - On; 0 - Off |
| Duration for overriding the GPO settings | override_user_settings_minutes | Defines the time (in minutes), during which the user can override the settings defined by the administrator using GPO | DWORD: 0 - The user does not have permission to override GPO settings; N - Time (in minutes), during which the user can override the GPO settings |
| Additional Settings | show_notifications | Determines if notifications should be shown. | DWORD: 1 - Enabled (show notifications); 0 - Disabled (do not show notifications) |
| | logs_enabled | Send logs to the Security Gateway regarding SandBlast Protection for Web Downloads and Zero Phishing Protection. The option needs to be enabled on the Security Gateway as well: logs_api_enabled needs to be set to TRUE under /opt/CPUserCheckPortal/phpincs/conf/TPAPI.ini | DWORD: 1 - Enabled (send logs); 0 - Disabled (do not send logs) |
| None (Only using GPO) | userid | Using GPO, it is possible to push the username. If not set, a randomly generated ID is sent (the field is shown in the Security Gateway logs). | STRING |
| | options_disabled | Blocks the user from editing the extension's options. | DWORD: 1 - Active (blocks editing); 0 - Inactive (allows editing) |
| | manual_scan_disabled | Determines if the user can see "Scan File" in the options page | DWORD: 1 - Disabled (User will not see "Scan File"); 0 - Enabled (User will see "Scan File") |
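
Before a policy is deployed, its values can be checked against the types and ranges in the table above, and the valid but weakening settings can be listed for review. This is an added example, not Check Point code: the variable names and ranges come from the General Settings table, while SPEC, WEAK, SAMPLE and audit_policy are names made up here. It assumes the policy has already been loaded into a dictionary keyed by variable name.

```python
# Added example: check GPO values against the General Settings table.
# Variable names and ranges come from that table; SPEC, WEAK and
# audit_policy are names made up here, and SAMPLE is constructed data.
SPEC = {  # DWORD variable -> allowed values (None = any minutes >= 0)
    "use_te_cloud": {0, 1, 2},
    "file_protection_enabled": {0, 1},
    "identity_protection_enabled": {0, 1},
    "override_user_settings_minutes": None,
    "show_notifications": {0, 1},
    "logs_enabled": {0, 1},
    "options_disabled": {0, 1},
    "manual_scan_disabled": {0, 1},
}
STRINGS = {"te_cloud_api_key", "server", "api_key", "userid"}
WEAK = {  # valid values that weaken enforcement or visibility
    ("file_protection_enabled", 0): "Web Downloads protection is off",
    ("identity_protection_enabled", 0): "Zero Phishing protection is off",
    ("logs_enabled", 0): "no logs are sent to the Security Gateway",
    ("options_disabled", 0): "users can edit the extension's options",
}
SAMPLE = {"use_te_cloud": 0, "server": "192.0.2.10", "api_key": "",
          "file_protection_enabled": 1, "logs_enabled": 0,
          "override_user_settings_minutes": 30, "options_disabled": 3}


def audit_policy(policy):
    """Return (errors, findings); variables not in the table are skipped."""
    errors, findings = [], []
    for name, value in policy.items():
        if name in STRINGS and not isinstance(value, str):
            errors.append(f"{name}: expected STRING")
        if name not in SPEC:
            continue
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            errors.append(f"{name}: expected DWORD")
        elif SPEC[name] is not None and value not in SPEC[name]:
            errors.append(f"{name}: {value} not in {sorted(SPEC[name])}")
        elif (name, value) in WEAK:
            findings.append(f"{name}={value}: {WEAK[(name, value)]}")
        elif name == "override_user_settings_minutes" and value > 0:
            findings.append(f"{name}={value}: users can override GPO settings")
    mode = policy.get("use_te_cloud")
    if mode == 0 and not policy.get("server"):
        errors.append("use_te_cloud=0 but server is empty")
    if mode in (0, 2) and not policy.get("api_key"):
        findings.append("api_key is empty: no shared secret with the gateway")
    return errors, findings
```

Calling audit_policy(SAMPLE) reports one out-of-range value as an error and three settings as findings: logging disabled, a 30-minute user override window, and a gateway connection with no shared secret.
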
SandBlast Protection for Web Downloads settings:
| Name | Variable | Description | Type and Values |
|---|---|---|---|
| SandBlast Protection for Web Downloads | file_protection_enabled | Defines if SandBlast Protection for Web Downloads is active | DWORD: 1 - On; 0 - Off |
| Excluded Domains | excluded_domains | SandBlast Protection for Web Downloads activities will not be performed on these trusted domains. | Array of strings (see the example under this table). |
| Action per file type | | It is possible to create a different action (Emulate and Extract, Extract, Emulate, Allow, Block) and policy (Global profile, Extract potentially malicious elements, Convert to PDF, In the background, Hold till scan completes) for each file type. It is recommended to use the extension's options to set the policy, and then use Export Configuration when using this option. | |
With SmartEndpoint, use the below recommended configuration for file handling:
When working with SBA4B standalone, use the below recommended configuration:
Known Limitations
| ID | Description |
|---|---|
| - | MSI Installation will fail if Internet Explorer (IE) 11 is not installed on the target machine |
| - | Excluded Domains configuration will not work for blob downloads in Internet Explorer (IE) |
| - | Internet Explorer (IE) compatibility mode is not supported |
| - | High security level for Internet zone in IE is not supported |
| - | Inspection in Incognito mode in Chrome / Edge can only be enabled by the user |
| - | Inspection of file URLs in Chrome can only be enabled by the user |
| - | Firefox add-on installation must be approved by the user |
| - | Firefox add-on can be disabled by the user |
| - | Downloads from one-time links are not inspected |
| - | Downloaded files in Firefox are saved in a temp folder instead of the downloads folder |
| - | Enhanced Protected Mode is not supported on Internet Explorer (IE) |
| - | Up to version 990.16.438 (SBA E80.71): Documents supposed to be displayed in a Web Application are downloaded instead of being opened in the browser. From version 990.45.001 (SBA E80.72): For non-excluded domains, documents supposed to be displayed in a Web Application are downloaded instead of being opened in the browser. |
| - | Changes to the SBA4B policy that are made through SmartEndpoint take effect up to 10 minutes after the policy is updated on the endpoint. |
| - | Up to version 990.47.004 (SBA E80.80): The SandBlast Agent extension supports Firefox browser versions up to 55 (no support for version 56 and up). Firefox ESR versions are supported up to version 52.3. It is recommended to disable Firefox automatic updates for customers who use the extension on Firefox. From version 990.49.008 (SBA E80.81): The SandBlast Agent extension supports Firefox version 57 and up only (Firefox browser version 56.0 is not supported). |
| AHTP-5651 | For Firefox Quantum browser extension: Opening a file by clicking on the notification of a finished download will only work for file types having a built-in preview in the browser, or those file types explicitly selected to be opened after download in the browser 'Applications' settings. |
| AHTP-5854 | Firefox Quantum browser must be restarted to apply browser extension deployment, browser extension version upgrade, and policy deployment. Firefox Quantum browser must be restarted twice to apply browser extension removal. |
| AHTP-5845 | In the Firefox Quantum browser, downloads that are initiated by a user and are intercepted by the SandBlast Agent for Browsers Extension are listed as "Failed" in the downloads history. |
| AHTP-6031 | Domains added to the Excluded Domains list are excluded from TE/TEX inspection and Zero-Phishing scanning. |
| - | Zero Phishing scanning will work only on English sites, or non-English sites with English field names in their HTML. |
| AHTP-11317 | After closing all Internet Explorer windows, Internet Explorer processes hosting the extension background page remain open. |
| AHTP-13205 | For Chrome and Internet Explorer browsers, Zero-Phishing cannot scan HTML files which are opened locally. |