Check Point SandBlast Agent for Browsers Technical Level
Solution

Table of Contents

  • Abstract
  • System Prerequisites
  • Controlling the SandBlast Agent for Browsers
  • Best Practices Configuration
  • Known Limitations

Abstract

Use the SandBlast Agent for Browsers:

  1. To prevent download of malicious files:
    1. Threat Emulation - Detect malicious behavior by running files within a secure virtual environment.
    2. Threat Extraction - Obtain immediate and safe access to documents by removing potentially malicious elements or converting the downloaded file to PDF.
    3. The user can download the original file once Threat Emulation completes.

  2. For phishing protection: Zero Phishing is an innovative Anti-Phishing product that protects corporate users and administrators from:
    1. Zero day phishing sites
    2. Password / identity theft

SandBlast Agent for Browsers can perform SandBlast Threat Emulation and SandBlast Threat Extraction on:

  • Check Point Threat Cloud
  • Security Gateway or TE Appliance running R77.30 with Jumbo Hotfix. Instructions are available at sk113599.

System Prerequisites

The following must be installed on the target machines before the deployment of the SandBlast Agent for Browsers MSI:

  1. Microsoft Visual C++ 2010 Redistributable x86
  2. .NET Framework 4.x
  3. Internet Explorer 11

 

Controlling the SandBlast Agent for Browsers


When working with SBA, the Chrome extension is enabled by default, while the IE extension can be controlled through the GuiDBedit Tool as follows:
Up to and including version 80.70, the IE extension is disabled by default and can be enabled with the following procedure:

  1. Close all SmartConsole windows and open the GuiDBedit Tool.

  2. Go to ep_orgp_te_policy_tbl

  3. In each line with the class name ep_orgp_te_web_downloads_protection_action, find the field browser_extensions_additional_data and add the value: ie_extension_disabled=false

  4. Save the changes: go to 'File' menu - click on 'Save All'.

  5. Open SmartEndpoint Console.

  6. Make a small change in a SandBlast Agent Threat Emulation rule, which will cause it to change policy version number and load changes from GuiDBedit Tool.

  7. Install policy in SmartEndpoint.

  8. Update policy on Endpoint

From version 80.71, the IE extension is enabled by default, and can be disabled by following the below procedure:

  1. Close all SmartConsole windows and open the GuiDBedit Tool.

  2. Go to ep_orgp_te_policy_tbl

  3. In each line with the class name ep_orgp_te_web_downloads_protection_action, find the field browser_extensions_additional_data and add the value: ie_extension_disabled=true

  4. Continue with the steps 4 - 8 from the above instructions.

 

Starting from version 80.81, the Firefox extension is supported in EA quality for Firefox browsers version 57 and up.
The Firefox extension is disabled by default, and can be enabled by the following procedure:
  1. Close all SmartConsole windows and open GuiDBedit Tool.

  2. Go to ep_orgp_te_policy_tbl

  3. In each line with the class name ep_orgp_te_web_downloads_protection_action, find the field browser_extensions_additional_data and add the value:
    firefox_extension_disabled=false

  4. Continue with the steps 4 - 8 from the above instructions. 

Note: Multiple values can be configured, using the semicolon (;) symbol as the delimiter.
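
The following audit helper is an added example, not Check Point code: it parses a browser_extensions_additional_data value and reports whether the IE and Firefox extensions end up enabled for a given client version, using the keys, delimiter and per-version defaults stated above. The function names, the tolerance for surrounding whitespace and the strict lowercase true/false check are assumptions of this example.

```python
# Added example: audit helper for the field value, not Check Point code.
KNOWN_FLAGS = ("ie_extension_disabled", "firefox_extension_disabled")

def parse_additional_data(value):
    """Split 'k1=v1;k2=v2' into a dict, validating the two flags from the article."""
    settings = {}
    for item in value.split(";"):
        item = item.strip()  # assumption: surrounding whitespace is ignored
        if not item:
            continue
        key, sep, val = item.partition("=")
        if not sep or not key:
            raise ValueError(f"not a key=value item: {item!r}")
        if key in settings:
            raise ValueError(f"duplicate key: {key!r}")
        if key in KNOWN_FLAGS:
            if val not in ("true", "false"):
                raise ValueError(f"{key} must be true or false, got {val!r}")
            val = (val == "true")
        settings[key] = val
    return settings

def version_tuple(version):
    """'80.71' or 'E80.71' -> (80, 71), so versions compare numerically."""
    return tuple(int(part) for part in version.lstrip("Ee").split("."))

def effective_extensions(value, client_version):
    """Return whether the IE and Firefox extensions end up enabled.

    Defaults follow the article: IE is disabled by default up to and
    including 80.70 and enabled by default from 80.71; the Firefox flag
    applies from 80.81, where the extension is disabled by default.
    """
    settings = parse_additional_data(value)
    version = version_tuple(client_version)
    ie_disabled = settings.get("ie_extension_disabled", version <= (80, 70))
    if version >= (80, 81):
        firefox = not settings.get("firefox_extension_disabled", True)
    else:
        firefox = None  # the article does not describe this flag before 80.81
    return {"ie": not ie_disabled, "firefox": firefox}

if __name__ == "__main__":
    # Constructed sample value combining both flags with the ';' delimiter.
    sample = "ie_extension_disabled=true;firefox_extension_disabled=false"
    for ver in ("80.70", "80.71", "80.81"):
        print(ver, effective_extensions(sample, ver))
```

Running it over the values exported from ep_orgp_te_policy_tbl shows which rules leave a browser without the extension before the policy is installed.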

 

Best Practices Configuration

With SmartEndpoint, use the recommended configuration below for file handling:


When working with SBA4B standalone, use the recommended configuration below:

 

Known Limitations

ID Description
- MSI Installation will fail if Internet Explorer (IE) 11 is not installed on the target machine
- Excluded Domains configuration will not work for blob downloads in Internet Explorer (IE)
- Internet Explorer (IE) compatibility mode is not supported
- High security level for Internet zone in IE is not supported
- Inspection in Incognito mode in Chrome can only be enabled by the user
- Inspection of file URLs in Chrome can only be enabled by the user
- Firefox add-on installation must be approved by the user 
- Firefox add-on can be disabled by the user
- Downloads from one-time links are not inspected 
- Downloaded files in Firefox are saved in a temp folder instead of the downloads folder
- Enhanced Protected Mode is not supported on Internet Explorer (IE)
- Up to version 990.16.438 (SBA E80.71): Documents that are supposed to be displayed in a Web Application are downloaded instead of being opened in the browser.
From version 990.45.001 (SBA E80.72): For non-excluded domains, documents that are supposed to be displayed in a Web Application are downloaded instead of being opened in the browser.
- Changes to the SBA4B policy that are made through SmartEndpoint take effect up to 10 minutes after the policy is updated on the endpoint.
- Up to version 990.47.004 (SBA E80.80): The SandBlast Agent extension supports Firefox browser versions up to 55 (no support for version 56 and up).
Firefox ESR versions supported up to version 52.3
It is recommended to disable Firefox automatic updates for customers who use the extension on Firefox.
From version 990.49.008 (SBA E80.81): The SandBlast Agent extension supports Firefox version 57 and up only (Firefox browser version 56.0 is not supported).
AHTP-5651 For Firefox Quantum browser extension: Opening a file by clicking on the notification of a finished download will only work for file types that have a built-in preview in the browser, or for file types explicitly selected to be opened after download in the browser 'Applications' settings.
AHTP-5854 Firefox Quantum browser must be restarted to apply browser extension deployment, browser extension version upgrade, and policy deployment. Firefox Quantum browser must be restarted twice to apply browser extension removal.
AHTP-5845 In the Firefox Quantum browser, downloads that are initiated by a user and are intercepted by the SandBlast Agent for Browsers Extension are listed as "Failed" in the downloads history.
AHTP-6031 Domains added to the excluded Domains list are excluded from TE/TEX inspection and Zero-Phishing scanning. 
- Zero Phishing scanning will work only on English sites, or on non-English sites with English field names in their HTML.
AHTP-11317 After closing all Internet Explorer windows, an Internet Explorer process hosting the extension background page remains open.
AHTP-13205 For Chrome and Internet Explorer browsers, Zero-Phishing cannot scan html files which are opened locally. 

 


