Other than that, this article applies to Check Point versions that are no longer supported. Kaspersky Lab components were removed from all versions delivered since 2018.
Check Point Security Gateway uses some 3rd party code in several features. One of the 3rd party vendors is Kaspersky Lab. Customers who wish to remove Kaspersky Lab components from the Security Gateway can use one of several options.
Table of Contents:
(1) Action plan for R80.10 (Clean Installation)
(2) Action plan for R80.10 with Jumbo Hotfix Accumulator and above (Remove only)
(3) Action plan for R77.30 and above (Disable & Remove)
(4) Action plan for R76SP.X on 60000 / 40000 Security Systems
(5) Action plan for 600 / 700 / 1100 / 1200R / 1400 Appliances
(6) How to disable Anti-Virus Deep Scan, Anti-Virus Archive Scanning, and Traditional Anti-Virus
(7) How to disable and remove Kaspersky Lab components when using Threat Emulation in Cloud mode
Note: This image contains a suitable replacement for the Kaspersky Lab Anti-Virus components. This replacement might, in some cases, miss files that were otherwise caught by Kaspersky Lab code and in some cases, prevent malicious files that were otherwise missed.
For customers who wish to use Anti-Virus Deep Scan / Anti-Virus Archive Scanning / Traditional Anti-Virus and for Security Gateway / VSX Gateway with enabled Threat Emulation blade:
Make sure to install the latest Threat Emulation engine. Or follow sk92509 to install the Basic Package (released on 26 Sep 2017 (version 6.9) or later).
For customers who use Endpoint Anti-Malware:
With Check Point R80.10 new image (Take 462), Endpoint Security Clients acquire their Anti-Malware signature updates directly from an external Check Point signature server or other external Anti-Malware signature resources, as allowed by your organization's Endpoint Anti-Malware policy.
If your organization wants to continue using the Kaspersky Lab signature updates from the Endpoint Management Server, contact Check Point Support for a Hotfix.
(2) For R80.10 with Jumbo Hotfix Accumulator and above (Remove only)
Follow these steps:
If Anti-Virus Deep Scan, Anti-Virus Archive Scanning, or Traditional Anti-Virus are enabled on your Security Gateway, then disable those features according to the summary table in section 6.
Remove the 3rd party components by installing a relevant CPUSE package.
Important Note: This procedure does not require a reboot or restart of Check Point services.
Notes:
This CPUSE package should be installed on all Gaia OS machines in your environment - Security Gateway / VSX Gateway / StandAlone / Management Server / Endpoint Security Management Server.
CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent. Otherwise, users should manually install the latest build of CPUSE Agent from sk92449.
Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on the Status and Actions.
On the toolbar, click on the Showing Recommended packages (near the help icon) and select All.
In the Hotfixes section, click on the Check Point <VERSION> Hotfix for sk118539 (Kaspersky Anti-Virus Removal) - click on the Install Update button on the toolbar.
Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on the Status and Actions.
In the upper right corner, click on the Import Package button.
In the Import Package window, click on the Browse... - select the downloaded CPUSE package - click on the Import.
On the toolbar, click on the Showing Recommended packages (near the help icon) and select All.
In the Minor Versions (HFAs) section, click on the Check Point <VERSION> Hotfix for sk118539 (Kaspersky Anti-Virus Removal) - click on the Install Update button on the toolbar.
Any Gaia machine including R77.30 VSX
Gaia Clish
Online installation
CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent. Otherwise, users should manually install the latest build of CPUSE Agent from sk92449.
Connect to the command line on Gaia OS.
Log in to Clish.
Acquire the lock over Gaia configuration database: lock database override
Download and Install the CPUSE package from Check Point Cloud:
On R77.30: installer download-and-install Check_Point_R77_30_KAV_Removal_Hotfix_sk118539_FULL.tgz
On R80.10: installer download-and-install Check_Point_R80_10_KAV_Removal_Hotfix_sk118539_FULL.tgz
Acquire the lock over Gaia configuration database: lock database override
Import the CPUSE package from the hard disk: installer import local <Full_Path>/<Package_File_Name>.TGZ
Note: When import completes, this package might be deleted from the original location.
Install the imported package: type installer install[press Space][press Tab] to show the imported packages, then run installer install <Package_Number>
Note: In the top section "Hotfixes", refer to "<Package_File_Name>".
Prevention will now be based on a suitable replacement for the removed Kaspersky Lab components.
Notes:
For customers who wish to use Anti-Virus Deep Scan / Anti-Virus Archive Scanning / Traditional Anti-Virus and for Security Gateway / VSX Gateway with enabled Threat Emulation blade:
Make sure to install the latest Threat Emulation engine. Or follow sk92509 to install the Basic Package (released on 26 Sep 2017 (version 6.9) or later).
(3) For R77.30 and above (Disable & Remove)
Follow these steps:
If Anti-Virus Deep Scan, Anti-Virus Archive Scanning, or Traditional Anti-Virus are enabled on your Security Gateway, then disable those features according to the summary table in section 6.
Remove the 3rd party components by installing a relevant CPUSE package.
Important Note: This procedure does not require a reboot or restart of Check Point services.
Notes:
This CPUSE package should be installed on all Gaia OS machines in your environment - Security Gateway / VSX Gateway / StandAlone / Management Server / Endpoint Security Management Server.
CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent. Otherwise, users should manually install the latest build of CPUSE Agent from sk92449.
Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on the Status and Actions.
On the toolbar, click on the Showing Recommended packages (near the help icon) and select All.
In the Hotfixes section, click on the Check Point <VERSION> Hotfix for sk118539 (Kaspersky Anti-Virus Removal) - click on the Install Update button on the toolbar.
Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on the Status and Actions.
In the upper right corner, click on the Import Package button.
In the Import Package window, click on the Browse... - select the downloaded CPUSE package - click on the Import.
On the toolbar, click on the Showing Recommended packages (near the help icon) and select All.
In the Minor Versions (HFAs) section, click on the Check Point <VERSION> Hotfix for sk118539 (Kaspersky Anti-Virus Removal) - click on the Install Update button on the toolbar.
Any Gaia machine including R77.30 VSX
Gaia Clish
Online installation
CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent. Otherwise, users should manually install the latest build of CPUSE Agent from sk92449.
Connect to the command line on Gaia OS.
Log in to Clish.
Acquire the lock over Gaia configuration database: lock database override
Download and Install the CPUSE package from Check Point Cloud:
On R77.30: installer download-and-install Check_Point_R77_30_KAV_Removal_Hotfix_sk118539_FULL.tgz
On R80.10: installer download-and-install Check_Point_R80_10_KAV_Removal_Hotfix_sk118539_FULL.tgz
Acquire the lock over Gaia configuration database: lock database override
Import the CPUSE package from the hard disk: installer import local <Full_Path>/<Package_File_Name>.TGZ
Note: When import completes, this package might be deleted from the original location.
Install the imported package: type installer install[press Space][press Tab] to show the imported packages, then run installer install <Package_Number>
Note: In the top section "Hotfixes", refer to "<Package_File_Name>".
Notes:
For Security Gateway / VSX Gateway with enabled Threat Emulation blade:
Make sure to install the latest Threat Emulation engine. Or follow sk92509 to install the Basic Package (released on 11 Sep 2017 or later).
(4) For R76SP.X on 60000 / 40000 Security Systems
If Anti-Virus Deep Scan, Anti-Virus Archive Scanning, or Traditional Anti-Virus are enabled on your 60000 / 40000 Security System, then disable those features according to the summary table in section 6.
Remove the 3rd party components on your 60000 / 40000 Security System from all SGMs using the following procedure in the Expert mode:
The Deep Inspection Scanning feature utilizes components from Kaspersky Labs.
Instructions for SmartConsole R80 (and above)
Instructions for SmartDashboard R77.30
Note: Deep Scan feature is disabled by default (Anti-Virus will search for fewer virus signatures inside files).
Follow these steps in SmartConsole R80 (and above):
In SmartConsole Navigation Toolbar, click on the SECURITY POLICIES.
In the upper left section, click on the Threat Prevention headline.
In the bottom left section, click on the Profiles.
Edit the profile that is assigned to the relevant Security Gateway / Cluster.
In the left tree, click on the Anti-Virus Settings.
In the File Types section, select one of the desired options:
Select the "Process file types known to contain malware" option.
Select the "Process all file types" option and clear the box "Enable deep inspection scanning (impacts performance)".
Select the "Process specific file type families" option.
Click on the "Configure..." button.
In the "Action" column, make sure that "Deep Scan" is not set for any of the file types.
Click on OK.
Install the Threat Prevention policy on this Security Gateway / Cluster.
Note: Deep Scan feature is disabled by default (Anti-Virus will search for fewer virus signatures inside files).
Follow these steps in SmartDashboard R77.30:
In SmartDashboard, go to the Threat Prevention tab.
In the left tree, click on the Profiles.
Edit the profile that is assigned to the relevant Security Gateway / Cluster.
In the left tree, click on the Anti-Virus Settings.
In the File Types section, select one of the desired options:
Select the "Process file types known to contain malware" option.
Select the "Process all file types" option and clear the box "Enable deep inspection scanning (impacts performance)".
Select the "Process specific file type families" option - click on the "Configure..." button - in the "Action" column, make sure that "Deep Scan" is not set for any of the file types.
Click on OK.
Install the Threat Prevention policy on this Security Gateway / Cluster.
Anti-Virus - Archive Scanning
The Archive Scanning feature utilizes components from Kaspersky Labs.
Instructions for SmartConsole R80 (and above)
Instructions for SmartDashboard R77.30
Note: The Archive Scanning feature is disabled by default.
Follow these steps in SmartConsole R80 (and above):
In SmartConsole Navigation Toolbar, click on the SECURITY POLICIES.
In the upper left section, click on the Threat Prevention headline.
In the bottom left section, click on the Profiles.
Edit the profile that is assigned to the relevant Security Gateway / Cluster.
In the left tree, click on the Anti-Virus Settings.
In the Archives section, clear the box "Enable Archive Scanning (impact performance)".
Click on OK.
Install the Threat Prevention policy on this Security Gateway / Cluster.
Note: The Archive Scanning feature is disabled by default.
Follow these steps in SmartDashboard R77.30:
In SmartDashboard, go to the Threat Prevention tab.
In the left tree, click on the Profiles.
Edit the profile that is assigned to the relevant Security Gateway / Cluster.
In the left tree, click on the Anti-Virus Settings.
In the Archives section, clear the box "Enable Archive Scanning (impact performance)".
Click on OK.
Install the Threat Prevention policy on this Security Gateway / Cluster.
Traditional Anti-Virus
The Traditional Anti-Virus feature utilizes components from Kaspersky Labs.
Instructions for SmartConsole R80 (and above)
Instructions for SmartDashboard R77.30
Follow these steps in SmartConsole R80 (and above):
Either disable the Proactive Mode.
In SmartConsole Navigation Toolbar, click on the MANAGE & SETTINGS.
In the upper left section, click on the Blades.
In the middle section, scroll to the bottom.
In the Anti-Spam & Mail section, click on the Configure in SmartDashboard... link.
In the Legacy SmartDashboard, go to the Anti-Spam & Mail tab.
In the left tree, expand the Traditional Anti-Virus.
Expand the Security Gateway.
Expand the Mail Protocols.
Disable the Proactive Mode for SMTP:
Click on the SMTP page - clear the box "Activate Proactive Detection (impacts performance)"
Disable the Scan POP3 traffic with Anti-Virus... for POP3:
Click on the POP3 page - clear the box "Scan POP3 traffic with Anti-Virus engine..."
Disable the Traditional Anti-Virus for FTP:
Click on the FTP page - move the slider to the leftmost position (it should show Off)
Disable the Proactive Mode for HTTP:
Click on the HTTP page - clear the box "Activate Proactive Detection (impacts performance)"
Go to the File menu - click on the Update.
Close the Legacy SmartDashboard.
In SmartConsole, install the Threat Prevention policy on this Security Gateway / Cluster.
Or use the Anti-Virus blade instead of the Traditional Anti-Virus.
Note: The Anti-Virus blade has different supported features than the Traditional Anti-Virus (refer to the Threat Prevention Administration Guide (R80, R80.10 / R80.10)).
Follow these steps in SmartDashboard R77.30:
Either disable the Proactive Mode.
In SmartDashboard, go to the Threat Prevention tab.
In the left tree, expand the Traditional Anti-Virus.
Expand the Security Gateway.
Expand the Mail Protocols.
Disable the Proactive Mode for SMTP:
Click on the SMTP page - clear the box "Activate Proactive Detection (impacts performance)"
Disable the Scan POP3 traffic with Anti-Virus... for POP3:
Click on the POP3 page - clear the box "Scan POP3 traffic with Anti-Virus engine..."
Disable the Traditional Anti-Virus for FTP:
Click on the FTP page - move the slider to the leftmost position (it should show Off)
Disable the Proactive Mode for HTTP:
Click on the HTTP page - clear the box "Activate Proactive Detection (impacts performance)"
Install the Threat Prevention policy on this Security Gateway / Cluster.
Or use the Anti-Virus blade instead of the Traditional Anti-Virus.
Added the note: If you are using the Threat Emulation Cloud mode, you must refer to section "(7) How to disable and remove Kaspersky Lab components when using Threat Emulation in Cloud mode"
Updated the instructions in this section (7)
18 Mar 2020
Added the "How to disable and remove Kaspersky Lab components when using Threat Emulation in Cloud mode" section
12 Jun 2018
CPUSE packages were replaced with fix for Endpoint Management server files deletion.
18 Jan 2018
Added section "For R80.10 with Jumbo Hotfix Accumulator and above (Remove only)"
Updated the "For R80.10 (Clean Installation)" section
21 Oct 2017
Added a link to Check Point statement and FAQ (www.checkpoint.com/kaspersky)
10 Oct 2017
"For versions R77.30 and above (Disable & Remove)" section - added CPUSE package that automatically runs the special shell script to remove the Kaspersky Labs components.
"For versions R77.30 and above (Disable & Remove)" section - added a note that running the special shell script to remove the Kaspersky Labs components does not require a reboot or restart of Check Point services.
02 Oct 2017
"For version R80.10 (Clean Installation)" section - "Limitations for this customized installation" subsection:
changed from "Traditional Anti-Virus is not supported yet" to "Traditional Anti-Virus compatible ISO image can be requested from Check Point Support"
changed from "Anti-Virus Deep Scan and Archive Scanning features are not supported yet in VSX mode" to "Anti-Virus Deep Scan and Archive Scanning features on VSX requires additional engine, which can be requested from Check Point Support"
01 Oct 2017
"For versions R77.30 and above (Disable & Remove)" section - replaced the current shell script with improved shell script that can be executed on a Security Management Server with enabled Endpoint Management.
17 Sep 2017
"R77.30 and above (Disable & Remove)" section - added a shell script for removing Kaspersky Labs code on Endpoint Security Management Server
Added "Related Solutions" section
16 Sep 2017
Added "Table of Contents"
"For version R80.10 (Clean Installation)" section - added a note that this ISO image is intended to be installed as Security Gateway (not Standalone or Security Management Server)
"R77.30 and above (Disable & Remove)" section - added a shell script for removing Kaspersky Labs code on Security Gateways and VSX Gateways
"R77.30 and above (Disable & Remove)" section - improved manual instructions for removing Kaspersky Labs code on Security Gateways and VSX Gateways
"R77.30 and above (Disable & Remove)" section - added instructions for removing Kaspersky Labs code on Security Management Server if Endpoint Management is enabled
Added section for "R76SP.X on 60000 / 40000 Security Systems"
"For version R80.10 (Clean Installation)" section - added a note that if Threat Emulation blade is enabled, then it is necessary to follow the removal instructions of KAV from Threat Emulation blade as provided in the summary table
"R77.30 and above (Disable & Remove)" section - added a note that an Offline Update for the Threat Emulation engine is also required
"R77.30 and above (Disable & Remove)" section - added a note that if Threat Emulation blade is enabled, then it is necessary to follow the removal instructions of KAV from Threat Emulation blade as provided in the summary table
12 Sep 2017
First public release of this article