SandBlast Agent Learning Mode Configuration
Solution

Refer to the following articles before you begin


Step By Step - Web Console - SandBlast Agent Learning mode configuration

Table of contents:

  • Web & Files Protection
  • Behavioral Protection
  • Analysis & Remediation
Policy | Description | Policy configuration
Web & Files Protection
Learning mode - URL Filtering

Set to Detect
Enable all categories to learn about users' behavior without interrupting their work.


Learning mode - Download protection

Set to Detect

While in Detect mode, review possible false-positive detections and start adding exclusions for them.
Learning mode - Credential protection

Set to Prevent
Allow users to dismiss the phishing alert and access the website

It is recommended to add the organization's protected domains so that users exposing corporate credentials trigger an alert.
Learning mode - Files protection

Anti-Malware set to On
Anti-Malware has no Detect mode, and disabling it is not recommended.

If exclusions are needed, start by excluding sensitive and critical locations.

Files Threat Emulation set to On

Periodic scan every month; signature update interval of 4 hours

Allow users to cancel scan unless it has been more than 30 days since the last scan was performed



Behavioral Protection
Learning mode - Anti-Bot

Set to Detect
Learning mode - Behavioral Guard & Anti-Ransomware

Impactless focus: set to Detect

Learning mode - Behavioral Guard & Anti-Ransomware

Security focus: set to Prevent

Recommended for stopping ransomware attacks and restoring encrypted data.

Learning mode - Anti-Exploit

Set to Off

Anti-Exploit can be moved to Detect to gain visibility into possible exploit attempts and monitor them. Because it operates at the exploit level, inside the protected applications, it may interfere with users' applications and work.
Analysis & Remediation
Learning mode - Automated attack analysis (forensics)

Enable protection set to ON
Enable Threat Hunting set to ON
Learning mode - Remediation & Response

Attack remediation set to OFF

File quarantine set to OFF


Step By Step - Smart Endpoint - SandBlast Agent Learning mode configuration

Table of Contents:

  • Anti-Ransomware, Behavioral Guard and Forensics settings
  • Anti-Bot settings
  • SandBlast Agent Threat Extraction, Threat Emulation, Zero Phishing and Anti-Exploit settings
  • Anti-Malware settings
  • Exclusions


The following section explains how to set the Learning mode configuration

  • Some Action profiles have two modes of operation: one with a focus on security and one with a focus on an impactless policy configuration (minimal disruption to users).

Anti-Ransomware, Behavioral Guard and Forensics settings

Policy | Description | Policy profile configuration

Learning mode - Security focus

Action Profile = Triggers and automatic response

Forensics Analysis = Always

File Quarantine = High

Machine Quarantine = Never

Attack Remediation = High

Learning mode - Impactless focus

Action Profile = Triggers and automatic response

Forensics Analysis = Always

File Quarantine = Never

Machine Quarantine = Never

Attack Remediation = Never

Learning mode

Action Profile = Monitoring and Exclusions

Exclusions are set for the Non_CP_AV certificate

Maximum Forensics Database Size on Disk = 1 GByte
Learning mode - Security focus

Action Profile = Attack Remediation

Malicious files = Quarantine

Suspicious files = None

Unknown files = None

Trusted files = Ignore

Learning mode - Impactless focus

Action Profile = Attack Remediation

Malicious files = None

Suspicious files = None

Unknown files = None

Trusted files = Ignore
Learning mode

Action Profile = File Quarantine

No default exclusions

Keep files in Quarantine for = 90 Days

Quarantine folder name = %ProgramData%\CheckPoint\Endpoint Security\Remediation\Quarantine\

Copy quarantine files to a central location = Disabled

Allow Users to delete items from quarantine = Enabled

Allow users to restore items from quarantine = Enabled

Learning mode - Security focus

Action Profile = Anti Ransomware and Behavioral Guard

Anti-Ransomware and Behavioral Guard = Enabled

Exclusions are set for:

  • C:\Windows\explorer.exe
  • Check Point Software Technologies Ltd. Certificate
  • Non_CP_AV certificate

Backup settings:

Anti-Ransomware Automatic Restore and Remediate = Enabled

Restore to selected location = Disabled

Anti-Ransomware Maximum Backup size on disk = 1025 MBytes

Backup time interval = 60 minutes

Note: for development areas, it is recommended to exclude the specific folder used for development processes.
Learning mode - Impactless focus

Action Profile = Anti Ransomware and Behavioral Guard

Anti-Ransomware and Behavioral Guard = Enabled

Exclusions are set for:

  • C:\Windows\explorer.exe
  • Check Point Software Technologies Ltd. Certificate
  • Non_CP_AV certificate

Backup settings:

Anti-Ransomware Automatic Restore and Remediate = Disabled

Restore to selected location = Disabled

Anti-Ransomware Maximum Backup size on disk = 1025 MBytes

Backup time interval = 60 minutes

Note: for development areas, it is recommended to exclude the specific folder used for development processes.

Anti-Bot Settings

Policy | Description | Policy profile configuration

Learning mode - Security focus

Action Profile = Blade Activation

High Confidence = Prevent

Medium Confidence = Detect

Low Confidence = Detect
Learning mode - Impactless focus

Action Profile = Blade Activation

High Confidence = Detect

Medium Confidence = Detect

Low Confidence = Inactive

Learning mode

Action Profile = Detection Exclusions

Allow detection exclusions for following trusted entities = Enabled

Exclusions are set for:

  • Protected domains
  • Protected URLs

Learning mode

Action Profile = General Settings

Connection handling mode = Background

Hours to suppress logs for same bot protection = 1

Days to remove bot reporting after = 3

SandBlast Agent Threat Extraction, Threat Emulation, Zero Phishing and Anti-Exploit settings

Policy | Description | Policy profile configuration

Learning mode

Action Profile = Web Download Protection

Files that can be extracted and emulated = Emulate original file without suspending access

Files that can only be emulated = Emulate original file without suspending access

When neither extraction nor emulation is supported (Other Files) = Allow Download
Learning mode

Action Profile = File System Monitor

Enable monitoring = Enabled

Default action for files written to file system = Emulate

Learning mode

Action Profile = Environment Settings

Appliance Type = SandBlast Cloud

Emulation Environments = Use Check Point Recommended emulation environments

Upload to emulation files less than = 15 MBytes
Learning mode

Action Profile = Inspected Domains and files

Exclusions are set for:

  • Protected Domains

Learning mode

Action Profile = Zero Phishing settings

Phishing protection = Prevent Access and Log

Send log on each scanned site = Enabled

Allow user to dismiss the phishing alert and continue to access the site = Enabled

Allow user to abort phishing scans = Disabled

Note: for password reuse protection to work, add the protected domains under the Password Reuse section.

Learning mode - Security focus

Action Profile = Anti-Exploit Settings

Enable Anti-Exploit = Enabled

Detect exploited application and log = Enabled

Do not notify user = Enabled

Protected Applications = Default existing list

Learning mode - Impactless focus

Action Profile = Anti-Exploit Settings

Enable Anti-Exploit = Disabled

Learning mode

Action Profile = Static File Analysis Settings

Static File Analysis is activated in Detect mode and logs file inspections.

Anti-Malware configuration - use default settings

Anti-Malware has no learning-mode configuration; it is either on or off. It is therefore strongly recommended to keep it active and to exclude file and folder locations according to the findings from the Test/POC group.

Exclusions

It is recommended to create exclusions before the first deployment, during the planning phase. Exclusions can also be created during the first deployment phase on the Test/POC group of assets.

During the learning mode phase, note the following for exclusions:

  1. Internally trusted processes or certified applications that create false positives or load.
  2. Do not exclude the OS (Microsoft/Apple) certificate.
  3. Internally trusted and protected domains.
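As an added example (not from this article or from Check Point), the following Python script lints a proposed exclusion list against the three points above before it is entered into the policy: it rejects OS vendor certificates, flags domains outside the organization, and requires a documented false-positive or load reason for every entry. The entry shape, the internal domain list and the "too broad path" rule are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Point 2 of the article: the OS vendor certificate is never excluded.
OS_VENDOR_SIGNERS = ("microsoft", "apple")
# Assumed: the organization's own domains (point 3, internally trusted domains).
INTERNAL_DOMAINS = ("corp.example.com",)
# Assumed rule, not from the article: a drive root or the Windows folder is too broad.
BROAD_PATH = re.compile(r"[a-z]:|[a-z]:\\windows")
WIN_PATH = re.compile(r'^[a-z]:\\[^<>"|?*]+$', re.I)
HOSTNAME = re.compile(r"^(?!-)[a-z0-9-]{1,63}(\.[a-z0-9-]{1,63})+$", re.I)

@dataclass
class Exclusion:
    kind: str         # "path", "certificate" or "domain" (assumed entry shape)
    value: str
    reason: str = ""  # point 1: the false positive or load this entry addresses

def lint_exclusion(ex: Exclusion) -> list:
    """Return findings for one entry; an empty list means it may enter the policy."""
    findings = []
    if ex.kind == "certificate":
        if any(s in ex.value.lower() for s in OS_VENDOR_SIGNERS):
            findings.append("OS vendor certificate must not be excluded")
    elif ex.kind == "path":
        if BROAD_PATH.fullmatch(ex.value.rstrip("\\").lower()):
            findings.append("exclusion is too broad (drive root or Windows folder)")
        elif not WIN_PATH.match(ex.value):
            findings.append("not an absolute Windows path")
    elif ex.kind == "domain":
        host = ex.value.lower()
        if not HOSTNAME.match(host):
            findings.append("not a valid hostname")
        elif not any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS):
            findings.append("domain is not internally trusted")
    else:
        findings.append(f"unknown exclusion kind {ex.kind!r}")
    if not ex.reason.strip():
        findings.append("no documented reason (false positive or load)")
    return findings

def lint_exclusions(entries) -> dict:
    """Map each failing entry's value to its findings; passing entries are omitted."""
    return {ex.value: f for ex in entries if (f := lint_exclusion(ex))}

# Constructed sample: the article's default exclusions plus proposals to check.
SAMPLE = [
    Exclusion("path", r"C:\Windows\explorer.exe", "default exclusion"),
    Exclusion("certificate", "Check Point Software Technologies Ltd.", "default exclusion"),
    Exclusion("certificate", "Microsoft Windows (sample OS certificate)", "reduce load"),
    Exclusion("path", "C:\\", "developer request"),
    Exclusion("path", r"C:\Dev\build", "build tooling triggers Behavioral Guard false positives"),
    Exclusion("domain", "intranet.corp.example.com", "internal portal"),
    Exclusion("domain", "example.org"),
]

if __name__ == "__main__":
    for value, findings in lint_exclusions(SAMPLE).items():
        print(value, "->", "; ".join(findings))
```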

How to exclude? 
