SandBlast Agent Best Practice Configuration
Solution

Refer to the following articles before you begin

SandBlast Agent Best Practice configuration

The following section explains how to set the Best Practice configuration:
  • This is only the initial recommended configuration; from this point each organization should tailor the solution to its own needs to get the most out of it.
  • At the moment, more granular control is available through SmartEndpoint.

Step By Step - Web Console - SandBlast Agent Best Practice configuration

Table of contents:

  • Web & Files Protection
  • Behavioral Protection
  • Analysis & Remediation
Web & Files Protection

Best Practice - URL Filtering
  • Set to Prevent
  • Check Security
  • Check Legal Liability/Regulatory compliance
  • Additional categories should be enabled according to organizational and regulatory needs
  • Add URLs to the Black list for specific use cases
  • Exclude specific URLs if needed
  • Globally allowing users to dismiss the alert and access the website is generally not recommended
Best Practice - Download protection, Stage 1
  • Set to Prevent
  • Choose to suspend until emulation completes
  • Unsupported files - Allow download (Fail Open)

Best Practice - Download protection, Stage 2
  • Choose to get an extracted copy before emulation completes
  • Before enabling this, make sure users are educated: they receive a clean copy without any active content, and if the file is not malicious they can retrieve the original from the SandBlast Agent browser extension
Best Practice - Files protection
  • Set Anti-Malware Prevent to ON
  • Set Files Threat Emulation Detect to ON
  • Anti-Malware periodic scan every month; signature update interval every 4 hours
  • Periodic scans can run at a shorter interval, and users can be allowed to cancel the scan for up to one month
  • Remember that SandBlast Agent includes real-time protection during runtime, so the Anti-Malware periodic scan can run at longer intervals to support user productivity
Behavioral Protection

Best Practice - Anti-Bot
  • Set to Prevent

Best Practice - Behavioral Guard & Anti-Ransomware
  • Set to Prevent
  • Enable network share protection if you need to recover from file encryption when network shares are used
Best Practice - Anti-Exploit, Stage 1
  • Set to Detect
  • Monitor for events that can cause application interruptions before moving to Prevent

Best Practice - Anti-Exploit, Stage 2
  • Set to Prevent once you are confident that all applications work without interruptions
  • Changing the Anti-Exploit mode requires a reboot to reload all monitored applications and complete the mode change
Analysis & Remediation

Best Practice - Automated attack analysis (Forensics)
  • Set Enable protection to ON
  • Set Enable Threat Hunting to ON

Best Practice - Remediation & Response
  • Set Attack remediation to ON
  • It is recommended to Terminate trusted processes for full attack chain remediation
  • Set File quarantine to ON
  • For critical locations or power users it is possible to allow users to restore items from quarantine

Step By Step - Smart Event - SandBlast Agent Best Practice configuration


Table of Contents:
  • Anti-Ransomware, Behavioral Guard and Forensics settings
  • Anti-Bot settings
  • SandBlast Agent Threat Extraction, Threat Emulation, Zero Phishing and Anti-Exploit settings
  • Anti-Malware settings
  • Exclusions

Anti-Ransomware, Behavioral Guard and Forensics settings

Best Practice - Action Profile = Triggers and automatic response
  • Forensics Analysis = Always
  • File Quarantine = High And Medium
  • Machine Quarantine = Never
  • Attack Remediation = High And Medium

Best Practice - Action Profile = Monitoring and Exclusions
  • Exclusions are set for the non_CP_AV certificate
  • Maximum Forensics Database Size on Disk = 1GByte

Note: It is recommended to monitor the forensics performance impact and to exclude trusted certificates and processes to reduce the load. Do not exclude the OS vendor certificate.

Best Practice - Action Profile = Attack Remediation
  • Malicious files = Quarantine
  • Suspicious files = Quarantine
  • Unknown files = Quarantine
  • Trusted files = Terminate

Best Practice - Action Profile = File Quarantine
  • No default exclusions
  • Keep files in Quarantine for = 90 Days
  • Quarantine folder name = %ProgramData%\CheckPoint\Endpoint Security\Remediation\Quarantine\
  • Copy quarantine files to a central location = Disabled
  • Allow users to delete items from quarantine = Enabled
  • Allow users to restore items from quarantine = Disabled

Best Practice - Action Profile = Anti Ransomware and Behavioral Guard
  • Anti-Ransomware and Behavioral Guard = Enabled

Exclusions are set for:
  • C:\Windows\explorer.exe
  • Check Point Software Technologies Ltd. Certificate
  • Non_CP_AV certificate

Backup settings:
  • Anti-Ransomware Automatic Restore and Remediate = Enabled
  • Restore to selected location = Disabled
  • Anti-Ransomware Maximum Backup size on disk = 1025 Mbytes
  • Backup time interval = 60 minutes

Note: In development areas, once Anti-Ransomware and Behavioral Guard are enabled, it is recommended to exclude the specific folder used by the development process.

It is recommended to set Behavioral Guard to Prevent Medium and High events and to Detect Low events.

Detailed information is in sk130012 - SandBlast Agent Behavioral Guard Advanced Configuration.

 

Anti-Bot Settings

Best Practice - Action Profile = Blade Activation
  • High Confidence = Prevent
  • Medium Confidence = Prevent
  • Low Confidence = Detect

Best Practice - Action Profile = Detection Exclusions
  • Allow detection exclusions for following trusted entities = Enabled

Exclusions are set for:
  • Protected domains
  • Protected URLs

Best Practice - Action Profile = General Settings
  • Connection handling mode = Hold
  • Hours to suppress logs for same bot protection = 1
  • Days to remove bot reporting after = 3

Note: Move to Hold mode gradually, as it might have an impact on browsing time. It is recommended to exclude protected domains and URLs before moving to Hold mode.

 

SandBlast Agent Threat Extraction, Threat Emulation, Zero Phishing and Anti-Exploit settings

Best Practice - Action Profile = Web Download Protection

Stage 1:
  • Files that can be extracted and emulated = Emulate and Suspend original file until emulation completes
  • Files that can only be emulated = Emulate and Suspend original file until emulation completes
  • When neither extraction nor emulation is supported (Other Files) = Allow Download

Note: It is recommended to move to the Best Practice with Threat Extraction in 2 stages. Threat Extraction affects the user experience and needs to be communicated and explained to users before it is enabled.

Stage 2:
  • Files that can be extracted and emulated = Extract and Suspend original file until emulation completes
  • Files that can only be emulated = Emulate and Suspend original file until emulation completes
  • When neither extraction nor emulation is supported (Other Files) = Allow Download

[Screenshots: Stage 1 and Stage 2 profile configuration]


Best Practice - Action Profile = Files System Monitor
  • Enabled monitoring = Enabled
  • Default action for files written to file system = Emulate

Best Practice - Action Profile = Environment Settings
  • Appliance Type = SandBlast Cloud
  • Emulation Environments = Use Check Point Recommended emulation environments
  • Upload to emulation files less than = 15 MBytes

Best Practice - Action Profile = Inspected Domains and files

Exclusions are set for:
  • Protected Domains

Best Practice - Action Profile = Zero Phishing settings
  • Phishing protection = Prevent Access and Log
  • Send log on each scanned site = Enabled
  • Allow user to dismiss the phishing alert and continue to access the site = Disabled
  • Allow user to abort phishing scans = Disabled

Note: For Password Reuse protection to work, add the protected domains under the Password Reuse section.

Best Practice - Action Profile = Anti-Exploit Settings
  • Enable Anti-Exploit = Enabled
  • Terminate exploited application and log = Enabled
  • Detect exploited application and log = Disabled
  • Protected Applications = Default existing list

Best Practice - Action Profile = Static File Analysis Settings
  • Static File Analysis is activated and prevents malicious files

 

Anti-Malware settings

Use the default settings.

 

Exclusions

It is recommended to create exclusions before the first deployment, during the planning phase. Exclusions can also be created during the first deployment phase on the Test/POC group of assets.

During the learning mode phase, pay attention to the following when deciding on exclusions:

  1. Internally trusted processes or certified applications that create false positives or load.
  2. Do not exclude the OS (Microsoft/Apple) certificate.
  3. Internally trusted and protected domains.

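The exclusion rules in this article (trusted processes, certificates and domains may be excluded; the OS vendor certificate never is) can be applied as a review step over the list collected during learning mode. The following is an added example, not Check Point code; the vendor substrings, the entry types and the sample plan are assumptions constructed for illustration, while the recommended entries are the ones the Anti-Ransomware and Behavioral Guard profile above lists.

```python
from dataclasses import dataclass

# Substrings that identify an OS vendor certificate (assumed, for illustration).
OS_VENDOR_CERT_MARKERS = ("microsoft", "apple")
# Exclusions the article lists in the Anti-Ransomware and Behavioral Guard profile.
RECOMMENDED_EXCLUSIONS = {
    ("process", r"C:\Windows\explorer.exe"),
    ("certificate", "Check Point Software Technologies Ltd."),
    ("certificate", "Non_CP_AV"),
}
# Exclusion types the article names: trusted processes, certificates, domains.
KNOWN_KINDS = ("process", "certificate", "domain")

@dataclass(frozen=True)
class Exclusion:
    kind: str    # "process", "certificate" or "domain"
    value: str   # path, certificate subject or domain name
    reason: str  # why it was requested during learning mode (FP, load, ...)

def review_exclusion(item: Exclusion) -> tuple:
    """Return (verdict, note); verdict is 'reject', 'recommended' or 'review'."""
    name = item.value.lower()
    if item.kind == "certificate" and any(m in name for m in OS_VENDOR_CERT_MARKERS):
        return "reject", "OS vendor certificate must never be excluded"
    if item.kind not in KNOWN_KINDS:
        return "reject", "not a trusted process, certificate or domain"
    if (item.kind, item.value) in RECOMMENDED_EXCLUSIONS:
        return "recommended", "listed in the best-practice profile"
    if not item.reason.strip():
        return "review", "no documented FP or load reason from learning mode"
    return "review", "internally trusted entity; confirm before deployment"

def review_plan(items) -> dict:
    """Group a whole exclusion plan by verdict so rejected entries stand out."""
    verdicts = {"reject": [], "recommended": [], "review": []}
    for item in items:
        verdicts[review_exclusion(item)[0]].append(item.value)
    return verdicts

# Constructed sample plan, as it might come out of a learning-mode phase.
SAMPLE_PLAN = [
    Exclusion("certificate", "Microsoft Windows", "Windows binaries raise Behavioral Guard events"),
    Exclusion("process", r"C:\Windows\explorer.exe", "baseline from the article"),
    Exclusion("certificate", "Non_CP_AV", "third-party AV coexistence"),
    Exclusion("process", r"C:\Dev\build\compiler.exe", "development folder, FP on file writes"),
    Exclusion("domain", "intranet.example.test", "internally trusted and protected domain"),
]

if __name__ == "__main__":
    print(review_plan(SAMPLE_PLAN))
```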
How to exclude? 

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
