The following section explains how to set the Best Practice configuration.
Note that this is only the initial recommended configuration; from this point, each organization should tailor the solution to its own needs to get the most out of it.
At the moment, more granular control is available through SmartEndpoint.
Step By Step - Web Console - SandBlast Agent Best Practice configuration
Additional URL categories should be enabled according to organizational and regulatory needs.
Add URLs to the Black list for specific use cases.
Exclude specific URLs if needed. Globally allowing users to dismiss the alert and access the website is not recommended.
Best Practice - Download protection
Stage 1 - Set to Prevent.
Choose to suspend the download until emulation completes.
Unsupported files - Allow download (fail open).
Best Practice - Download protection
Stage 2 - Choose to get an extracted copy before emulation completes.
Before enabling this, make sure users are educated that they receive a clean copy without any active content, and that if the file is not malicious they can retrieve the original from the SandBlast Agent browser extension.
Best Practice - Files protection
Set Anti-Malware Prevent to ON.
Set Files Threat Emulation Detect to ON.
Anti-Malware periodic scan: every month. Signature update interval: every 4 hours.
Periodic scans can run at shorter intervals, and users can be allowed to cancel the scan for up to one month.
Remember that SandBlast Agent includes real-time protection at runtime, so the Anti-Malware periodic scan can run at longer intervals to preserve user productivity.
Behavioral Protection
Best Practice - Anti-Bot
Set to Prevent.
Best Practice - Behavioral Guard & Anti-Ransomware
Set to Prevent.
Enable network share protection if recovery from file encryption on network shares is needed.
Best Practice - Anti-Exploit
Stage 1 - Set to Detect. Monitor for events that could interrupt applications before moving to Prevent.
Best Practice - Anti-Exploit
Stage 2 - Set to Prevent.
Move to Prevent once there is confidence that all applications work without interruption.
Changing the Anti-Exploit mode requires a reboot to reload all monitored applications and complete the mode change.
Analysis & Remediation
Best Practice - Automated attack analysis (Forensics)
Set Enable protection to ON.
Set Enable Threat Hunting to ON.
Best Practice - Remediation & Response
Set Attack remediation to ON.
It is recommended to terminate trusted processes for full attack chain remediation.
Set File quarantine to ON.
For critical locations or power users, it is possible to allow users to restore items from quarantine.
Step By Step - SmartEndpoint - SandBlast Agent Best Practice configuration
Table of Contents:
Anti-Ransomware, Behavioral Guard and Forensics settings
Anti-Bot settings
SandBlast Agent Threat Extraction, Threat Emulation, Zero Phishing and Anti-Exploit settings
Anti-Malware settings
Exclusions
Anti-Ransomware, Behavioral Guard and Forensics settings
Policy Description
Policy profile configuration
Best Practice
Action Profile = Triggers and automatic response
Forensics Analysis = Always
File Quarantine = High And Medium
Machine Quarantine = Never
Attack Remediation = High And Medium
Best Practice
Action Profile = Monitoring and Exclusions
Exclusions are set for the non_CP_AV certificate
Maximum Forensics Database Size on Disk = 1GByte
Note: It is recommended to monitor the Forensics performance impact and to exclude trusted certificates and processes to reduce the load.
*Do not exclude the OS vendor certificate.
Best Practice
Action Profile = Attack Remediation
Malicious files = Quarantine
Suspicious files = Quarantine
Unknown files = Quarantine
Trusted files = Terminate
Best Practice
Action Profile = File Quarantine
No default exclusions
Keep files in Quarantine for = 90 Days
Quarantine folder name = %ProgramData%\CheckPoint\Endpoint Security\Remediation\Quarantine\
Copy quarantine files to a central location = Disabled
Allow Users to delete items from quarantine = Enabled
Allow users to restore items from quarantine = Disabled
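As an added audit check (not Check Point code, and not part of the original page), the following PowerShell reads the quarantine folder named in this profile and reports how many items are older than the 90-day retention. It assumes the default folder location above, an elevated session permitted to read it, and treats the folder contents as opaque files, since the agent's on-disk format is not documented here.

```powershell
# Added audit example (not Check Point code). Assumptions: default quarantine folder from the
# File Quarantine action profile above, 90-day retention, elevated session able to read the folder.
$quarantine    = Join-Path $env:ProgramData 'CheckPoint\Endpoint Security\Remediation\Quarantine'
$retentionDays = 90                                  # "Keep files in Quarantine for = 90 Days"
$cutoff        = (Get-Date).AddDays(-$retentionDays)

if (-not (Test-Path -LiteralPath $quarantine)) {
    Write-Warning "Quarantine folder not found: $quarantine"
    return
}

# Folder contents are treated as opaque files; only timestamps and sizes are read.
$items = @(Get-ChildItem -LiteralPath $quarantine -Recurse -File -ErrorAction SilentlyContinue)
$stale = @($items | Where-Object { $_.LastWriteTime -lt $cutoff })
$bytes = 0
foreach ($f in $items) { $bytes += $f.Length }

[pscustomobject]@{
    QuarantineFolder   = $quarantine
    Items              = $items.Count
    SizeMB             = [math]::Round(($bytes / 1MB), 1)
    OlderThanRetention = $stale.Count
    OldestItem         = if ($items.Count) { ($items | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime } else { $null }
}

# A non-zero OlderThanRetention means retention is not being enforced on this host
# (for example, the agent is not running) and should be investigated.
```

Run it in an elevated session on a sample of endpoints after the retention period has elapsed; a growing folder with items past the cutoff is a sign that the profile did not reach the host or that the agent is not running.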
Best Practice
Action Profile = Anti Ransomware and Behavioral Guard
Anti-Ransomware and Behavioral Guard = Enabled
Exclusions are set for:
C:\Windows\explorer.exe
Check Point Software Technologies Ltd. Certificate
Non_CP_AV certificate
Backup settings:
Anti-Ransomware Automatic Restore and Remediate = Enabled
Restore to selected location = Disabled
Anti-Ransomware Maximum Backup size on disk = 1025 MBytes
Backup time interval = 60 minutes
Note: For development areas, once Anti-Ransomware and Behavioral Guard are enabled, it is recommended to exclude the specific folder used by the development process.
It is recommended to set Behavioral Guard to Prevent for Medium and High events and to Detect for Low events.
Anti-Bot settings
Allow detection exclusions for following trusted entities = Enabled
Exclusions are set for:
Protected domains
Protected URLs
Best Practice
Action Profile = General Settings
Connection handling mode = Hold
Hours to suppress logs for same bot protection = 1
Days to remove bot reporting after = 3
Note: Move to Hold mode gradually, as it might have an impact on browsing time.
It is recommended to exclude protected domains and URLs before moving to Hold mode.
SandBlast Agent Threat Extraction, Threat Emulation, Zero Phishing and Anti-Exploit settings
Policy Description
Policy profile configuration
Best Practice
Action Profile = Web Download Protection
Stage 1:
Files that can be extracted and emulated = Emulate and Suspend original file until emulation completes
Files that can only be emulated = Emulate and Suspend original file until emulation completes
When neither extraction nor emulation is supported (Other Files) = Allow Download
Note: It is recommended to move to the Best Practice with Threat Extraction in two stages. Threat Extraction affects the user experience and needs to be communicated and explained to users before it is enabled.
Stage 2:
Files that can be extracted and emulated = Extract and Suspend original file until emulation completes
Files that can only be emulated = Emulate and Suspend original file until emulation completes
When neither extraction nor emulation is supported (Other Files) = Allow Download
Default action for files written to file system = Emulate
Best Practice
Action Profile = Environment Settings
Appliance Type = SandBlast Cloud
Emulation Environments = Use Check Point Recommended emulation environments
Upload to emulation files less than = 15 MBytes
Best Practice
Action Profile = Inspected Domains and files
Exclusions are set for:
Protected Domains
Best Practice
Action Profile = Zero Phishing settings
Phishing protection = Prevent Access and Log
Send log on each scanned site = Enabled
Allow user to dismiss the phishing alert and continue to access the site = Disabled
Allow user to abort phishing scans = Disabled
Note: For password reuse protection to work, add the protected domains under the password reuse section.
Best Practice
Action Profile = Anti-Exploit Settings
Enable Anti-Exploit = Enabled
Terminate exploited application and log = Enabled
Detect exploited application and log = Disabled
Protected Applications = Default existing list
Best Practice
Action Profile = Static File Analysis Settings
Static File Analysis is activated and prevents malicious files.
Anti-Malware settings
Anti-Malware configuration - use the default settings.
Exclusions
It is recommended to create exclusions before the first deployment, during the planning phase. Exclusions can also be created during the first deployment phase on the Test/POC group of assets.
During the learning-mode phase, watch for the following exclusion candidates:
Internally trusted processes or certified applications that create false positives or load.
Do not exclude the OS (Microsoft/Apple) certificate.
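To support the learning-mode phase, the following PowerShell (an added example, not Check Point code) inventories the Authenticode signers of the processes running on a Windows endpoint, so that certificates which generate false positives or load can be identified as exclusion candidates while the OS vendor's signers are flagged as never-exclude. It assumes Windows PowerShell 5.1 or later and an account able to read the executables; the "do not exclude" signer list is an assumption covering Microsoft's OS signing certificates and should be reviewed for each environment.

```powershell
# Added example (not Check Point code): inventory the Authenticode signers of running processes
# to build a candidate list for certificate/process exclusions during the learning-mode phase.
# Assumptions: Windows endpoint, Windows PowerShell 5.1+, account able to read the executables
# (processes whose path is hidden from the session are skipped). The signer prefixes below are an
# assumption standing in for "the OS vendor certificate" named on this page.
$doNotExclude = @('CN=Microsoft Windows', 'CN=Microsoft Corporation')

$paths = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path } |
    Select-Object -ExpandProperty Path -Unique

$signers = foreach ($exe in $paths) {
    $sig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
    if ($null -eq $sig) { continue }
    [pscustomobject]@{
        Path    = $exe
        Status  = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
        Subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    }
}

$summary = $signers | Group-Object -Property Subject | ForEach-Object {
    $subject    = $_.Name
    $group      = $_.Group
    $isOsVendor = [bool]($doNotExclude | Where-Object { $subject -like "$_*" })
    [pscustomobject]@{
        Subject     = $subject
        Processes   = $group.Count
        ValidSigs   = @($group | Where-Object { $_.Status -eq 'Valid' }).Count
        Disposition = if ($subject -eq '<unsigned>') { 'unsigned: process-level exclusion only if internally trusted' }
                      elseif ($isOsVendor)            { 'DO NOT EXCLUDE (OS vendor certificate)' }
                      else                            { 'candidate for certificate exclusion if it caused FPs or load' }
    }
}

$summary | Sort-Object -Property Processes -Descending | Format-Table -AutoSize
```

Run it on the Test/POC group while Forensics and Behavioral Guard are in detect mode, and compare the signers with the highest process counts against the events they generate; only signers that actually produced false positives or measurable load need an exclusion, and rows marked DO NOT EXCLUDE stay out of the policy regardless of count.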
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.