SandBlast Agent Best Practice Configuration

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk154052
Technical Level
Product	SandBlast Agent
Version	R80.20, R80.30, E80.90, E80.92, E80.94, E80.96, E81, E80.97, E81.10, E81.20, E81.30, R80.40, E82, E83
Date Created	25-May-2019
Last Modified	14-Jun-2020

Solution

Refer to the following articles before you begin

Table of Contents:

Anti-Ransomware, Behavioral Guard and Forensics settings
Anti-Bot settings
SandBlast Agent Threat Extraction, Threat Emulation, Zero Phishing and Anti-Exploit settings
Anti-Malware settings
Exclusions

Step By Step Configuration

SandBlast Agent Best Practice configuration

The following section explains how to set the Best Practice configuration

Note that this is just the initial recommended configuration, and from this point any organization should tailor the solution to their needs in order to maximize the utilization

Anti-Ransomware, Behavioral Guard and Forensics settings

Policy Description	Policy profile configuration
Best Practice Action Profile = Triggers and automatic response Forensics Analysis = Always File Quarantine = High And Medium Machine Quarantine = Never Attack Remediation = High And Medium
Best Practice Action Profile = Monitoring and Exclusions Exclusions are set for the non_CP_AV certificate Maximum Forensics Database Size on Disk = 1GByte Note: It is recommended to monitor the forensics performance impact and to exclude trusted certificates and processes to reduce the load *Do not exclude the OS vendor certificate
Best Practice Action Profile = Attack Remediation Malicious files = Quarantine Suspicious files = Quarantine Unknown files = Quarantine Trusted files = Terminate
Best Practice Action Profile = File Quarantine No default exclusions Keep files in Quarantine for = 90 Days Quarantine folder name = %ProgramData%\CheckPoint\Endpoint Security\Remediation\Quarantine\ Copy quarantine files to a central location = Disabled Allow Users to delete items from quarantine = Enabled Allow users to restore items from quarantine = Disabled
Best Practice Action Profile = Anti Ransomware and Behavioral Guard Anti-Ransomware and Behavioral Guard = Enabled Exclusions are set for: C:\Windows\explorer.exe Check Point Software Technologies Ltd. Certificate Non_CP_AV certificate Backup settings: Anti-Ransomware Automatic Restore and Remediate = Enabled Restore to selected location = Disabled Anti-Ransomware Maximum Backup size on disk = 1025 Mbytes Backup time interval = 60 minutes Note: For Development areas it is recommended to exclude a specific folder that is used for development process once enabling Anti-Ransomware and Behavioral Guard It is recommended to set Behavioral Guard to prevent medium and High events and detect low Detailed information is at sk130012 - SandBlast Agent Behavioral Guard Advanced Configuration

Anti-Bot Settings

Policy Description	Policy profile configuration
Best Practice Action Profile = Blade Activation High Confidence = Prevent Medium Confidence = Prevent Low Confidence = Detect
Best Practice Action Profile = Detection Exclusions Allow detection exclusions for following trusted entities = Enabled Exclusions are set for: Protected domains Protected URLs
Best Practice Action Profile = General Settings Connection handling mode = Hold Hours to suppress logs for same bot protection = 1 Days to remove bot reporting after = 3 Note: Move to Hold mode gradually has it might have an impact on browsing time. It is recommeded to exclude protected domains and urls before moving to Hold mode

SandBlast Agent Threat Extraction, Threat Emulation, Zero Phishing and Anti-Exploit settings

Policy Description	Policy profile configuration
Best Practice Action Profile = Web Download Protection Stage 1: Files that can be extracted and emulated = Emulate and Suspend original file until emulation completes Files that can only be emulated = Emulate and Suspend original file until emulation completes When neither extraction nor emulation is supported (Other Files) = Allow Download Note: It is recommended to move to Best Practice with Threat Extraction in 2 stages Threat Extraction affects the user experience and needs to be communicated and educated before it is enabled Stage 2: Files that can be extracted and emulated = Extract and Suspend original file until emulation completes Files that can only be emulated = Emulate and Suspend original file until emulation completes When neither extraction nor emulation is supported (Other Files) = Allow Download	Stage 1 Stage 2
Best Practice Action Profile = Files System Monitor Enabled monitoring = Enabled Default action for files written to file system = Emulate
Best Practice Action Profile = Environment Settings Appliance Type = SandBlast Cloud Emulation Environments = Use Check Point Recommended emulation environments Upload to emulation files less than = 15 MBytes
Best Practice Action Profile = Inspected Domains and files Exclusions are set for: Protected Domains
Best Practice Action Profile = Zero Phishing settings Phishing protection = Prevent Access and Log Send log on each scanned site = Enabled Allow user to dismiss the phishing alert and continue to access the site = Disabled Allow user to abort phishing scans = Disabled Note: For Password reuse to work, please add the protected domains under the password reuse section
Best Practice Action Profile = Anti-Exploit Settings Enable Anti-Exploit = Enabled Terminate exploited application and log = Enabled Detect exploited application and log = Disabled Protected Applications = Default existing list
Best Practice Action Profile = Static File Analysis Settings Static File Analysis is activated and prevent malicious files

Anti-Malware configuration - use default settings

Exclusions

It is recommended to create exclusions before the first deployment - through the planning phase. Exclusions can also be created through the first deployment phase on the Test/POC group of assets.

During the learning mode phase notice the following for exclusions:

Internally trusted processes or certified applications that create FPs or load.
Do not exclude the OS (Microsoft/Apple) certificate
Internally trusted and protected domains

How to exclude?

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating