SandBlast Agent Best Practice Configuration
Solution

Refer to the following articles before you begin

 

Table of Contents:

  • Anti-Ransomware, Behavioral Guard and Forensics settings
  • Anti-Bot settings
  • SandBlast Agent Threat Extraction, Threat Emulation, Zero Phishing and Anti-Exploit settings
  • Anti-Malware settings
  • Exclusions

 

Step By Step Configuration

SandBlast Agent Best Practice configuration

The following section explains how to set the Best Practice configuration

  • Note that this is only the initial recommended configuration. From this point, every organization should tailor the solution to its own needs in order to get the most out of it.

Anti-Ransomware, Behavioral Guard and Forensics settings

Policy: Best Practice
Description: Action Profile = Triggers and automatic response
Policy profile configuration:

  • Forensics Analysis = Always
  • File Quarantine = High And Medium
  • Machine Quarantine = Never
  • Attack Remediation = High And Medium

 

Policy: Best Practice
Description: Action Profile = Monitoring and Exclusions
Policy profile configuration:

  • Exclusions are set for the non_CP_AV certificate
  • Maximum Forensics Database Size on Disk = 1 GByte

Note: It is recommended to monitor the Forensics performance impact and to exclude trusted certificates and processes to reduce the load. Do not exclude the OS vendor certificate.

Policy: Best Practice
Description: Action Profile = Attack Remediation
Policy profile configuration:

  • Malicious files = Quarantine
  • Suspicious files = Quarantine
  • Unknown files = Quarantine
  • Trusted files = Terminate

Policy: Best Practice
Description: Action Profile = File Quarantine
Policy profile configuration:

  • No default exclusions
  • Keep files in Quarantine for = 90 Days
  • Quarantine folder name = %ProgramData%\CheckPoint\Endpoint Security\Remediation\Quarantine\
  • Copy quarantine files to a central location = Disabled
  • Allow users to delete items from quarantine = Enabled
  • Allow users to restore items from quarantine = Disabled

Policy: Best Practice
Description: Action Profile = Anti-Ransomware and Behavioral Guard
Policy profile configuration:

  • Anti-Ransomware and Behavioral Guard = Enabled

Exclusions are set for:

  • C:\Windows\explorer.exe
  • Check Point Software Technologies Ltd. Certificate
  • Non_CP_AV certificate

Backup settings:

  • Anti-Ransomware Automatic Restore and Remediate = Enabled
  • Restore to selected location = Disabled
  • Anti-Ransomware Maximum Backup size on disk = 1025 MBytes
  • Backup time interval = 60 minutes

Note: For development environments, it is recommended to exclude the specific folder used by the development process once Anti-Ransomware and Behavioral Guard are enabled.

It is recommended to set Behavioral Guard to prevent Medium and High events and to detect Low events.

Detailed information is in sk130012 - SandBlast Agent Behavioral Guard Advanced Configuration.

 

Anti-Bot Settings

Policy: Best Practice
Description: Action Profile = Blade Activation
Policy profile configuration:

  • High Confidence = Prevent
  • Medium Confidence = Prevent
  • Low Confidence = Detect

Policy: Best Practice
Description: Action Profile = Detection Exclusions
Policy profile configuration:

  • Allow detection exclusions for the following trusted entities = Enabled

Exclusions are set for:

  • Protected domains
  • Protected URLs

Policy: Best Practice
Description: Action Profile = General Settings
Policy profile configuration:

  • Connection handling mode = Hold
  • Hours to suppress logs for same bot protection = 1
  • Days to remove bot reporting after = 3

Note: Move to Hold mode gradually, as it might have an impact on browsing time. It is recommended to exclude protected domains and URLs before moving to Hold mode.

 

SandBlast Agent Threat Extraction, Threat Emulation, Zero Phishing and Anti-Exploit settings

Policy: Best Practice
Description: Action Profile = Web Download Protection
Policy profile configuration:

Stage 1:

  • Files that can be extracted and emulated = Emulate and Suspend original file until emulation completes
  • Files that can only be emulated = Emulate and Suspend original file until emulation completes
  • When neither extraction nor emulation is supported (Other Files) = Allow Download

 

Note: It is recommended to move to the Best Practice configuration with Threat Extraction in two stages. Threat Extraction affects the user experience, so users need to be informed and educated about it before it is enabled.

 

Stage 2:

  • Files that can be extracted and emulated = Extract and Suspend original file until emulation completes
  • Files that can only be emulated = Emulate and Suspend original file until emulation completes
  • When neither extraction nor emulation is supported (Other Files) = Allow Download

[Screenshots: Stage 1 and Stage 2 Web Download Protection settings]

Policy: Best Practice
Description: Action Profile = File System Monitor
Policy profile configuration:

  • Enable monitoring = Enabled
  • Default action for files written to file system = Emulate

Policy: Best Practice
Description: Action Profile = Environment Settings
Policy profile configuration:

  • Appliance Type = SandBlast Cloud
  • Emulation Environments = Use Check Point Recommended emulation environments
  • Upload to emulation files less than = 15 MBytes

Policy: Best Practice
Description: Action Profile = Inspected Domains and Files
Policy profile configuration:

Exclusions are set for:

  • Protected Domains

 

Policy: Best Practice
Description: Action Profile = Zero Phishing settings
Policy profile configuration:

  • Phishing protection = Prevent Access and Log
  • Send log on each scanned site = Enabled
  • Allow user to dismiss the phishing alert and continue to access the site = Disabled
  • Allow user to abort phishing scans = Disabled

Note: For Password Reuse protection to work, add the protected domains under the Password Reuse section.

Policy: Best Practice
Description: Action Profile = Anti-Exploit Settings
Policy profile configuration:

  • Enable Anti-Exploit = Enabled
  • Terminate exploited application and log = Enabled
  • Detect exploited application and log = Disabled
  • Protected Applications = Default existing list

Policy: Best Practice
Description: Action Profile = Static File Analysis Settings
Policy profile configuration:

  • Static File Analysis is enabled and set to prevent malicious files

 

Anti-Malware configuration - use default settings

 

Exclusions

It is recommended to create exclusions before the first deployment, during the planning phase. Exclusions can also be created during the first deployment phase on the Test/POC group of assets.

During the learning-mode phase, note the following regarding exclusions:

  1. Internally trusted processes or certified applications that generate false positives (FPs) or high load are candidates for exclusion.
  2. Do not exclude the OS (Microsoft/Apple) certificate.
  3. Internally trusted and protected domains are candidates for exclusion.
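As an added example for the learning-mode review (this is not part of the SK article and is not a Check Point tool), the following PowerShell snippet inventories the code-signing publishers of the processes running on a test endpoint. It lets the internally trusted signers be reviewed as exclusion candidates while flagging the OS vendor certificate so that it is kept out of the list, as the guidance above requires. The $osVendorPattern subject string and the CSV output path are assumptions; the script only reads process and signature information and changes nothing on the endpoint.

```powershell
# Added example, not from the SK article: inventory the code-signing publishers
# of the processes currently running on a test endpoint, as input for the
# exclusion review during the learning-mode phase.
# Run in an elevated PowerShell session so that most process image paths are readable.

# Assumption: the OS vendor certificate subject contains this organization name.
$osVendorPattern = 'O=Microsoft Corporation'

# Assumption: where the candidate list is written for review.
$outputCsv = Join-Path $env:TEMP 'exclusion-candidates.csv'

# One record per distinct process image: its Authenticode status and signer subject.
$results = Get-Process |
    Where-Object { $_.Path } |                     # skip processes whose image path is not readable
    Select-Object -ExpandProperty Path -Unique |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_
        [pscustomobject]@{
            Path      = $_
            Status    = $sig.Status                # Valid, NotSigned, HashMismatch, ...
            Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        }
    }

# Summarise per publisher: how many binaries it signs, how many signatures are valid,
# and whether it is the OS vendor (never an exclusion candidate).
$summary = $results |
    Group-Object Publisher |
    ForEach-Object {
        [pscustomobject]@{
            Publisher = $_.Name
            Binaries  = $_.Count
            Signed    = ($_.Group | Where-Object Status -eq 'Valid').Count
            OsVendor  = $_.Name -match [regex]::Escape($osVendorPattern)
        }
    } |
    Sort-Object Binaries -Descending

# Full picture for the reviewer, OS vendor rows included and marked.
$summary | Format-Table Publisher, Binaries, Signed, OsVendor -AutoSize

# Candidate list: validly signed publishers that are not the OS vendor.
# Unsigned binaries are excluded from the list and need a per-process decision instead.
$summary |
    Where-Object { $_.Signed -gt 0 -and -not $_.OsVendor } |
    Select-Object Publisher, Binaries |
    Export-Csv -Path $outputCsv -NoTypeInformation

Write-Host "Exclusion candidates written to $outputCsv"
```

The output is a starting point for the review, not an exclusion list: a publisher should only be excluded after it has been confirmed as internally trusted and shown to generate false positives or load, and the OS vendor rows are shown only so that the reviewer can see what must stay protected.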

How to exclude? 
