Why Anti-Bot and Anti-Virus connections may be allowed even in Prevent mode
Solution

The Security Gateway uses the Check Point Online Web Service for resource classification. Responses are cached locally to optimize performance, but the gateway must query the cloud whenever the response is not already in the cache. The Resource classification mode determines whether a connection is allowed or held while the Security Gateway waits for the answer from the Check Point Online Web Service.

  1. Hold - connections are held (blocked) until classification is complete.

  2. Background - connections are allowed while the query is pending. When classification completes, the gateway generates a "Detect" log with this description: "Connection was allowed because background classification mode was set". The response is cached, and a subsequent connection with the same classification is detected or prevented according to the rulebase. This is why a connection can be logged as allowed even though the matching rule's action is Prevent: the first connection to an uncached resource is let through.

  3. Custom - configure Hold or Background separately for each blade (Anti-Bot and Anti-Virus).
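
When you review Threat Prevention logs from a gateway running in Background mode, the "Detect" records carrying the description above are the connections that went through only because the verdict was not yet cached. The script below, an added example that is not part of this SK article or of any Check Point tool, parses a handful of constructed log records (the ';'-separated key=value layout is an assumption about the export format; adapt parse_record() to what your log exporter emits) and reports how many pass-throughs occurred per blade and service, which is the evidence you need to decide whether Custom mode with Hold for one blade is justified. It also flags resources that were passed through more than once, since after the first query the verdict should be cached and enforced by the rulebase.

```python
"""Triage exported Threat Prevention logs for connections that the gateway let
through only because the Resource classification mode was "background".

Added example: not part of the SK article and not a Check Point tool.  It
assumes the logs were exported one record per line as ';'-separated key=value
fields (an assumption about the export format; adapt parse_record() to
whatever your log exporter produces).
"""
from collections import Counter, defaultdict

# Exact description the article says a background-mode "Detect" log carries.
BACKGROUND_MARKER = ("Connection was allowed because background classification "
                     "mode was set")

# Constructed sample records for this example (not real gateway output).
SAMPLE_LOGS = """\
time=2024-01-10 10:01:02;product=Anti-Bot;action=Detect;src=10.1.2.3;dst=203.0.113.9;service=http;protection_name=Malware.Bot.Example;description=Connection was allowed because background classification mode was set
time=2024-01-10 10:01:05;product=Anti-Bot;action=Prevent;src=10.1.2.3;dst=203.0.113.9;service=http;protection_name=Malware.Bot.Example;description=Connection blocked by rulebase
time=2024-01-10 10:02:11;product=Anti-Virus;action=Detect;src=10.1.2.7;dst=198.51.100.4;service=http;protection_name=Exploit.Doc.Example;description=Connection was allowed because background classification mode was set
time=2024-01-10 10:03:40;product=Anti-Virus;action=Prevent;src=10.1.2.7;dst=198.51.100.4;service=smtp;protection_name=Exploit.Doc.Example;description=File blocked by rulebase
time=2024-01-10 10:04:00;product=Anti-Bot;action=Detect;src=10.1.2.9;dst=192.0.2.8;service=dns;protection_name=Malware.Bot.Example;description=Detected by rulebase
time=2024-01-10 11:30:15;product=Anti-Bot;action=Detect;src=10.1.2.4;dst=203.0.113.9;service=http;protection_name=Malware.Bot.Example;description=Connection was allowed because background classification mode was set
"""


def parse_record(line):
    """Split one 'k=v;k=v' line into a dict; values may contain spaces and '='."""
    rec = {}
    for field in line.strip().split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            rec[key.strip()] = value.strip()
    return rec


def parse_logs(text):
    """Parse every non-empty line of an export into a list of record dicts."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def background_passthroughs(records):
    """Records where the connection was allowed only because classification
    ran in the background (the rulebase action was not applied to it)."""
    return [r for r in records
            if r.get("action") == "Detect"
            and BACKGROUND_MARKER in r.get("description", "")]


def passthroughs_by_blade_and_service(records):
    """Count pass-throughs per (product, service).  A high count for one blade
    or service is the case for Custom mode: Hold for that blade, Background
    for the rest."""
    counts = Counter()
    for r in background_passthroughs(records):
        counts[(r.get("product"), r.get("service"))] += 1
    return counts


def repeated_passthroughs(records):
    """Resources (protection, destination) passed through in background mode
    more than once.  After the first query the verdict is cached and a repeat
    should be enforced by the rulebase, so a second marker for the same
    resource is worth checking (for example, the cached response may have
    expired in between)."""
    seen = defaultdict(int)
    for r in background_passthroughs(records):
        seen[(r.get("protection_name"), r.get("dst"))] += 1
    return {key for key, n in seen.items() if n > 1}


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    print(f"{len(background_passthroughs(recs))} of {len(recs)} records were "
          "background-mode pass-throughs")
    for (product, service), n in passthroughs_by_blade_and_service(recs).items():
        print(f"  {product} / {service}: {n}")
    for key in repeated_passthroughs(recs):
        print(f"  repeated pass-through: {key}")
```

Run it against a real export and the per-blade counts tell you which blade is letting first-seen resources through; the repeated entries tell you whether the cache is actually saving you the second time round.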

To change the Resource classification mode:

In R77.x, go to the Anti-Bot and Anti-Virus tab > Advanced pane > Engine Settings.


In R80.x, change the Resource classification mode in the Threat Prevention Engine Settings:

  1. In SmartConsole, go to Manage & Settings -> Blades.

  2. Go to Threat Prevention, and select Advanced settings.

  3. In the Threat Prevention Engine Settings window that opens, go to the General tab > Check Point Online Web Service > Resource classification mode, and select one of these options:

    • Background - Connections are allowed, and files are sent to the destination, while the classification or Threat Emulation analysis is still in progress.
    • Hold - Connections that must go through classification or emulation are held until the analysis is finished.
    • Custom - Select this option, click Customize, and set Background or Hold separately for Anti-Virus and Anti-Bot. Click OK.



  4. Install the Threat Prevention policy.

After switching from Background mode to Hold mode, the Security Gateway holds the file instead of streaming it to the client browser. The browser shows the download as still in progress, but it stalls at some point. The gateway resumes sending the file only after scanning completes or a gateway-side timeout expires.

If the file is malicious, the Security Gateway stops sending it.

Note: If the Threat Prevention policy action is "Prevent", a file that Threat Emulation has already identified as malware is blocked from the cached verdict; it is not sent to the destination even in "Background" mode.

Note: Starting from R75.47 and R76, Anti-Bot Resource Classification for DNS is always performed in "background" mode on the Security Gateway, regardless of the setting above. To learn more, see sk92224 - Resource Categorization for Anti-Bot / Anti-Virus DNS Settings optimization.
