Engine:58.990001522

• Local Threat Emulation is now supported on R80.40

• Performance Improvement - Verdicts for unknown files will now arrive 10-20% faster

• Stability improvements – emulation timeouts will now be even less likely to happen (80% improvement)

• Various improvements to detection rate and reduction of false positive rate

Engine:58.990001476

• Reduced documents False Positive verdicts (by adding logic querying additional external resources before lowering confidence)
• Added ability to add YARA based exceptions in documents flow overriding verdict for specific cases
• Enhanced handling of malware trying to determine that they run in virtual machines to evade sandboxing
• New images were released for sandbox VMs, introducing performance improvements on sandbox side

Engine:58.990001397

• MITRE in TE report - fixed minor UI issues in the MITRE ATT&CK section in the Threat Emulation Summary Report
  
  
• Emulation platform enhancement - fixed issues that might cause emulations to fail in rare cases
  
  
• Anti-evasion - enhanced handling of malware trying to determine that they run in virtual machines to evade sandboxing

Engine:58.990001311

More information about new revisions: sk135413

•           CVE Reference in Reports – The Threat Emulation Summary Report now includes a reference to the CVE used by the malic .Clicking on the CVE will lead to its official description and details.

•           MITRE ATT&CK information in the log card – since engine update 9.0, the Threat Emulation Findings report contains a MITRE ATT&CK section, detailing the different techniques detected in the malicious file.
  Starting engine update 9.4, this information is also available in the log card.
  This update allows admin to better understand the attack looking at the log card, as well as exporting this data to external SIEM systems and easy search and filtering of attack events based on MITRE fields.

•          Export Threat Detailed Report to logs and external SIEM systems.Threat Emulation Report data details are now exported to logs and external SIEM systems and provide ease of search and filtering based on MITRE related data.

• Enhanced Prevention of Zero-Day Malicious Documents – Rebuilt some of the emulation engines for Microsoft Office and PDF documents, to increase the catch rate and return malicious verdicts much faster.
• More Granular Error Management – Added the ability to configure a specific failure mode (fail-open / fail-close) for cases in which emulation fails due to the file being non-supported. For more information, refer to sk132492.

Engine:58.990001229

More information about new revisions: sk135413

• New Archive File Type Support – The following archive file types are now supported: LZH, ARJ, CPIO, AR.
• Fixed a bug that might cause incorrect values in the Verdict log field for files extracted from archives.
• Fixed a bug causing Threat Emulation not to treat encrypted PDFs according to the policy and always fail their emulation.
• Fixed a bug that might cause archive files of unsupported types to be mistakenly marked as malicious by Threat Emulation.
• Fixed some small UI bugs in the MITRE ATT&CK part of the Threat Emulation report. 

Engine:58.990001191

More info about new revisions: sk135413

New Archive File Type Support – the new engine supports the following archive file types when password-protected: RPM, WIM, CHM, LZH, MSI, ARJ, CPIO, AR, CramFS, QCW2, UDF

Replacing the Threat Emulation API Certificate – administrators can now upload their own certificate to be used for Threat Emulation API calls to their Threat Emulation appliance. For more information, refer to sk160693.

Engine:58.990001056

More info about new revisions: sk135413

MITRE ATT&CK reporting – the Threat Emulation Forensics Report now includes a detailed MITRE ATT&CK Matrix with the detected adversary tactics and techniques for every executable file found to be malicious.

Enhanced Support for Archive Files – this engine release includes significant improvements in handling archive files. Improvements include:

• All supported file types, including .7z and .rar, are now also supported when password-protected. For more details, refer to sk112821. 
• Improved mechanism to automatically "guess" passwords when opening password-protected archives for emulation.
• Added support for password-protected archives, using Unicode characters in the password.
• Many new supported archive formats - WIM,CHM,CramFS,DMG,EXT,FAT,GPT,HFS,IHEX,MBR,MSI,NSIS,NTFS,QCOW2,RPM,SquashFS,UDF,UEFI,VDI,VHD,VMDK (starting from TE engine version 9.1).
• Stability improvements

Engine:58.990001004 

More info about new revisions: sk135413

• Faster delivery of emulation verdict for documents in which files are embedded.
• Various minor bug fixes

Enhanced Anti-Evasion

Several improvements to the emulation’s human impersonation, making it even more resistant to modern evasion techniques.

Faster Emulation of Documents

Emulations of Office and PDF files will now take significantly less time, allowing for enhanced productivity due to faster verdicts for malicious and, most important, benign files.

Engine:58.990000860

revisions: sk135413

Enhanced Support for Password-Protected Documents

• Administrators can now configure a default action for password-protected documents, so that if such files reach emulation, they will be allowed or blocked by default. To configure the default action, follow the instructions in sk132492.

Attachments from Nested MSG Files

Threat Emulation now supports emulating files that are attached to MSG files that are themselves attached to other MSG files.

13-May-19

14/5

More info about new revisions: sk135413

New Features

Enhanced Logging for Emulated Archive Files

Until this update, emulation of archive files generated a single log on and for the archive file itself. With this release:

• The archive file log includes the names of all the files inside it.
• A new log is generated for every file extracted from the archive with its emulation results. This log contains the name of the archive file, so that logs are correlated easily between the archive file and between those of the files it contains.

Detailed Malware Behavior Report

Improvements and Enhancements

Enhanced Anti-Evasion Techniques

Improved detection and prevention of malware files employing evasion techniques. The improvements include:

• Enhanced human interaction simulation
• Enhanced detection of malware initiated after the malicious file is closed.
• Enhanced handling of malware creating a large amount of API calls to overload the emulator.
• Enhanced handling of malware trying to check if the file is run in a virtualized environment
• Fixed an issue causing password-protected archives not to be emulated even though the password for the file is located in the email body. This issue can occur if the archive file was attached to emails with multi-part bodies. The most common example is an email body combining pictures and text.

Important License Enforcement Note

As previously announced, the grace period for the Threat Emulation license enforcement is over. Starting with this emulation engine update, a valid NGTX license must be installed on the Gateway for Threat Emulation and Threat Extraction to work properly. Gateways without the required license receive the following warning log: "Warning: NGTX license is required for the gateway to enable Threat Emulation. To ensure uninterrupted operation, please update the gateway device with a valid license. Please read through sk140212 to make sure you properly set up the system with the required licenses."

31-Mar-19

Deployment

31/3 - 22/4

Engine:58.990000617

More info about new revisions: sk135413

New Feature

Enhanced Classification of Malware Families

A key part of understanding detected malware, its potential damage, and steps for its remediation, is its classification in a malware family.

This release includes a new machine learning engine that improves this classification, making it faster and more accurate.

• The new engine utilizes two novel algorithmic approaches for detecting and identifying unknown malware samples and families. The first layer is the application of an unsupervised clustering technique on the behavioral feature space produced by Threat Emulation for detecting sample similarities in behavioral pattern space.
• The second layer is based on an active learning method, which represents the discovered patterns in a way that allows you to combine information form threat research analysts, inject threat intelligence information into the algorithm, and use it to identify unknown malware families and new variants of known ones. This method allows for the combining of behavioral analysis and threat intelligence into one unified detection operation.

Enhanced Emulation of EXE files

A new Threat Emulation engine dedicated to dynamically determining the required emulation time, improving the handling of malicious executable files that take time to start their malicious activity.

7-Mar-19

Deployment 

7/3 - 25/3

More info about new revisions: sk135413

New Feature:

Enhanced Emulation for non-Supported File Types:

This release introduces a new and easy way to enable Threat Emulation (TE) on file types that are not supported by default. Administrators can now also configure the vector in which TE will run on these file types – Email, Web or both. Refer to sk149292 for more information. 

14-Feb-19

Deployment 

14/2 - 28/2

Engine:58.990000481

More info about new revisions: sk135413

New Features:

• Enhanced prevention for attacks in all vectors with .LNK malicious files. These files can now be emulated both using local Threat Emulation Appliances and using the cloud service to provide maximum protection.

• Enhanced sandboxing (emulation) of Microsoft Office files, utilizing a new Machine Learning engine. The new engine extractsVBA code from the document file, then generate powerful expert-designed features, and feeds them to the Machine Learning model that predicts maliciousness. It is based on a classic ML ensemble method called Random Forest

16-Jan-19

Deployment

16/1-31/1

More info about new revisions: sk135413

New Features:

Enhanced Visibility on "Malware DNA" Analysis.

With this release, security personnel can better understand the analysis performed on the malware and the reasons for the file being flagged as malicious.

The Threat Detail report now includes Malware DNA, a deep dive into different similarities it presents to known malware families. The enhanced analysis includes:

• Behavioral similarities with other malware familiesCode structure, similarities with other malware familiesFile, similarities with other malware familiesPatterns of connection attempts to malicious websites and C&C servers similar to other malware families.
• Malware DNA employs a novel technique to detect malicious code at the lowest level representation - the machine-code level. By extracting the binary representation of malicious code from known malware and representing it in generalized form, Malware DNA is able to detect unique code, code re-use and code permutations of unknown and future threats. Moreover, Malware DNA technology makes it possible to detect threats embedded in otherwise benign software even if the malicious code only runs in very specific and rare situations. By identifying known code inside the executable, Malware DNA is able to segregate and classify parts of an executable and trace the code to its origin.
• Malware DNA employs a range of techniques that render it resistant to code permutations, compiler optimizations and other changes to code that do not change code semantics.
• Unlike other malware detection technologies, Malware DNA is not based on signatures, sandbox or anomaly detection. It's an ultra-fast static engine which is not susceptible to evasion techniques.

24-Dec-18

Deployment

24/12-10/1

Engine:58.990000164

More info about new revisions: sk135413

New Features:

• Expanded Anti-Virus via Threat Prevention API support for local Threat Emulation appliances and Threat Prevention API for Anti-Virus deep scans. The new feature provides the ability to run a full AV Deep-scan using a Threat Emulation appliance. For additional details and instructions. refer to the Threat Prevention API Reference Guide. 

• Policy Restriction Handling Control system behavior. By applying user defined restrictions, the following restriction would be supported:

• Archive extraction error – Define and handle archive relate policies.
• Max number of files - Define max number of files the system archive.

• Dynamic Detection Machine Learning. Adds a machine learning model that uses dynamic emulation output, specifically the API calls performed by the analyzed executable, to detect malware. It uses machine-generated features as well as sophisticated features hand-crafted by domain experts and world-class malware researchers, and leverages and constantly updates state-of-the-art anti-evasion techniques. The machine learning is trained frequently on real production data, making its relevant, customer-facing detection rate superior to previous generations of dynamic detection schemes while maintaining a very low false discovery rate. It is the most important component of our in-house detection capabilities.

• Licensing Enforcement starting with Threat Emulation engine version 7.9. The Gateway device will also now validate the existence of a valid NGTX license when using a SandBlast appliance for emulation. However, there are some exceptions. so refer to sk140212 for details.

Improvements and Enhancements:

• Customized YARA signatures: Enable deployment of dynamic custom behavioral in the Gateway. 

• Improve detection of URL reputation by adding context data to a URL rep request and identifying the file that caused the activity.

18-Nov-18

Deployment

18/11- 12/12 

More info about new revisions:

sk135413

• Introducing new detection engine - IP reputation: Preemptively reject requests that are coming from or sent to IP addresses marked as malicious, by Check Point's constant malware research activities. This engine is protocol agnostic and can detect and prevent any communication protocol.
• Introducing CADET for local emulation - CADET (Context-Aware Detection and Elimination of Threats), Check Point's newest and successfully proven AI-based technology, is now available across all SandBlast deployment options (cloud and on premise). Check Point's CADET technology continuously evolves and adapts to the changing threat landscape using machine learning to offer best in the market detection accuracy.
• Threat emulation reports now include traffic capture logs. A detailed traffic log is now available for download directly from the emulation reports, allowing users visibility of suspicious network traffic generated by examined files.
• New Threat Emulation reports are now available via a consolidated API: a newly aligned and consolidated public API for new Threat Emulation reports for both cloud and premise (appliance) environments.
• Note: backwards compatibility is supported using the "reports_version_number" field. Additional information is available in the Threat Prevention API documentation: Threat Prevention API 1.0 Reference Guide.

15 Oct 2018

Deployment

15/10 - 26/11

Engine:57.990004002

More info about new revisions:

sk135413

• New AI powered detection engines for malware detection in documents: Our Machine just learned how to improve detection accuracy in documents. The technique used includes a combination of our techniques for CPUL and OS level emulation and machine learning algorithms to improve significantly the detection accuracy while reducing false positives. Please note that the new AI Model will initially be deployed in Threat Prevention cloud only. On-premise deployments will be supported in a later release.
• R80.10 (JHF 151) supported by TEX appliances. Support for DLL files in TE (requires Image revision 247). DLL files are emulated in a way similar as in executable files.
• Improved detection using behavioral machine learning to detect threats in executable files. Advanced automated machine learning using millions of samples to improve the accuracy of the executable behavioral machine learning detection. 
• Detection Improvement - CADET – updated machine learning model for executable files.  Incorporates new data sources from our latest engine improvement into the decision making of Cadet. This allows improvement in detection accuracy.
• Introducing a new detection engine that examines files similarity. This allows for better classification of malware family to understand the nature of the attack.
• Update frequency algorithm improved (more frequent updates).
• Improved performance of TE GC (cleanup script).
• Bug fixes: Fixed an issue that caused TE to restart when the cache is full. 

Deployment

7/10-14/10 

• Remove writing to the cloud emulator local cache.
• Changed check for update frequency.
• Released to cloud emulators (not to gateways).

28 Sep 2018

Deployment 

28/9 - 29/9

Engine:57.990002817

• Changed check for update frequency
• Released to gateways (not to cloud emulators).

4 Sep 2018

Deployment 

3/9 - 26/9

Engine:57.990002814

More info about new revisions:

sk135413

• TE Local Emulation for version R80.20 has been changed to version R80.20 GA.
• Fixed an issue with licensing that caused some emulators not to use the full capacity.

13 Aug 2018

Deployment

13/8 - 28/8

Engine:57.990002774

(Cloud 572772)

IMAGE-READY = 234

• TE local Emulation on R80.20 – early availability.
• Improvements of 64bit executable detection.

29/-Jul_18

Deployment

29/7 - 9/8

*****

Revert Engine to 7.2 :57.990002736

Only for part of the appliances

********

Engine:57.990002731

IMAGE-READY = 234

• NEW SandBlast Threat Emulation report. For specific availability details, refer to sk120357
• Error Granularity Manager. For more information, refer to sk132492.

08-Jul-2018

Deployment 

8/7 - 19/7 

Engine:57.990002686

*****

Revert Engine :57.990002736

********

IMAGE-READY = 234

• Added support for macOS file types to both SandBlast Emulation Cloud and locally. For more details see sk130652. 
• Return low confidence in case only few events are seen during emulation of documents.

14-Jun-2018

Deployment: 25/6 - 5/7

Engine:57.990002630

IMAGE-READY = 234

• Apply YARA rules to file types supported by TE. For more details see sk123156.
• Added new supported file types : PowerShell (.ps1) and Batch files (.bat)
• Added new supported file types following recent campaigns: SYmbolic LinK files (.slk ) and Excel Web Query file (.iqy)
• Cache Purger - a mechanism that reduces FP rate for cloud customers (GWs which use the "sharing" feature will also benefit from this mechanism).
• Avoid the scenario where TE stops emulation while the logs continue to write to disk and the emulation enters fail mode. For more details see sk124712. 

Engine:57.990002566

IMAGE-READY = 234

• CADET improves Threat Emulation precision by incorporating all existing Threat Emulation features in Machine Learning (ML) mode. ML is tuned to improve accuracy, increasing the number of threats detected and reducing the number of false positives.
•  Currently, CADET focuses on executable files, and applies only to cloud emulations. 

Threat Prevention by file source URL.

Improved Static Macro analyzer. Improved detection of malicious macros in Office documents.

Improved executable file analysis performance by approximately 40%.

YARA for all file support – Early Availability. This feature is currently off by default. 

New anti-evasion techniques. 

• Additional features in Threat Emulation reports:
• Added tecli command for configuring the malicious file password. Added HTTP attack vector which includes the download source URL and its reputation.
• Added time stamp to the attack vector.
• Added the option to download packet capture.
• Show the entire file path for archive/dropped/embedded descendants.
• Show emulation video instead of static screenshots.

Improved Cloud Emulation queue wait time by approximately 50%.

Engine:

56.990002329

IMAGE_READY = 234

 • Added support for .bat and .cmd files that arrive in mail attachments.

These file types are not available in the Threat Emulation Supported File Types menu.

• Detection improvements and FP reduction

Introduced advanced human simulation – Threat Intelligence group has observed many files in the wild that were using a new evasion technique (implementation in images rev. 234)

• CADET for executable files only – silent mode o

Cadet aims to improve Threat Emulation precision on executable files by transferring all of existing TE features (such as emulation results, reputation, and others) to a AI model tuned to improve accuracy – increase detection and reduce false positive. Cadet is focused preliminary on executable files, and will apply only for cloud emulations at this first stage.

Cadet is currently being deployed in Silent mode – meaning it does not change the verdict on TE.

• FP handling improvement 

Smarter management of global TE Cloud Cache, to increase cached verdict reliability and prevent FP pollution.

Engine: 56.990002262

IMAGE_READY = 226

15 Jan 2018

Deployment:

15/01/18 - 05/02/18

Engine: 56.990002053 More info about new revisions: sk122374

•  Improved detection
  • Added support for 64bit Binaries using live machine learning detection. 64bit Binaries will be emulated on the 64bit images (win 7 64, Win 8.1 64 and Win 10).
• NEW THREAT EMULATION REPORTS - currently in EA and applied for R80.10 - sk120357
• Issues from 6.12 that were released as offline only
  
  • Please see below

 21 Dec 2017

Only offline

Engine: 55.990001865

Images_Ready: 209

File_Types - TE_FILE_TYPES_MAP

Version: 38

• Fixed an issue where the system attempted to emulate non-relevant content types when downloading files from .com domains
• Support for *.xz file type 
• Stability improvements

• Fixed issue related to rare condition in private cloud emulation were files are stuck in uploading state in case the first rule in the policy is not installed on the GW.

Images_Ready: 208 

• New Threat Emulation Reports (currently in EA) - please refer to sk120357
  • Embedded-file drill-down - For emulations of archives, droppers, and documents embedding other files: click on any of the embedded/dropped files with malicious verdict to drill down on its emulation report.
  • Graphic attack vector for SMTP
• Bug fixes and improved detection
  • Fixed an emulation performance issue that affected some customers
  • Improved detection of documents with macros
  • Stability fixes

06 Nov
2017

Engine: 55.990001748

Images_Ready: 207 

•  New Threat Emulation Reports (currently in EA) - please refer to sk120357
  • Support of Archive files - Reports of archive files display a table listing all files in the archive with an individual verdict for each file
  • Support of "Actions"
    • Contact Check Point Incident Response Team
    • Generate a CSV of the emulation activity timeline
• Improved Detection of DDE-based attacks

26 Sep
2017

Engine:

55.990001702

Executable_Analyze:

541553

Images_Ready:

204

• Revolutionized TE reports
  • Beta release - follow sk120357 to enable this feature on R80.10 Security Gateways for PoCs and evaluation.
  • Enriched IOCs – we are extracting many more indicators of compromise from emulation sessions of malicious files and including them in the TE reports.
  • Revised UI and workflow.
    Note: This is work in progress - the new report is not generated by default. The new report can be enabled on R80.10 Security Gateway for PoCs and evaluation.
• Several improvements to some of TE detection engines
  • Improved machine learning model
  • Reduced number of False Positive

13 Aug
2017

Engine:

54.990001557

• Fixed issue regarding embedded link inspection in Private Threat Cloud environments. 
• Fixed unnecessary disk space usage on Security Gateways

09 Aug
2017

Engine:

54.990001312

• Minor bug fixes
• Reduced number of False Positive caused by JS embedded in PDF
• Early Availability of R80.10 support for SandBlast TE250X, TE1000X, TE2000X appliances:
  • To participate, you need to upgrade the SandBlast TEX appliance to R80.10 and make sure that this TE engine is installed
  • Note: Do not use R80.10 on TE100X model at this point.

19 July
2017

Engine:

54.990001309

More info about new revisions:

sk119144

• Performance improvement
  • Improved files processing throughput for Security Gateways sending files to be emulated by SandBlast cloud service or in SandBlast TE appliance deployment. The improvement significantly reduces possible issues caused by queue of files in upload by uploading several files in parallel.
• Improved detection
  • Improved simulation of user interaction
  • Integration with new network reputation service that contains advanced algorithms for improving malware network activity detection.
• License enforcement
  • Validate NGTX license for Security Gateways working with TE appliances and for inline TE appliances - applicable for new TE appliance SKUs launched in October 2017 - sk119133
• Infrastructure for fast OS image update
  • New infrastructure for OS image updates, allowing much smaller updates and much shorter downtime (minutes instead of hours). Image Initialization phase reduced to a few seconds.
• Updated OS Images 
  The new images include general OS improvements and Creators Update for Windows 10:
  • "Win10 64b,Office 2016,Adobe DC"
  • "Win7,Office 2010,Adobe 9.4"
  • "Win7 64b,Office 2010,Adobe 11"
    
    Note: Before upgrading the TE Engine, make sure that you have 160 GB of free disk space!

06 July
2017

Engine:

54.990001252

Fix related to file descriptor leak in logs in R80.10.
For more details, see sk117672.

25 June 2017

Engine:

54.990001250

• Improved detection by Macro analyzer
• Support for TLS 1.2 Jumbo HF
• Reduced scan engine core dumps
• Reduce False positive

Engine:

54.990001196

•  General bug fix 

Engine:

54.990001195

• Security fix: In links inside mail - fix error under load

23 May 2017

Engine:

54.990001194

UID:

Scanengine Package:

64696D61-A095-47E8-B819-3A3A9FF7FC66

Version: 5

• Multiple Remote
  • Multiple Remote was introduced in engine update 6.5, allowing Security Gateways from separate management SIC domains to connect to the same TE appliance.
  • This updated removes several Multiple Remote limitations:
    • Multiple Remote now supports VSX gateways
    • Multiple Remote now supports 64-bit gateways (for more details, refer to sk102309)
• New configuration options
  • Added the ability to configure the maximum number of files, which are extracted from archive for emulation: 
    tecli -> advanced -> archive -> extract -> max_extracted_files_limit -> set Number_0-500
• Ransomware detection
  • Improved detection of ransomware - a new Threat Emulation engine monitors data file tampering within sandbox sessions
• Important bug fixes
  • Fixed scenarios, in which there are missing screenshots in Threat Emulation reports
  • Added support for UTF-8 file names in archives
  • Cleaned up debug logs in ted.elg

06 April 2017

Engine:

54.990001153

UID:

9B2ACBA1-70C0-4C32-AA7F-03F85F67DB09

Version: 2

UID:

10B4A9C6-E414-425C-AE8B-FE4DD7B25244

Version: 4

• Improvements in Early Verdict for prevent (the early verdict provides partial response when the file is malicious)
• Improved support for Multiple Private Cloud Appliances - added support for different management domains (sk102309 - section "(9) Configure Security Gateway to use a remote Threat Emulation Private Cloud Appliance that is managed by a different Management Server")
• Improved detection

12 March 2017

6.4

Engine:

53.990001139

UID:

10B4A9C6-E414-425C-AE8B-FE4DD7B25244

Version: 11

• Windows 10 support - User will be able to emulate non-executable files on Windows 10 64-bit
• Early Verdict for prevent - The early verdict provides partial response when the file is malicious - sk117168
• Improve detection:
  
  • Detection of SHA-1 collision attacks (SHAttered attack - sk116141)
  • Provide detection for PDF with embedded links including phishing attempts
• tecli command improvement - enable/disable internally supported file types
• Bug fixes:
  
  • Reduced false-positives in Macro detection
  • Resolved storage cleanup issues

19 Feb 2017

6.3

Engine:

51.990001127

• Ransomware campaigns detection improvement - new file type supported:
  
  • *.vbs file type in archives attached to e-mail
  • *.wsf file type in archives attached to e-mail
• R80.10 compatibility - TE Engine will now be able to run across multiple Gaia releases.
• Bug fixes Bugs fixes related to "Push Forward" that result in error

16 Jan 2017

6.2

Engine:

48.990000062

WEM_phase_1 - TE_IMAGE

1AFBDE2E-D593-45A8-A686-6CBD42F37823

Version:2

WEM_phase_2 - TE_IMAGE

1B0C5014-714D-47F3-9B10-0B7EE386E745

Version:2

• New:
  
  • "Push Forward" emulation (sk115376)
  • Malicious Macro detection (sk115418)
• Additional fixes:
  
  • Improved stability of CPU Level emulation
  • Reduced emulation errors in CPU Level emulation

28 Nov 2016

6.1.2

Engine:

47.990001022

File_Types - TE_FILE_TYPES_MAP

779739FA-FDB7-473A-9688-8EFAF60A05C2

Version: 37

Executable_Analyzer - TE_EXE_ANALYZER

Version: 471022

• NEW:
  
  • Support for *.cpl file type
  • Support for *.vbs, *.jse, *.vba, *.vbe, *.wsf and *.wsh file types in archives attached to e-mail
• Improved password extraction from e-mail body (special hotfix is required)
• Performance and quality improvements

08 Nov 2016

6.1.1

Engine:

47.990001008

• Security Fix - classifier fix in order to deal with macro enable Office files
• Main bug fixes:
  
  • Engine update - fixed EU6.1 emulator emulating unsupported file types:
    
    • Matter reported/reproduced under the following scenarios: unsupported file types sent through API, ICAP client and Security Gateway running Engine Update 6 with unsupported file types inside archive
  • Core in Hotfix with links during stress tests
  • "tecli advanced archive extract ..." commands were deleted in D6.1 - reverted the change
  • Threat Emulation daemon crash that occurs in stress or in scenarios related to password protected archives.

25 Sep 2016

6.1

Engine:

47.990000102

• Threat Emulation File Analyzer: sk112312
  • Files embedded in documents will be extracted and emulated
  • Ability to block certain embedded files using command line
  • Documents containing Links (URLs) - reputation will be checked using Check Point ThreatCloud
• Encrypted archives: sk112821
  
  • Attempt to decrypt the commonly used archives using a passwords dictionary
  • User defined password phrases support
  • Ability to prevent password protected files in case of decryption failure
    ("Prevent" action will occur only when Emulation Connection Handling Mode is configured to 'Hold')
• NEW: Support for *.com, *.iso archive, and *.js file in archives attached to e-mail
• Independent profile configuration for SandBlast appliance - sending Gateway and SandBlast appliance are not required to carry the same policy
• Executable machine learning detection engine improvements
• In total: 110+ bug fixes and quality improvements

25 Jul 2016

6.0.2

Engine:

46.990000189

• Added support for SHA-256 based certificates for Threat Emulation Engine self-update (sk103839, sk113333)

13 Jun 2016

6.0.1

Engine:

46.990000187

• Check Point response to CVE-2016-3712 and CVE-2016-3710 vulnerability in QEMU
• Bug fix in update routine for VSX deployments

25 Apr 2016

6

Engine:

46.990000181

Images:

UID: 3FF3DDAE-E7FD-4969-818C-D5F1A2BE336D, Revision: 14

UID: 5E5DE275-A103-4F67-B55B-47532918FA59, Revision: 22

UID: 6c453c9b-20f7-471a-956c-3198a868dc92, Revision: 15

UID: E50E99F3-5963-4573-AF9E-E3F4750B55E2, Revision: 53

UID: 8D188031-1010-4466-828B-0CD13D4303FF, Revision: 24

UID: 7E6FE36E-889E-4C25-8704-56378F0830DF, Revision: 53

• NEW: 64-bit OS images - Windows 8.1 and Windows 7
• NEW: Detecting links to malicious files inside e-mails (refer to sk115313)
• NEW: SMEP Detection - detect privilege escalation attempts
• NEW: Support for *.gz and *.bz2 archives
• Improved file classification
• Enhanced malicious executable detection:
  
  • User Access Control - Detect malicious attempts to bypass the Windows UAC mechanism
  • Icon similarity - Detect executables whose program icon is similar to known application documents
  • Machine learning detection engine improvements
• Deep scan:
  
  • Significant memory usage reduction for Anti-Virus deep scan (requires a hotfix - will be available soon)
  • Integrated additional deep scan capabilities in TE
• Images initialization duration improvements
• Bug fixes and quality improvements:
  
  • CPU-level engine - reduced FPs, improved stability
  • Solved cluster fail overs due to TE blade
  • Improved JAR static analysis
• In total: 190+ features and bug fixes

17 Apr 2016

5.1.1.1

Engine:

44.990000115

• Update routine improvements

20 Jan 2016

5.1.1

Engine:

44.990000110

• Check Point response to CVE-2016-1714 - see sk109700

16 Nov 2015

5.1

Engine:

[8 Dec]: 44.990000107

[16 Nov]: 44.990000099

Images:

UID: E50E99F3-5963-4573-AF9E-E3F4750B55E2, Revision: 47

UID: 7E6FE36E-889E-4C25-8704-56378F0830DF, Revision: 50

UID: 5E5DE275-A103-4F67-B55B-47532918FA59, Revision: 20

UID: 8D188031-1010-4466-828B-0CD13D4303FF, Revision: 22

• NEW: Optimized OS images for improved detection
• NEW: recommended OS image carrying up-to-date software for enhanced detection
• Bug fixes and quality improvements:
  
  • Confidence level for executable files
  • Performance degradation when using Hybrid mode

25 Aug 2015

5

Engine:

[7 Sep]: 43.990000082

[25 Aug]: 43.990000078

Images:

UID: E50E99F3-5963-4573-AF9E-E3F4750B55E2, Revision: 47

UID: 7E6FE36E-889E-4C25-8704-56378F0830DF, Revision: 49

UID: 5E5DE275-A103-4F67-B55B-47532918FA59, Revision: 19

UID: 8D188031-1010-4466-828B-0CD13D4303FF, Revision: 21

• NEW: CPU level Threat Prevention:
  
  • Supported on TE100X, TE250X, TE1000X and TE2000X appliances
  • Hotfix from sk107333 may be required after updating the engine
• NEW: Support for *.pif file type
• Improvements in detection ratio
• Bug fixes and quality improvements

30 Jul 2015

4.1

Engine:

24.990000258

Images:

UID: E50E99F3-5963-4573-AF9E-E3F4750B55E2, Revision: 45

UID: 7E6FE36E-889E-4C25-8704-56378F0830DF, Revision: 47

UID: 5E5DE275-A103-4F67-B55B-47532918FA59, Revision: 17

UID: 8D188031-1010-4466-828B-0CD13D4303FF, Revision: 19

• NEW: Public API for emulation services
• NEW: Network based detection
• NEW: Threat Cloud advisory
• NEW: Support for *.cab and *.tgz archives
• NEW: Full ZIP archive scanning
• NEW: Dropped files emulation
• Improvements in detection ratio of *.exe
• Improvements in stability - persistent file emulation queue
• Bug fixes and performance improvements

14 May 2015

4.0.1

Engine:

24.990000010

• Check Point response to CVE-2015-3456 (VENOM) - see sk106060

15 Feb 2015

4

Engine:

24.990000009

Images:

UID: 5e5de275-a103-4f67-b55b-47532918fa59, Revision: 15

UID: 7e6fe36e-889e-4c25-8704-56378f0830df, Revision: 45

UID: 8d188031-1010-4466-828b-0cd13d4303ff, Revision: 16

UID: e50e99f3-5963-4573-af9e-e3f4750b55e2, Revision: 44

• NEW: Support for Flash file type
• NEW: Support for Java file type
• Improvements in detection of *.exe and *.scr files by adding behavioral features and using a decision mechanism that is based on a machine learning model
• VSX improvements
• Support for SHA256 as part of the logging information
• Added the TTL mechanism to the local cache on the Security Gateway
• Bug fixes

03 Sep 2014

Engine:

• NEW: Support of Multiple Private Cloud Appliances - see sk102309
• NEW: Support for *.scr file type
• NEW: Skipping emulation for known good files according do domains and certificates
• New version of the Static analysis mechanism
• Stability fixes - Enhanced handling of files, which generate extensive forensics data/reports

27 Apr 2014

Engine:

• NEW: Support for archive caching
• NEW: Support for dropping of archive files that contain certain file types
• NEW: Better file classification abilities
• NEW: Enhanced detection of emulation process tampering
• Stability fix - Possible memory leak in certain circumstances

06 Feb 2014

Engine:

• NEW: Support for executable emulation
• NEW: Support for archives (ZIP, RAR, TAR and 7z)
• NEW: Anti-evasion capabilities against malware that tries to detect its execution in a sandbox
• NEW: Better detection capabilities
• Stability fixes

29 Dec 2013

Engine:

• NEW: Support for GEO restriction (for details, refer to sk97877)
• Stability fix for supporting new emulation images
• Stability fix for the Engine Update itself

25 Nov 2013

Engine:

• Gradual upgrade support
• Stability fix for Local Emulations - when using large number of emulation machines (more than 33), the emulation machines will stop responding
• Fixed a condition where DNS resolving can cause emulations to fail

13 Oct 2013

Engine:

• Fixing a possible bug in communication from Security Gateway to Cloud

02 Oct 2013

Engine:

• Stability fix for the Emulators of local and private cloud when dealing with malicious files
• More efficient Cloud Service communication
• Enhancing availability and stability of the Cloud Service
• Fixed confusing log events in the SmartView Tracker