Threat Emulation Engine Release Updates

This article lists all new items and fixes for each Threat Emulation Engine Update. It is updated each time a new Engine Update is released.

To check the current version of Threat Emulation Engine Update, run one of these commands:

  • [Expert@HostName]# tecli advanced engine version

  • [Expert@HostName]# cat $FWDIR/teCurrentPack/te_ver.ini

To check the current version of Threat Emulation Image, run:

  • [Expert@HostName]# tecli show downloads images

For the latest Threat Emulation malware detection rules, refer to sk117672 - How to update the Threat Emulation malware detection rules.

For file types supported in Threat Emulation, refer to sk106123.

List of Resolved Issues and Enhancements per Release

Date Release Engine Version What's New
24 Nov 2022 10.34


Changes since 10.27:
  • Updated certificate whitelist
  • Improved detection models for EXE, Office and PDF files
  • Improvements in YARA engine
  • Enhanced Trusted Sources
  • Fixed a rare crash that happens during Threat Emulation daemon shutdown
  • Enhanced detection of office documents containing malicious URLs
29 Mar 2022 10.26


  • Threat Emulation Cloud Dedicated to UK - Gateways can be configured so that files are sent for emulation (sandboxing) only in a specific country, to meet regulatory requirements and other privacy concerns. This update now includes the ability to restrict emulations to United Kingdom. To restrict your gateway’s emulations to a specific country, follow the instructions in sk97877.
  • Added detection enhancements and code improvements.
8 Mar 2022 10.25


  • Added detection enhancements and code improvements.
5 Apr 2022 10.24


  • Local Threat Emulation now supports Internet-connected sandboxes to prevent multi-stage attacks at the earliest stage. The full infection chain is analyzed and is presented in the MITRE ATT&CK Matrix visualization in the Threat Emulation report.
    • See sk178289 for enabling Internet access for Local Threat Emulation. 
    • Example of Threat Emulation report for prevented multi-stage attack can be found here.
  • Added detection enhancements and code improvements.
8 Mar 2022 10.23
(includes content of 10.22)


  • New Neural Network for Microsoft Office files
    • Improvement of catch rate to 97% and improved accuracy.
  • New anti-evasion file download technique.
4 Jan 2022 10.21


  • Threat Emulation Engine releases public API version 2. Main changes:
    • Requires requests to use SHA-256 hash.
    • Removes deprecated fields from the Threat Emulation API Found response.
8 Dec 2021 10.20


  • New sandbox image
    • Support for dynamic DLL emulation.
    • Catch rate and performance enhancements.
  • New Neural Network for PDF files.
    • Improvement of catch rate to 97% and improved accuracy.
  • YARA-based detection rules now support the .sh file type.
10 Nov 2021 10.19


  • Enhanced catch rate and code improvements.
10 Oct 2021 10.18


  • Added detection enhancements and code improvements.
17 Aug 2021 10.17


  • Added detection enhancements and code improvements.
14 Jul 2021 10.16


  • Added detection enhancements and code improvements.
30 May 2021 10.15


  • In a continuous race for the highest security and uncompromised productivity for our customers, we are excited to introduce improved AI-based detection capabilities for executable files. This new model provides customers with better security with less business impact by improving on the already high detection rate and already very low false alarms rate even further. The new AI model also allows customers more efficient prioritization and risk assessment of security events by increasing the Confidence level accuracy.
28 Apr 2021 10.14


  • Threat Emulation sandbox enhanced with new heuristics for Qbot malware detection and various code improvements.
30 Mar 2021 10.13


  • Added detection enhancements and code improvements.
24 Feb 2021 10.12


  • Added detection enhancements and code improvements.
2 Feb 2021 10.11


  • Threat Emulation sandbox enhanced with advanced anti-evasion techniques to improve prevention of malware that tries to detect emulation and hide its malicious activities.
    • This enhancement applies to all platforms and all TE vectors: Web download, MTA, CloudGuard SaaS, SBA, APIs.
29 Dec 2020 10.10


  • Added detection enhancements and code improvements.
17 Dec 2020 10.9


  • Uses Internet-connected sandboxes to prevent multi-stage attacks at the earliest stage. The full infection chain is analyzed and is presented in the MITRE ATT&CK Matrix visualization in the Threat Emulation report. 
    • This new capability is supported on all cloud platforms and all Threat Emulation vectors: Web download, MTA, CloudGuard SaaS, SBA, APIs.
    • Example of Threat Emulation report for prevented multi-stage attack can be found here.
12 Nov 2020 10.8


  • Added detection enhancements and code improvements.
28 Oct 2020 10.7


  • Threat Emulation Engine support for R81 Check Point Infinity
    • Important note: R81 based emulators and appliances only support Threat Emulation engine 10.7 or higher. Internet-connected gateways are automatically updated to the new engine unless automatic updates are disabled. To manually update gateways refer to sk92509.
  • Threat Emulation Cloud Dedicated to China and Australia - Gateways can be configured so that files are sent for emulation (sandboxing) only in a specific country, to meet regulatory requirements and other privacy concerns. This update now includes the ability to restrict emulations to China or Australia. To restrict your gateway’s emulations to a specific country, follow the instructions in sk97877.
30 Sep 2020 10.5


  • Improved the time to get a verdict for CSV files by 50%
  • Reduced false positive rate for dropped files (to near 0%)
  • In addition to the existing support for password protected archives, Threat Emulation now supports scanning of password protected Microsoft Office and PDF documents, using password guess techniques:
    • Commonly used password dictionary
    • Password from email context (subject, body text, attachment names)
    • Custom password list (see sk112821 for configuration instructions)
    • Support for all TE vectors: Web download, MTA, CGSaaS, SBA, APIs
12 Jul 2020 10.2


  • Uses Neural Networks and Deep Learning to improve detection of executable files by 2%.
  • The reduction in the false positive detection rate of executable files is 50%.
  • Improved detection of obfuscated macros in Microsoft Office files.
  • Detection rules for widely spread HTML-based threats, including:
    • Nemucod ransomware
    • JS crypto-miners in HTML
    • Portable executables embedded inside HTML documents

  • Enhancements:
    • Fixes an issue where a manual offline update of the Threat Emulation engine may flag safe documents as malicious.
    • Enhanced reporting of errors in the Threat Emulation API: If an error occurred during the emulation, Threat Emulation API returns a detailed description of the error, including the engine version number. This new addition allows for better troubleshooting as well as granular actions by the API client, depending on the error that occurred. For more information, see sk167161.
    22 May 2020 9.7


    • Local Threat Emulation is now supported on R80.40
    • Performance Improvement - Verdicts for unknown files now arrive 10-20% faster
    • Stability improvements - emulation timeouts are even less likely to happen (80% improvement)
    • Various improvements to detection rate and reduction of false positive rate
          01 Apr 2020 9.6


          • Reduced False Positive verdicts about documents. (This is done by querying additional external resources before lowering Confidence)
          • Added the ability to add YARA-based exceptions in the documents flow, overriding the verdict for specific cases
          • Enhanced handling of malware that tries to determine that it is running in a virtual machine to evade sandboxing
          • New images were released for sandbox VMs, with performance improvements of the sandbox
          23 Feb 2020 9.5


          • MITRE in TE report - fixed minor UI issues in the MITRE ATT&CK section in the Threat Emulation Summary Report
          • Emulation platform enhancement - fixed issues that can cause an emulation to fail in rare cases
          • Anti-evasion - enhanced handling of malware trying to determine that they run in virtual machines to evade sandboxing
          13 Jan 2020 9.4 


          More information about new revisions: sk135413

          • CVE Reference in Reports - The Threat Emulation Summary Report now includes a reference to the CVE used by the malic.
          • MITRE ATT&CK information in the log card - since engine update 9.0, the Threat Emulation Findings report contains a MITRE ATT&CK section, detailing the different techniques detected in the malicious file.
            Starting engine update 9.4, this information is also available in the log card.
            This update allows administrators to better understand the attack by looking at the log card, to export this data to external SIEM systems, and to easily search and filter attack events based on MITRE fields.
          • Export Threat Detailed Report to logs and external SIEM systems. Threat Emulation Report data details are now exported to logs and external SIEM systems and provide ease of search and filtering based on MITRE related data.
          11 Dec 2019 9.3


          • Enhanced Prevention of Zero-Day Malicious Documents - Rebuilt some of the emulation engines for Microsoft Office and Adobe PDF documents, to increase the catch rate and return malicious verdicts much faster.
          • More Granular Error Management – Added the ability to configure a specific failure mode (fail-open / fail-close) for cases in which emulation fails due to the file being non-supported. For more information, refer to sk132492.
          19 Nov 2019 9.2


          More information about new revisions: sk135413

          • New Archive File Type Support - The following archive file types are now supported: LZH, ARJ, CPIO, AR.
          • Fixed a bug that can cause incorrect values in the Verdict log field for files extracted from archives.
          • Fixed a bug causing Threat Emulation not to treat encrypted PDFs according to the policy and always fail their emulation.
          • Fixed a bug that can cause archive files of unsupported types to be mistakenly marked as malicious by Threat Emulation.
          • Fixed some small UI bugs in the MITRE ATT&CK part of the Threat Emulation report. 
          30 Oct 2019 9.1


          More info about new revisions: sk135413

          • New Archive File Type Support - the new engine supports the following archive file types when password-protected: RPM, WIM, CHM, LZH, MSI, ARJ, CPIO, AR, CramFS, QCOW2, UDF.
          • Replacing the Threat Emulation API Certificate - administrators can now upload their own certificate to be used for Threat Emulation API calls to their Threat Emulation appliance. For more information, refer to sk160693.
          15 Sep 2019 9.0


          More info about new revisions: sk135413

          • MITRE ATT&CK reporting - the Threat Emulation Forensics Report now includes a detailed MITRE ATT&CK Matrix with the detected adversary tactics and techniques for every executable file found to be malicious.

          • Enhanced Support for Archive Files - this engine release includes significant improvements in handling archive files. Improvements include:
            • All supported file types, including .7z and .rar, are now also supported when password-protected. For more details, refer to sk112821
            • Improved mechanism to automatically "guess" passwords when opening password-protected archives for emulation.
            • Added support for password-protected archives, using Unicode characters in the password.
            • Many newly supported archive formats - WIM, CHM, CramFS, DMG, EXT, FAT, GPT, HFS, IHEX, MBR, MSI, NSIS, NTFS, QCOW2, RPM, SquashFS, UDF, UEFI, VDI, VHD, VMDK (starting from TE engine version 9.1).
          • Stability improvements
          28 Aug 2019 8.8


          More info about new revisions: sk135413

          • Faster delivery of emulation verdict for documents in which files are embedded.
          • Various code improvements
          7 Aug 2019 8.7


          • Enhanced Anti-Evasion - Several improvements to the emulation’s human impersonation, making it even more resistant to modern evasion techniques.

          • Faster Emulation of Documents - Emulations of Microsoft Office and Adobe PDF files now take significantly less time, allowing for enhanced productivity due to faster verdicts for malicious files and, most importantly, benign files.
          10 Jul 2019 8.6


          More info about new revisions: sk135413

          Enhanced Support for Password-Protected Documents

          • Administrators can now configure a default action for password-protected documents, so that if those files reach emulation, they are allowed or blocked by default. To configure the default action, follow the instructions in sk132492.
          • Performance and stability improvements for cloud emulations.
          5 Jun 2019 8.5 58.990000788
          • Attachments from Nested MSG Files - Threat Emulation now supports emulating files that are attached to MSG files that are themselves attached to other MSG files.
          5 Jun 2019 8.4.2 58.990000741
          • Deployment only to the appliances.

          13 May 2019


          8.4 58.990000732


          More info about new revisions: sk135413

          New Features

          Enhanced Logging for Emulated Archive Files

          Until this update, emulation of archive files generated a single log, for the archive file itself. With this release:

          • The archive file log includes the names of all the files inside it.
          • A new log is generated for every file extracted from the archive with its emulation results. This log contains the name of the archive file, so that the logs of the archive file and of the files it contains are easily correlated.

          Detailed Malware Behavior Report

          SOC teams investigating a detected malicious file via the Emulation Details report can now download a detailed malware behavior report. The report contains general information about the emulated file, as well as all observed activities such as processes opened, API calls initiated, registry events, etc. To download this report, click on the left download icon in the Emulation Details report, under the Advanced Forensics section.

          Improvements and Enhancements

          Enhanced Anti-Evasion Techniques

          Improved detection and prevention of malware files employing evasion techniques. The improvements include:

          • Enhanced human interaction simulation
          • Enhanced detection of malware initiated after the malicious file is closed.
          • Enhanced handling of malware creating a large amount of API calls to overload the emulator.
          • Enhanced handling of malware trying to check if the file is run in a virtualized environment
          • Fixed an issue causing password-protected archives not to be emulated even though the password for the file is located in the email body. This issue can occur if the archive file was attached to emails with multi-part bodies. The most common example is an email body combining pictures and text.
          Important License Enforcement Note

          As previously announced, the grace period for the Threat Emulation license enforcement is over. Starting with this emulation engine update, a valid NGTX license must be installed on the Gateway for Threat Emulation and Threat Extraction to work properly. Gateways without the required license receive the following warning log: "Warning: NGTX license is required for the gateway to enable Threat Emulation. To ensure uninterrupted operation, please update the gateway device with a valid license. Please read through sk140212 to make sure you properly set up the system with the required licenses."

          31 Mar 2019


          31/3 - 22/4



          More info about new revisions: sk135413

          New Feature: Enhanced Classification of Malware Families

          A key part of understanding detected malware, its potential damage, and steps for its remediation, is its classification in a malware family.

          This release includes a new machine learning engine that improves this classification, making it faster and more accurate.

          • The new engine utilizes two novel algorithmic approaches for detecting and identifying unknown malware samples and families. The first layer is the application of an unsupervised clustering technique on the behavioral feature space produced by Threat Emulation for detecting sample similarities in behavioral pattern space.
          • The second layer is based on an active learning method, which represents the discovered patterns in a way that allows you to combine information from threat research analysts, inject threat intelligence information into the algorithm, and use it to identify unknown malware families and new variants of known ones. This method allows for the combining of behavioral analysis and threat intelligence into one unified detection operation.

          Enhanced Emulation of EXE files

          A new Threat Emulation engine dedicated to dynamically determining the required emulation time, improving the handling of malicious executable files that take time to start their malicious activity.

          7 Mar 2019


          7/3 - 25/3

          8.2 58.990000492

          More info about new revisions: sk135413

          • NEW: Enhanced Emulation for non-Supported File Types:

            This release introduces a new and easy way to enable Threat Emulation (TE) on file types that are not supported by default. Administrators can now also configure the vector in which TE will run on these file types – Email, Web or both. Refer to sk149292 for more information. 

          14 Feb 2019


          14/2 - 28/2



          More info about new revisions: sk135413

          New Features:

          • Enhanced prevention for attacks in all vectors with .LNK malicious files. These files can now be emulated both using local Threat Emulation Appliances and using the cloud service to provide maximum protection.
          • Enhanced sandboxing (emulation) of Microsoft Office files, utilizing a new Machine Learning engine. The new engine extracts VBA code from the document file, generates powerful expert-designed features, and feeds them to the Machine Learning model that predicts maliciousness. It is based on a classic ML ensemble method called Random Forest.

          16 Jan 2019



          8.0 58.990000298 

          More info about new revisions: sk135413

          New Features:

          Enhanced Visibility on "Malware DNA" Analysis.

          With this release, security personnel can better understand the analysis performed on the malware and the reasons for the file being flagged as malicious.

          The Threat Detail report now includes Malware DNA, a deep dive into different similarities it presents to known malware families. The enhanced analysis includes:

          • Behavioral similarities with other malware families
          • Code structure similarities with other malware families
          • File similarities with other malware families
          • Patterns of connection attempts to malicious websites and C&C servers similar to other malware families.
          • Malware DNA employs a novel technique to detect malicious code at the lowest level representation - the machine-code level. By extracting the binary representation of malicious code from known malware and representing it in generalized form, Malware DNA is able to detect unique code, code re-use and code permutations of unknown and future threats. Moreover, Malware DNA technology makes it possible to detect threats embedded in otherwise benign software even if the malicious code only runs in very specific and rare situations. By identifying known code inside the executable, Malware DNA is able to segregate and classify parts of an executable and trace the code to its origin.
          • Malware DNA employs a range of techniques that render it resistant to code permutations, compiler optimizations and other changes to code that do not change code semantics.
          • Unlike other malware detection technologies, Malware DNA is not based on signatures, sandbox or anomaly detection. It's an ultra-fast static engine which is not susceptible to evasion techniques.

          24 Dec 2018





          More info about new revisions: sk135413

          New Features:

          • Expanded Anti-Virus via Threat Prevention API support for local Threat Emulation appliances and Threat Prevention API for Anti-Virus deep scans. The new feature provides the ability to run a full AV Deep-scan using a Threat Emulation appliance. For additional details and instructions, refer to the Threat Prevention API Reference Guide.

          • Policy Restriction Handling - Control system behavior by applying user-defined restrictions. The following restrictions are supported:
            • Archive extraction error - Define and handle archive-related policies.
            • Max number of files - Define max number of files the system archive.

          • Dynamic Detection Machine Learning. Adds a machine learning model that uses dynamic emulation output, specifically the API calls performed by the analyzed executable, to detect malware. It uses machine-generated features as well as sophisticated features hand-crafted by domain experts and world-class malware researchers, and leverages and constantly updates state-of-the-art anti-evasion techniques. The machine learning is trained frequently on real production data, making its relevant, customer-facing detection rate superior to previous generations of dynamic detection schemes while maintaining a very low false discovery rate. It is the most important component of our in-house detection capabilities.

          • Licensing Enforcement starting with Threat Emulation engine version 7.9. The Gateway device will also now validate the existence of a valid NGTX license when using a SandBlast appliance for emulation. However, there are some exceptions, so refer to sk140212 for details.

          Improvements and Enhancements:

          • Customized YARA signatures: Enable deployment of dynamic custom behavioral in the Gateway. 
          • Improve detection of URL reputation by adding context data to a URL rep request and identifying the file that caused the activity.

          18 Nov 2018


          18/11 - 12/12

          7.8 58.990000075 

          More info about new revisions: sk135413

          • Introducing new detection engine - IP reputation: Preemptively reject requests that are coming from or sent to IP addresses marked as malicious, by Check Point's constant malware research activities. This engine is protocol agnostic and can detect and prevent any communication protocol.
          • Introducing CADET for local emulation - CADET (Context-Aware Detection and Elimination of Threats), Check Point's newest and successfully proven AI-based technology, is now available across all SandBlast deployment options (cloud and on premise). Check Point's CADET technology continuously evolves and adapts to the changing threat landscape using machine learning to offer best in the market detection accuracy.
          • Threat emulation reports now include traffic capture logs. A detailed traffic log is now available for download directly from the emulation reports, allowing users visibility of suspicious network traffic generated by examined files.
          • New Threat Emulation reports are now available via a consolidated API: a newly aligned and consolidated public API for new Threat Emulation reports for both cloud and on-premise (appliance) environments.
          • Note: backwards compatibility is supported using the "reports_version_number" field. Additional information is available in the Threat Prevention API documentation: Threat Prevention API 1.0 Reference Guide.

          15 Oct 2018


          15/10 - 26/11



          More info about new revisions: sk135413

          • New AI-powered detection engines for malware detection in documents: Our Machine just learned how to improve detection accuracy in documents. The technique used includes a combination of our techniques for CPUL and OS level emulation and machine learning algorithms to significantly improve the detection accuracy while reducing false positives.
            Note: new AI Model will initially be deployed in Threat Prevention cloud only. On-premise deployments will be supported in a later release.
          • R80.10 (Jumbo HF 151) supported by TEX appliances. Support for DLL files in TE (requires Image revision 247). DLL files are emulated in a way similar to executable files.
          • Improved detection using behavioral machine learning to detect threats in executable files. Advanced automated machine learning using millions of samples to improve the accuracy of the executable behavioral machine learning detection. 
          • Detection Improvement - CADET – updated machine learning model for executable files.  Incorporates new data sources from our latest engine improvement into the decision making of Cadet. This allows improvement in detection accuracy.
          • Introducing a new detection engine that examines file similarity. This allows for better classification of the malware family to understand the nature of the attack.
          • Update frequency algorithm improved (more frequent updates).
          • Improved performance of TE GC (cleanup script).
          • Bug fixes: Fixed an issue that caused TE to restart when the cache is full. 
          07 Oct 2018



          7.5 57.990002818
          • Remove writing to the cloud emulator local cache.
          • Changed check for update frequency.
          • Released to cloud emulators (not to gateways).

          28 Sep 2018


          28/9 - 29/9

          7.5 57.990002817
          • Changed check for update frequency
          • Released to gateways (not to cloud emulators).

          4 Sep 2018


          3/9 - 26/9



          More info about new revisions: sk135413

          • TE Local Emulation for version R80.20 has been changed to version R80.20 GA.
          • Fixed an issue with licensing that caused some emulators not to use the full capacity.

          13 Aug 2018


          13/8 - 28/8



          (Cloud 572772)

          IMAGE-READY = 234

          • TE local Emulation on R80.20 – early availability.
          • Improvements of 64bit executable detection.

          29 Jul 2018


          29/7 - 9/8


          Revert Engine to 7.2 :57.990002736

          Only for part of the appliances


          IMAGE-READY = 234

          • NEW SandBlast Threat Emulation report. For specific availability details, refer to sk120357
          • Error Granularity Manager. For more information, refer to sk132492.

          08 Jul 2018


          8/7 - 19/7



          Revert Engine :57.990002736

          IMAGE-READY = 234

          • Added support for macOS file types to both SandBlast Emulation Cloud and locally. For more details see sk130652
          • Return low confidence in case only few events are seen during emulation of documents.

          14 Jun 2018


          Deployment: 25/6 - 5/7



          IMAGE-READY = 234

          • Apply YARA rules to file types supported by TE. For more details see sk123156.
          • Added new supported file types: PowerShell (.ps1) and Batch files (.bat)
          • Added new supported file types following recent campaigns: SYmbolic LinK files (.slk) and Excel Web Query file (.iqy)
          • Cache Purger - a mechanism that reduces FP rate for cloud customers (GWs which use the "sharing" feature will also benefit from this mechanism).
          • Avoid the scenario where TE stops emulation while the logs continue to write to disk and the emulation enters fail mode. For more details see sk124712
          23 May 2018 7


          IMAGE-READY = 234

          CADET (Context-Aware Detection and Elimination of Threats)
          • CADET improves Threat Emulation precision by incorporating all existing Threat Emulation features in Machine Learning (ML) mode. ML is tuned to improve accuracy, increasing the number of threats detected and reducing the number of false positives.
          • Currently, CADET focuses on executable files, and applies only to cloud emulations.

          Threat Prevention by file source URL.

          Improved Static Macro analyzer. Improved detection of malicious macros in Office documents.

          Improved executable file analysis performance by approximately 40%.

          YARA for all file support – Early Availability. This feature is currently off by default. 

          New anti-evasion techniques. 

          • Additional features in Threat Emulation reports:
          • Added tecli command for configuring the malicious file password.
          • Added HTTP attack vector which includes the download source URL and its reputation.
          • Added time stamp to the attack vector.
          • Added the option to download packet capture.
          • Show the entire file path for archive/dropped/embedded descendants.
          • Show emulation video instead of static screenshots.

          Improved Cloud Emulation queue wait time by approximately 50%.

            04 Apr 2018 6.15


            IMAGE_READY = 234

            •  Added support for .bat and .cmd files that arrive in mail attachments. These file types are not available in the Threat Emulation Supported File Types menu.
            • Detection improvements and FP reduction.
              Introduced advanced human simulation – Threat Intelligence group has observed many files in the wild that were using a new evasion technique (implementation in images rev. 234)
            • CADET for executable files only - silent mode
              • Cadet aims to improve Threat Emulation precision on executable files by transferring all existing TE features (such as emulation results, reputation, and others) to an AI model tuned to improve accuracy – increase detection and reduce false positives. Cadet is focused preliminarily on executable files, and will apply only to cloud emulations at this first stage.
                Cadet is currently being deployed in Silent mode - meaning, it does not change the verdict on TE.
            • FP handling improvement - Smarter management of global TE Cloud Cache, to increase cached verdict reliability and prevent FP pollution.
            04 Mar 2018 6.14


            IMAGE_READY = 226

            Prohibited file types - Enables configuration of blocking file type - sk123140

            15 Jan 2018


            15/01/18 - 05/02/18



            More info about new revisions: sk122374


            •  Improved detection
              • Added support for 64bit Binaries using live machine learning detection. 64bit Binaries will be emulated on the 64bit images (Win 7 64, Win 8.1 64 and Win 10).
            • NEW THREAT EMULATION REPORTS - currently in EA and applied for R80.10 - sk120357
              • Issues from 6.12 that were released as offline only
                • Please see below

               21 Dec 2017

              Only offline



              Images_Ready: 209

              File_Types - TE_FILE_TYPES_MAP

              Version: 38

              • Fixed an issue where the system attempted to emulate non-relevant content types when downloading files from .com domains
              • Support for *.xz file type
              • Stability improvements
              13 Dec
              6.11.2 55.990001820
              • Fixed an issue related to a rare condition in private cloud emulation where files are stuck in the uploading state if the first rule in the policy is not installed on the GW.
              22 Nov



              6.11.1 55.990001819


              Images_Ready: 208

              • New Threat Emulation Reports (currently in EA) - please refer to sk120357
                • Embedded-file drill-down - For emulations of archives, droppers, and documents embedding other files: click on any of the embedded/dropped files with malicious verdict to drill down on its emulation report.
                • Graphic attack vector for SMTP
              • Bug fixes and improved detection
                • Fixed an emulation performance issue that affected some customers
                • Improved detection of documents with macros
                • Code improvements

              06 Nov



              Images_Ready: 207

              • New Threat Emulation Reports (currently in EA) - please refer to sk120357
                • Support of Archive files - Reports of archive files display a table listing all files in the archive with an individual verdict for each file
                • Support of "Actions"
                  • Contact Check Point Incident Response Team
                  • Generate a CSV of the emulation activity timeline
                • Improved Detection of DDE-based attacks

                  26 Sep







                  • Revolutionized TE reports
                    • Beta release - follow sk120357 to enable this feature on R80.10 Security Gateways for PoCs and evaluation.
                    • Enriched IOCs – we are extracting many more indicators of compromise from emulation sessions of malicious files and including them in the TE reports.
                    • Revised UI and workflow.
                      Note: This is work in progress - the new report is not generated by default. The new report can be enabled on R80.10 Security Gateway for PoCs and evaluation.
                  • Several improvements to some of the TE detection engines
                    • Improved machine learning model
                    • Reduced number of false positives

                  13 Aug



                  • Fixed issue regarding embedded link inspection in Private Threat Cloud environments. 
                  • Fixed unnecessary disk space usage on Security Gateways

                  09 Aug



                  • Minor code improvements
                  • Reduced number of false positives caused by JS embedded in PDF
                  • Early Availability of R80.10 support for SandBlast TE250X, TE1000X, TE2000X appliances:
                    • To participate, you need to upgrade the SandBlast TEX appliance to R80.10 and make sure that this TE engine is installed
                    • Note: Do not use R80.10 on TE100X model at this point.

                    19 July



                    More info about new revisions: sk119144

                    • Performance improvement
                      • Improved file processing throughput for Security Gateways that send files for emulation by the SandBlast cloud service or in a SandBlast TE appliance deployment. Uploading several files in parallel significantly reduces possible issues caused by a queue of files waiting for upload.
                    • Improved detection
                      • Improved simulation of user interaction
                      • Integration with new network reputation service that contains advanced algorithms for improving malware network activity detection.
                    • License enforcement
                      • Validate NGTX license for Security Gateways working with TE appliances and for inline TE appliances - applicable for new TE appliance SKUs launched in October 2017 - sk119133
                    • Infrastructure for fast OS image update
                      • New infrastructure for OS image updates, allowing much smaller updates and much shorter downtime (minutes instead of hours). Image Initialization phase reduced to a few seconds.
                    • Updated OS Images 
                      The new images include general OS improvements and Creators Update for Windows 10:
                      • "Win10 64b,Office 2016,Adobe DC"
                      • "Win7,Office 2010,Adobe 9.4"
                      • "Win7 64b,Office 2010,Adobe 11"

                        Note: Before upgrading the TE Engine, make sure that you have 160 GB of free disk space!

                    06 July



                    Fix related to file descriptor leak in logs in R80.10.
                    For more details, see sk117672.

                    25 June 2017



                    • Improved detection by Macro analyzer
                    • Support for TLS 1.2 Jumbo HF
                    • Reduced scan engine core dumps
                    • Reduced false positives
                    15 June 2017 6.6.2


                    • General code improvements
                    06 June 2017 6.6.1


                    • Security fix: In links inside mail - fix error under load

                    23 May 2017




                    Scanengine Package:


                    Version: 5

                    • Multiple Remote
                      • Multiple Remote was introduced in engine update 6.5, allowing Security Gateways from separate management SIC domains to connect to the same TE appliance.
                      • This update removes several Multiple Remote limitations:
                        • Multiple Remote now supports VSX gateways
                        • Multiple Remote now supports 64-bit gateways (for more details, refer to sk102309)
                    • New configuration options
                      • Added the ability to configure the maximum number of files, which are extracted from archive for emulation: 
                        tecli -> advanced -> archive -> extract -> max_extracted_files_limit -> set Number_0-500
                    • Ransomware detection
                      • Improved detection of ransomware - a new Threat Emulation engine monitors data file tampering within sandbox sessions
                    • Important code improvements
                      • Fixed scenarios, in which there are missing screenshots in Threat Emulation reports
                      • Added support for UTF-8 file names in archives
                      • Cleaned up debug logs in ted.elg

                    06 April 2017





                    Version: 2



                    Version: 4

                    • Improvements in Early Verdict for prevent (the early verdict provides partial response when the file is malicious)
                    • Improved support for Multiple Private Cloud Appliances - added support for different management domains (sk102309 - section "(9) Configure Security Gateway to use a remote Threat Emulation Private Cloud Appliance that is managed by a different Management Server")
                    • Improved detection

                    12 March 2017





                    Version: 11

                    • Windows 10 support - User will be able to emulate non-executable files on Windows 10 64-bit
                    • Early Verdict for prevent - The early verdict provides partial response when the file is malicious - sk117168
                    • Improve detection:
                      • Detection of SHA-1 collision attacks (SHAttered attack - sk116141)
                      • Provide detection for PDF with embedded links including phishing attempts
                    • tecli command improvement - enable/disable internally supported file types
                    • Bug fixes:
                      • Reduced false-positives in Macro detection
                      • Resolved storage cleanup issues

                    19 Feb 2017



                    • Ransomware campaigns detection improvement - new file type supported:
                      • *.vbs file type in archives attached to e-mail
                      • *.wsf file type in archives attached to e-mail
                    • R80.10 compatibility - TE Engine will now be able to run across multiple Gaia releases.
                    • Code improvements related to "Push Forward" that result in error

                    16 Jan 2017



                    WEM_phase_1 - TE_IMAGE




                    WEM_phase_2 - TE_IMAGE



                    • NEW:
                    • Additional fixes:
                      • Improved stability of CPU Level emulation
                      • Reduced emulation errors in CPU Level emulation

                    28 Nov 2016



                    File_Types: TE_FILE_TYPES_MAP


                    Version: 37



                    Version: 471022

                    • NEW:
                      • Support for *.cpl file type
                      • Support for *.vbs, *.jse, *.vba, *.vbe, *.wsf and *.wsh file types in archives attached to e-mail
                    • Improved password extraction from e-mail body (special hotfix is required)
                    • Performance and quality improvements

                    08 Nov 2016



                    • Security Fix - classifier fix in order to deal with macro-enabled Office files
                    • Code improvements:
                      • Engine update - fixed EU6.1 emulator emulating unsupported file types:
                        • Matter reported/reproduced under the following scenarios: unsupported file types sent through API, ICAP client and Security Gateway running Engine Update 6 with unsupported file types inside archive
                      • Core in Hotfix with links during stress tests
                      • "tecli advanced archive extract ..." commands were deleted in D6.1 - reverted the change
                      • Threat Emulation daemon crash that occurs in stress or in scenarios related to password protected archives.

                      25 Sep 2016



                      • Threat Emulation File Analyzer: sk112312
                        • Files embedded in documents will be extracted and emulated
                        • Ability to block certain embedded files using command line
                        • Documents containing Links (URLs) - reputation will be checked using Check Point ThreatCloud
                      • Encrypted archives: sk112821
                        • Attempt to decrypt the commonly used archives using a password dictionary
                        • User defined password phrases support
                        • Ability to prevent password protected files in case of decryption failure
                          ("Prevent" action will occur only when Emulation Connection Handling Mode is configured to 'Hold')
                      • NEW: Support for *.com, *.iso archive, and *.js file in archives attached to e-mail
                      • Independent profile configuration for SandBlast appliance - sending Gateway and SandBlast appliance are not required to carry the same policy
                      • Executable machine learning detection engine improvements
                      • In total: 110+ bug fixes and quality improvements

                      25 Jul 2016



                      • Added support for SHA-256 based certificates for Threat Emulation Engine self-update (sk103839, sk113333)

                      13 Jun 2016



                      • Check Point response to the CVE-2016-3712 and CVE-2016-3710 vulnerabilities in QEMU
                      • Code improvements in update routine for VSX deployments

                      25 Apr 2016




                      UID: 3FF3DDAE-E7FD-4969-818C-D5F1A2BE336D, Revision: 14

                      UID: 5E5DE275-A103-4F67-B55B-47532918FA59, Revision: 22

                      UID: 6c453c9b-20f7-471a-956c-3198a868dc92, Revision: 15

                      UID: E50E99F3-5963-4573-AF9E-E3F4750B55E2, Revision: 53

                      UID: 8D188031-1010-4466-828B-0CD13D4303FF, Revision: 24

                      UID: 7E6FE36E-889E-4C25-8704-56378F0830DF, Revision: 53

                      • NEW: 64-bit OS images - Windows 8.1 and Windows 7
                      • NEW: Detecting links to malicious files inside e-mails (refer to sk115313)
                      • NEW: SMEP Detection - detect privilege escalation attempts
                      • NEW: Support for *.gz and *.bz2 archives
                      • Improved file classification
                      • Enhanced malicious executable detection:
                        • User Access Control - Detect malicious attempts to bypass the Windows UAC mechanism
                        • Icon similarity - Detect executables whose program icon is similar to known application documents
                        • Machine learning detection engine improvements
                      • Deep scan:
                        • Significant memory usage reduction for Anti-Virus deep scan (requires a hotfix - will be available soon)
                        • Integrated additional deep scan capabilities in TE
                      • Images initialization duration improvements
                      • Code and quality improvements:
                        • CPU-level engine - reduced FPs, improved stability
                        • Solved cluster failovers due to TE blade
                        • Improved JAR static analysis
                      • In total: 190+ features and bug fixes

                      17 Apr 2016



                      • Update routine improvements.

                      20 Jan 2016



                      • Check Point response to CVE-2016-1714 - see sk109700

                      16 Nov 2015


                      [8 Dec]: 44.990000107

                      [16 Nov]: 44.990000099


                      UID: E50E99F3-5963-4573-AF9E-E3F4750B55E2, Revision: 47

                      UID: 7E6FE36E-889E-4C25-8704-56378F0830DF, Revision: 50

                      UID: 5E5DE275-A103-4F67-B55B-47532918FA59, Revision: 20

                      UID: 8D188031-1010-4466-828B-0CD13D4303FF, Revision: 22

                      • NEW: Optimized OS images for improved detection
                      • NEW: recommended OS image carrying up-to-date software for enhanced detection
                      • Code and quality improvements:
                        • Confidence level for executable files
                        • Performance degradation when using Hybrid mode

                      25 Aug 2015


                      [7 Sep]: 43.990000082

                      [25 Aug]: 43.990000078


                      UID: E50E99F3-5963-4573-AF9E-E3F4750B55E2, Revision: 47

                      UID: 7E6FE36E-889E-4C25-8704-56378F0830DF, Revision: 49

                      UID: 5E5DE275-A103-4F67-B55B-47532918FA59, Revision: 19

                      UID: 8D188031-1010-4466-828B-0CD13D4303FF, Revision: 21

                      • NEW: CPU level Threat Prevention:
                        • Supported on TE100X, TE250X, TE1000X and TE2000X appliances
                        • Hotfix from sk107333 may be required after updating the engine
                      • NEW: Support for *.pif file type
                      • Improvements in detection ratio
                      • Code and quality improvements

                      30 Jul 2015




                      UID: E50E99F3-5963-4573-AF9E-E3F4750B55E2, Revision: 45

                      UID: 7E6FE36E-889E-4C25-8704-56378F0830DF, Revision: 47

                      UID: 5E5DE275-A103-4F67-B55B-47532918FA59, Revision: 17

                      UID: 8D188031-1010-4466-828B-0CD13D4303FF, Revision: 19

                      • NEW: Public API for emulation services
                      • NEW: Network based detection
                      • NEW: Threat Cloud advisory
                      • NEW: Support for *.cab and *.tgz archives
                      • NEW: Full ZIP archive scanning
                      • NEW: Dropped files emulation
                      • Improvements in detection ratio of *.exe
                      • Improvements in stability - persistent file emulation queue
                      • Code and performance improvements

                      14 May 2015



                      • Check Point response to CVE-2015-3456 (VENOM) - see sk106060

                      15 Feb 2015




                      UID: 5e5de275-a103-4f67-b55b-47532918fa59, Revision: 15

                      UID: 7e6fe36e-889e-4c25-8704-56378f0830df, Revision: 45

                      UID: 8d188031-1010-4466-828b-0cd13d4303ff, Revision: 16

                      UID: e50e99f3-5963-4573-af9e-e3f4750b55e2, Revision: 44

                      • NEW: Support for Flash file type
                      • NEW: Support for Java file type
                      • Improvements in detection of *.exe and *.scr files by adding behavioral features and using a decision mechanism that is based on a machine learning model
                      • VSX improvements
                      • Support for SHA256 as part of the logging information.
                      • Added the TTL mechanism to the local cache on the Security Gateway
                      • Code improvements

                      03 Sep 2014



                      • NEW: Support of Multiple Private Cloud Appliances - see sk102309
                      • NEW: Support for *.scr file type
                      • NEW: Skipping emulation for known good files according to domains and certificates
                      • New version of the Static analysis mechanism
                      • Stability fixes - Enhanced handling of files, which generate extensive forensics data/reports

                      27 Apr 2014



                      • NEW: Support for archive caching
                      • NEW: Support for dropping of archive files that contain certain file types
                      • NEW: Better file classification abilities
                      • NEW: Enhanced detection of emulation process tampering
                      • Stability fix - Possible memory leak in certain circumstances

                      06 Feb 2014



                      • NEW: Support for executable emulation
                      • NEW: Support for archives (ZIP, RAR, TAR and 7z)
                      • NEW: Anti-evasion capabilities against malware that tries to detect its execution in a sandbox
                      • NEW: Better detection capabilities
                      • Stability fixes

                      29 Dec 2013



                      • NEW: Support for GEO restriction (for details, refer to sk97877)
                      • Stability fix for supporting new emulation images
                      • Stability fix for the Engine Update itself

                      25 Nov 2013



                      • Gradual upgrade support
                      • Stability fix for Local Emulations - when using large number of emulation machines (more than 33), the emulation machines will stop responding
                      • Fixed a condition where DNS resolving can cause emulations to fail

                      13 Oct 2013



                      • Fixing a possible bug in communication from Security Gateway to Cloud

                      02 Oct 2013



                      • Stability fix for the Emulators of local and private cloud when dealing with malicious files
                      • More efficient Cloud Service communication
                      • Enhancing availability and stability of the Cloud Service
                      • Fixed confusing log events in the SmartView Tracker

