Threat Emulation Engine Update - What's New?
Solution

This solution contains the new items and fixes for each Threat Emulation Engine Update. It will be updated each time a new Engine Update is released.

To check the current version of Threat Emulation Engine Update, run either one of these commands:

  • [Expert@HostName]# tecli advanced engine version

  • [Expert@HostName]# cat $FWDIR/teCurrentPack/te_ver.ini

To check the current version of Threat Emulation Image, run the following command:

  • [Expert@HostName]# tecli show downloads images

For the latest Threat Emulation malware detection rules, refer to sk117672 - How to update the Threat Emulation malware detection rules.

For file types supported in Threat Emulation, refer to sk106123.

Date - Release Version - What's New

04-Apr-2018 - Release Version 6.15
Engine: 56.990002329
IMAGE_READY = 234

  • Added support for .bat and .cmd files that arrive in mail attachments.
    These file types are not available in the Threat Emulation Supported File Types menu.
  • Detection improvements and FP reduction
    Introduced advanced human simulation - the Threat Intelligence group has observed many files in the wild that were using a new evasion technique (implementation in images rev. 234).
  • CADET for executable files only - silent mode
    Cadet aims to improve Threat Emulation precision on executable files by passing all existing TE features (such as emulation results, reputation, and others) to an AI model tuned to improve accuracy: increase detection and reduce false positives. Cadet is focused initially on executable files, and at this first stage applies only to cloud emulations.
    Cadet is currently deployed in Silent mode, meaning it does not change the TE verdict.
  • FP handling improvement
    Smarter management of the global TE Cloud Cache, to increase cached verdict reliability and prevent FP pollution.

04 Mar 2018 - Release Version 6.14
Engine: 56.990002262
IMAGE_READY = 226

  • Prohibited file types - enables configuration of file type blocking (sk123140)

15 Jan 2018 - Release Version 6.13
Deployment: 15/01/18-05/02/18
Engine: 56.990002053
More info about new revisions: sk122374

  • Improved detection
    • Added support for 64-bit binaries using live machine learning detection. 64-bit binaries will be emulated on the 64-bit images (Win 7 64, Win 8.1 64 and Win 10).
  • NEW THREAT EMULATION REPORTS - currently in EA and applied for R80.10 - sk120357
  • Issues from 6.12 that were released as offline only
    • Please see below

21 Dec 2017 - Release Version 6.12 (offline only)
Engine: 55.990001865
Images_Ready: 209
File_Types - TE_FILE_TYPES_MAP, Version: 38

  • Fixed an issue where the system attempted to emulate non-relevant content types when downloading files from .com domains
  • Support for *.xz file type
  • Stability improvements

13 Dec 2017 - Release Version 6.11.2
Engine: 55.990001820

  • Fixed an issue related to a rare condition in private cloud emulation where files are stuck in the uploading state if the first rule in the policy is not installed on the Gateway.

22 Nov 2017 - Release Version 6.11.1
Engine: 55.990001819
Images_Ready: 208

  • New Threat Emulation Reports (currently in EA) - refer to sk120357
    • Embedded-file drill-down - for emulations of archives, droppers, and documents embedding other files: click any embedded/dropped file with a malicious verdict to drill down into its emulation report.
    • Graphic attack vector for SMTP
  • Bug fixes and improved detection
    • Fixed an emulation performance issue that affected some customers
    • Improved detection of documents with macros
    • Stability fixes

06 Nov 2017 - Release Version 6.10
Engine: 55.990001748
Images_Ready: 207

  • New Threat Emulation Reports (currently in EA) - refer to sk120357
    • Support of archive files - reports of archive files display a table listing all files in the archive with an individual verdict for each file
    • Support of "Actions"
      • Contact Check Point Incident Response Team
      • Generate a CSV of the emulation activity timeline
  • Improved detection of DDE-based attacks

26 Sep 2017 - Release Version 6.9
Engine: 55.990001702
Executable_Analyze: 541553
Images_Ready: 204

  • Revolutionized TE reports
    • Beta release - follow sk120357 to enable this feature on R80.10 Security Gateways for PoCs and evaluation.
    • Enriched IOCs - many more indicators of compromise are extracted from emulation sessions of malicious files and included in the TE reports.
    • Revised UI and workflow.
      Note: This is work in progress - the new report is not generated by default. The new report can be enabled on R80.10 Security Gateways for PoCs and evaluation.
  • Several improvements to TE detection engines
    • Improved machine learning model
    • Reduced number of false positives

13 Aug 2017 - Release Version 6.8.2
Engine: 54.990001557

  • Fixed an issue regarding embedded link inspection in Private Threat Cloud environments.
  • Fixed unnecessary disk space usage on Security Gateways

09 Aug 2017 - Release Version 6.8.1
Engine: 54.990001312

  • Minor bug fixes
  • Reduced number of false positives caused by JS embedded in PDF
  • Early Availability of R80.10 support for SandBlast TE250X, TE1000X, TE2000X appliances:
    • To participate, upgrade the SandBlast TEX appliance to R80.10 and make sure that this TE engine is installed
    • Note: Do not use R80.10 on the TE100X model at this point.

19 July 2017 - Release Version 6.8
Engine: 54.990001309
More info about new revisions: sk119144

  • Performance improvement
    • Improved file processing throughput for Security Gateways sending files to be emulated by the SandBlast cloud service or in a SandBlast TE appliance deployment. Several files are now uploaded in parallel, which significantly reduces issues caused by a queue of files waiting for upload.
  • Improved detection
    • Improved simulation of user interaction
    • Integration with a new network reputation service that contains advanced algorithms for improving malware network activity detection.
  • License enforcement
    • Validate NGTX license for Security Gateways working with TE appliances and for inline TE appliances - applicable for new TE appliance SKUs launched in October 2017 - sk119133
  • Infrastructure for fast OS image update
    • New infrastructure for OS image updates, allowing much smaller updates and much shorter downtime (minutes instead of hours). The Image Initialization phase is reduced to a few seconds.
  • Updated OS images
    The new images include general OS improvements and the Creators Update for Windows 10:
    • "Win10 64b,Office 2016,Adobe DC"
    • "Win7,Office 2010,Adobe 9.4"
    • "Win7 64b,Office 2010,Adobe 11"

    Note: Before upgrading the TE Engine, make sure that you have 160 GB of free disk space!

06 July 2017 - Release Version 6.7.1
Engine: 54.990001252

  • Fix related to a file descriptor leak in logs in R80.10. For more details, see sk117672.

25 June 2017 - Release Version 6.7
Engine: 54.990001250

  • Improved detection by Macro analyzer
  • Support for TLS 1.2 Jumbo HF
  • Reduced scan engine core dumps
  • Reduced false positives

15 June 2017 - Release Version 6.6.2
Engine: 54.990001196

  • General bug fix

06 June 2017 - Release Version 6.6.1
Engine: 54.990001195

  • Security fix: links inside mail - fixed an error under load

23 May 2017 - Release Version 6.6
Engine: 54.990001194
Scanengine Package UID: 64696D61-A095-47E8-B819-3A3A9FF7FC66, Version: 5

  • Multiple Remote
    • Multiple Remote was introduced in engine update 6.5, allowing Security Gateways from separate management SIC domains to connect to the same TE appliance.
    • This update removes several Multiple Remote limitations:
      • Multiple Remote now supports VSX gateways
      • Multiple Remote now supports 64-bit gateways (for more details, refer to sk102309)
  • New configuration options
    • Added the ability to configure the maximum number of files that are extracted from an archive for emulation:
      tecli -> advanced -> archive -> extract -> max_extracted_files_limit -> set Number_0-500
  • Ransomware detection
    • Improved detection of ransomware - a new Threat Emulation engine monitors data file tampering within sandbox sessions
  • Important bug fixes
    • Fixed scenarios in which screenshots were missing from Threat Emulation reports
    • Added support for UTF-8 file names in archives
    • Cleaned up debug logs in ted.elg

06 April 2017 - Release Version 6.5.1
Engine: 54.990001153
UID: 9B2ACBA1-70C0-4C32-AA7F-03F85F67DB09, Version: 2
UID: 10B4A9C6-E414-425C-AE8B-FE4DD7B25244, Version: 4

  • Improvements in Early Verdict for prevent (the early verdict provides a partial response when the file is malicious)
  • Improved support for Multiple Private Cloud Appliances - added support for different management domains (sk102309 - section "(9) Configure Security Gateway to use a remote Threat Emulation Private Cloud Appliance that is managed by a different Management Server")
  • Improved detection

12 March 2017 - Release Version 6.4
Engine: 53.990001139
UID: 10B4A9C6-E414-425C-AE8B-FE4DD7B25244, Version: 11

  • Windows 10 support - users can emulate non-executable files on Windows 10 64-bit
  • Early Verdict for prevent - the early verdict provides a partial response when the file is malicious - sk117168
  • Improved detection:
    • Detection of SHA-1 collision attacks (SHAttered attack - sk116141)
    • Detection for PDFs with embedded links, including phishing attempts
  • tecli command improvement - enable/disable internally supported file types
  • Bug fixes:
    • Reduced false positives in Macro detection
    • Resolved storage cleanup issues

19 Feb 2017 - Release Version 6.3
Engine: 51.990001127

  • Ransomware campaign detection improvement - new file types supported:
    • *.vbs file type in archives attached to e-mail
    • *.wsf file type in archives attached to e-mail
  • R80.10 compatibility - the TE Engine can now run across multiple Gaia releases.
  • Bug fixes related to "Push Forward" that resulted in errors

16 Jan 2017 - Release Version 6.2
Engine: 48.990000062
WEM_phase_1 - TE_IMAGE: 1AFBDE2E-D593-45A8-A686-6CBD42F37823, Version: 2
WEM_phase_2 - TE_IMAGE: 1B0C5014-714D-47F3-9B10-0B7EE386E745, Version: 2

  • New:
  • Additional fixes:
    • Improved stability of CPU Level emulation
    • Reduced emulation errors in CPU Level emulation

28 Nov 2016 - Release Version 6.1.2
Engine: 47.990001022
File_Types - TE_FILE_TYPES_MAP: 779739FA-FDB7-473A-9688-8EFAF60A05C2, Version: 37
Executable_Analyzer - TE_EXE_ANALYZER, Version: 471022

  • NEW:
    • Support for *.cpl file type
    • Support for *.vbs, *.jse, *.vba, *.vbe, *.wsf and *.wsh file types in archives attached to e-mail
  • Improved password extraction from e-mail body (special hotfix is required)
  • Performance and quality improvements

08 Nov 2016 - Release Version 6.1.1
Engine: 47.990001008

  • Security fix - classifier fix to handle macro-enabled Office files
  • Main bug fixes:
    • Engine update - fixed the EU6.1 emulator emulating unsupported file types:
      • Reported/reproduced under the following scenarios: unsupported file types sent through API, ICAP client, and Security Gateway running Engine Update 6 with unsupported file types inside an archive
    • Core dump in Hotfix with links during stress tests
    • "tecli advanced archive extract ..." commands were deleted in D6.1 - reverted the change
    • Threat Emulation daemon crash that occurs under stress or in scenarios related to password protected archives.

25 Sep 2016 - Release Version 6.1
Engine: 47.990000102

  • Threat Emulation File Analyzer: sk112312
    • Files embedded in documents will be extracted and emulated
    • Ability to block certain embedded files using the command line
    • Documents containing links (URLs) - reputation will be checked using Check Point ThreatCloud
  • Encrypted archives: sk112821
    • Attempt to decrypt commonly used archives using a password dictionary
    • User-defined password phrases support
    • Ability to prevent password protected files in case of decryption failure
      ("Prevent" action will occur only when Emulation Connection Handling Mode is configured to 'Hold')
  • NEW: Support for *.com, *.iso archive, and *.js files in archives attached to e-mail
  • Independent profile configuration for SandBlast appliance - the sending Gateway and the SandBlast appliance are not required to carry the same policy
  • Executable machine learning detection engine improvements
  • In total: 110+ bug fixes and quality improvements

25 Jul 2016 - Release Version 6.0.2
Engine: 46.990000189

  • Added support for SHA-256 based certificates for Threat Emulation Engine self-update (sk103839, sk113333)

13 Jun 2016 - Release Version 6.0.1
Engine: 46.990000187

  • Check Point response to the CVE-2016-3712 and CVE-2016-3710 vulnerabilities in QEMU
  • Bug fix in the update routine for VSX deployments

25 Apr 2016 - Release Version 6
Engine: 46.990000181
Images:
  UID: 3FF3DDAE-E7FD-4969-818C-D5F1A2BE336D, Revision: 14
  UID: 5E5DE275-A103-4F67-B55B-47532918FA59, Revision: 22
  UID: 6c453c9b-20f7-471a-956c-3198a868dc92, Revision: 15
  UID: E50E99F3-5963-4573-AF9E-E3F4750B55E2, Revision: 53
  UID: 8D188031-1010-4466-828B-0CD13D4303FF, Revision: 24
  UID: 7E6FE36E-889E-4C25-8704-56378F0830DF, Revision: 53

  • NEW: 64-bit OS images - Windows 8.1 and Windows 7
  • NEW: Detecting links to malicious files inside e-mails (refer to sk115313)
  • NEW: SMEP Detection - detect privilege escalation attempts
  • NEW: Support for *.gz and *.bz2 archives
  • Improved file classification
  • Enhanced malicious executable detection:
    • User Access Control - detect malicious attempts to bypass the Windows UAC mechanism
    • Icon similarity - detect executables whose program icon is similar to known application documents
    • Machine learning detection engine improvements
  • Deep scan:
    • Significant memory usage reduction for Anti-Virus deep scan (requires a hotfix - will be available soon)
    • Integrated additional deep scan capabilities in TE
  • Image initialization duration improvements
  • Bug fixes and quality improvements:
    • CPU-level engine - reduced FPs, improved stability
    • Solved cluster failovers due to TE blade
    • Improved JAR static analysis
  • In total: 190+ features and bug fixes

17 Apr 2016 - Release Version 5.1.1.1
Engine: 44.990000115

  • Update routine improvements

20 Jan 2016 - Release Version 5.1.1
Engine: 44.990000110

  • Check Point response to CVE-2016-1714 - see sk109700

16 Nov 2015 - Release Version 5.1
Engine:
  [8 Dec]: 44.990000107
  [16 Nov]: 44.990000099
Images:
  UID: E50E99F3-5963-4573-AF9E-E3F4750B55E2, Revision: 47
  UID: 7E6FE36E-889E-4C25-8704-56378F0830DF, Revision: 50
  UID: 5E5DE275-A103-4F67-B55B-47532918FA59, Revision: 20
  UID: 8D188031-1010-4466-828B-0CD13D4303FF, Revision: 22

  • NEW: Optimized OS images for improved detection
  • NEW: Recommended OS image carrying up-to-date software for enhanced detection
  • Bug fixes and quality improvements:
    • Confidence level for executable files
    • Performance degradation when using Hybrid mode

25 Aug 2015 - Release Version 5
Engine:
  [7 Sep]: 43.990000082
  [25 Aug]: 43.990000078
Images:
  UID: E50E99F3-5963-4573-AF9E-E3F4750B55E2, Revision: 47
  UID: 7E6FE36E-889E-4C25-8704-56378F0830DF, Revision: 49
  UID: 5E5DE275-A103-4F67-B55B-47532918FA59, Revision: 19
  UID: 8D188031-1010-4466-828B-0CD13D4303FF, Revision: 21

  • NEW: CPU level Threat Prevention:
    • Supported on TE100X, TE250X, TE1000X and TE2000X appliances
    • Hotfix from sk107333 may be required after updating the engine
  • NEW: Support for *.pif file type
  • Improvements in detection ratio
  • Bug fixes and quality improvements

30 Jul 2015 - Release Version 4.1
Engine: 24.990000258
Images:
  UID: E50E99F3-5963-4573-AF9E-E3F4750B55E2, Revision: 45
  UID: 7E6FE36E-889E-4C25-8704-56378F0830DF, Revision: 47
  UID: 5E5DE275-A103-4F67-B55B-47532918FA59, Revision: 17
  UID: 8D188031-1010-4466-828B-0CD13D4303FF, Revision: 19

  • NEW: Public API for emulation services
  • NEW: Network based detection
  • NEW: Threat Cloud advisory
  • NEW: Support for *.cab and *.tgz archives
  • NEW: Full ZIP archive scanning
  • NEW: Dropped files emulation
  • Improvements in detection ratio of *.exe
  • Improvements in stability - persistent file emulation queue
  • Bug fixes and performance improvements

14 May 2015 - Release Version 4.0.1
Engine: 24.990000010

  • Check Point response to CVE-2015-3456 (VENOM) - see sk106060

15 Feb 2015 - Release Version 4
Engine: 24.990000009
Images:
  UID: 5e5de275-a103-4f67-b55b-47532918fa59, Revision: 15
  UID: 7e6fe36e-889e-4c25-8704-56378f0830df, Revision: 45
  UID: 8d188031-1010-4466-828b-0cd13d4303ff, Revision: 16
  UID: e50e99f3-5963-4573-af9e-e3f4750b55e2, Revision: 44

  • NEW: Support for Flash file type
  • NEW: Support for Java file type
  • Improvements in detection of *.exe and *.scr files by adding behavioral features and using a decision mechanism based on a machine learning model
  • VSX improvements
  • Support for SHA256 as part of the logging information
  • Added the TTL mechanism to the local cache on the Security Gateway
  • Bug fixes

03 Sep 2014
Engine: 23.990000082

  • NEW: Support of Multiple Private Cloud Appliances - see sk102309
  • NEW: Support for *.scr file type
  • NEW: Skipping emulation for known good files according to domains and certificates
  • New version of the Static analysis mechanism
  • Stability fixes - enhanced handling of files that generate extensive forensics data/reports

27 Apr 2014
Engine: 21.990000045

  • NEW: Support for archive caching
  • NEW: Support for dropping archive files that contain certain file types
  • NEW: Better file classification abilities
  • NEW: Enhanced detection of emulation process tampering
  • Stability fix - possible memory leak in certain circumstances

06 Feb 2014
Engine: 20.990000114

  • NEW: Support for executable emulation
  • NEW: Support for archives (ZIP, RAR, TAR and 7z)
  • NEW: Anti-evasion capabilities against malware that tries to detect its execution in a sandbox
  • NEW: Better detection capabilities
  • Stability fixes

29 Dec 2013
Engine: 13.990000021

  • NEW: Support for GEO restriction (for details, refer to sk97877)
  • Stability fix for supporting new emulation images
  • Stability fix for the Engine Update itself

25 Nov 2013
Engine: 13.990000014

  • Gradual upgrade support
  • Stability fix for Local Emulations - when using a large number of emulation machines (more than 33), the emulation machines would stop responding
  • Fixed a condition where DNS resolving could cause emulations to fail

13 Oct 2013
Engine: 12.990000009

  • Fixed a possible bug in communication from Security Gateway to Cloud

02 Oct 2013
Engine: 11.990000007

  • Stability fix for the Emulators of local and private cloud when dealing with malicious files
  • More efficient Cloud Service communication
  • Enhanced availability and stability of the Cloud Service
  • Fixed confusing log events in the SmartView Tracker

 
