Threat Emulation Engine Update - What's New?

This solution contains new items and fixes for each Threat Emulation Engine Update. It will be updated each time a new Engine Update is released.

To check the current version of Threat Emulation Engine Update, run either one of these commands:

  • [Expert@HostName]# tecli advanced engine version

  • [Expert@HostName]# cat $FWDIR/teCurrentPack/te_ver.ini

To check the current version of Threat Emulation Image, run the following command:

  • [Expert@HostName]# tecli show downloads images

For the latest Threat Emulation malware detection rules, refer to sk117672 - How to update the Threat Emulation malware detection rules.

For file types supported in Threat Emulation, refer to sk106123.

Date Release Version What's New
28-Oct-20 10.7


  • Threat Emulation Engine support for R81 Check Point Infinity
    • Important note: R81 based emulators and appliances only support Threat Emulation engine 10.7 or above. Internet-connected gateways will be automatically updated unless automatic updates are disabled. To manually update gateways refer to sk92509.
  • Threat Emulation Cloud Dedicated to China and Australia – Gateways can be configured so that files are sent for emulation (sandboxing) only in a specific country, to meet regulatory requirements and other privacy concerns. This update now includes the ability to restrict emulations to China or Australia. To restrict your gateway's emulations to a specific country, follow the instructions in sk97877.
30-Sep-20 10.5


  • Improved the time to get a verdict for CSV files by 50%
  • Reduced false positive rate for dropped files (to near 0%)
  • In addition to the existing support for password protected archives, Threat Emulation now supports scanning of password protected Microsoft Office and PDF documents, using password guess techniques:
    • Commonly used password dictionary
    • Password from email context (subject, body text, attachment names)
    • Custom password list (see sk112821 for configuration instructions)
    • Support for all TE vectors: Web download, MTA, CGSaaS, SBA, APIs
12-Jul-20 10.2


  • The new Threat Emulation engine uses Neural Networks and Deep Learning to improve detection of executable files by 2%.
  • The reduction in the false positive detection rate of executable files is 50%.
  • The v10.2 release improves detection for Microsoft Office files with obfuscated macros.
  • Detection rules for widely spread HTML-based threats, including:
    • Nemucod ransomware
    • JS crypto-miners in HTML
    • Portable executables embedded inside HTML documents
  • Fixes an issue where a manual offline update of the Threat Emulation engine may flag safe documents as malicious.
  • Enhanced reporting of errors in the Threat Emulation API – in case an error occurred during the emulation, Threat Emulation API will now return a detailed description of the error, including the engine version number. This new addition allows for better troubleshooting as well as granular actions by the API client, depending on the error that occurred. For more information, see sk167161.
22-May-20 9.7


  • Local Threat Emulation is now supported on R80.40
  • Performance Improvement - Verdicts for unknown files will now arrive 10-20% faster
  • Stability improvements – emulation timeouts will now be even less likely to happen (80% improvement)
  • Various improvements to detection rate and reduction of false positive rate
01-Apr-20 9.6


  • Reduced documents False Positive verdicts (by adding logic querying additional external resources before lowering confidence)
  • Added ability to add YARA based exceptions in documents flow overriding verdict for specific cases
  • Enhanced handling of malware trying to determine that they run in virtual machines to evade sandboxing
  • New images were released for sandbox VMs, introducing performance improvements on sandbox side
23-Feb-20 9.5


  • MITRE in TE report - fixed minor UI issues in the MITRE ATT&CK section in the Threat Emulation Summary Report

  • Emulation platform enhancement - fixed issues that might cause emulations to fail in rare cases

  • Anti-evasion - enhanced handling of malware trying to determine that they run in virtual machines to evade sandboxing
13-Jan-20 9.4

More information about new revisions: sk135413

  • CVE Reference in Reports – The Threat Emulation Summary Report now includes a reference to the CVE used by the malicious file. Clicking on the CVE leads to its official description and details.
  • MITRE ATT&CK information in the log card – since engine update 9.0, the Threat Emulation Findings report contains a MITRE ATT&CK section, detailing the different techniques detected in the malicious file. Starting with engine update 9.4, this information is also available in the log card. This allows admins to better understand the attack by looking at the log card, to export this data to external SIEM systems, and to easily search and filter attack events based on MITRE fields.
  • Export Threat Detailed Report to logs and external SIEM systems – Threat Emulation Report data details are now exported to logs and external SIEM systems and provide ease of search and filtering based on MITRE related data.
11-Dec-19 9.3 Engine: 58.990001271
  • Enhanced Prevention of Zero-Day Malicious Documents – Rebuilt some of the emulation engines for Microsoft Office and PDF documents, to increase the catch rate and return malicious verdicts much faster.
  • More Granular Error Management – Added the ability to configure a specific failure mode (fail-open / fail-close) for cases in which emulation fails due to the file being non-supported. For more information, refer to sk132492.
19-Nov-19 9.2


More information about new revisions: sk135413

  • New Archive File Type Support – The following archive file types are now supported: LZH, ARJ, CPIO, AR.
  • Fixed a bug that might cause incorrect values in the Verdict log field for files extracted from archives.
  • Fixed a bug causing Threat Emulation not to treat encrypted PDFs according to the policy and always fail their emulation.
  • Fixed a bug that might cause archive files of unsupported types to be mistakenly marked as malicious by Threat Emulation.
  • Fixed some small UI bugs in the MITRE ATT&CK part of the Threat Emulation report. 
30-Oct-19 9.1


More info about new revisions: sk135413

New Archive File Type Support – the new engine supports the following archive file types when password-protected: RPM, WIM, CHM, LZH, MSI, ARJ, CPIO, AR, CramFS, QCOW2, UDF.

Replacing the Threat Emulation API Certificate – administrators can now upload their own certificate to be used for Threat Emulation API calls to their Threat Emulation appliance. For more information, refer to sk160693.

15-Sep-19 9.0


More info about new revisions: sk135413

MITRE ATT&CK reporting – the Threat Emulation Forensics Report now includes a detailed MITRE ATT&CK Matrix with the detected adversary tactics and techniques for every executable file found to be malicious.

Enhanced Support for Archive Files – this engine release includes significant improvements in handling archive files. Improvements include:

  • All supported file types, including .7z and .rar, are now also supported when password-protected. For more details, refer to sk112821
  • Improved mechanism to automatically "guess" passwords when opening password-protected archives for emulation.
  • Added support for password-protected archives, using Unicode characters in the password.
  • Many new supported archive formats: WIM, CHM, CramFS, DMG, EXT, FAT, GPT, HFS, IHEX, MBR, MSI, NSIS, NTFS, QCOW2, RPM, SquashFS, UDF, UEFI, VDI, VHD, VMDK (starting from TE engine version 9.1).
  • Stability improvements
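How the password-guess flow of this 9.0 entry (and the same sources extended to Office and PDF documents in the 10.5 entry above) can be built on the sandbox side, as an added example that is not Check Point's code: it orders candidates taken from the email subject, body and attachment names ahead of an admin custom list and a common-password dictionary, then tries them against a password-protected archive. The dictionary, the regexes, the sample mail and the small ZipCrypto archive writer used to produce an offline test input are all assumptions of this example.

```python
"""Candidate-password derivation for protected attachments, as the notes describe for
archives (engine 9.0) and Office/PDF documents (engine 10.5). Added example, not Check
Point's code: the dictionary, regexes, ordering and sample mail are assumptions. A minimal
ZipCrypto writer is included only to build an encrypted test archive in memory."""
import binascii
import io
import re
import struct
import zipfile
from typing import Iterable, List, Optional

# Constructed stand-in for the "commonly used password dictionary"; real lists are far longer.
COMMON_PASSWORDS = ["infected", "123456", "password", "malware", "1234"]
# "the password is X", "pwd: X", "pass=X" in the mail text: strongest signal, tried first.
_HINT_RE = re.compile(r"\b(?:password|passwd|pwd|pass)\b\s*(?:is|:|=)?\s*(\S+)", re.IGNORECASE)
# Any other word-like token of 4+ characters is a weak candidate, tried last.
_TOKEN_RE = re.compile(r"[A-Za-z0-9!@#$%^&*_\-]{4,}")

def _dedupe(items: Iterable[str]) -> List[str]:
    seen, out = set(), []
    for item in items:
        if item and item not in seen:
            seen.add(item)
            out.append(item)
    return out

def candidates_from_context(subject: str, body: str, attachment_names: Iterable[str],
                            custom_list: Iterable[str] = ()) -> List[str]:
    """Ordered, de-duplicated candidates: explicit hints, admin custom list, dictionary,
    then attachment-name stems and every other token seen in the subject/body."""
    context = [subject, body]
    hints = [h.rstrip(".,;:)'\"") for text in context for h in _HINT_RE.findall(text)]
    stems = [re.sub(r"\.[A-Za-z0-9]+$", "", name) for name in attachment_names]
    tokens = [t for text in context + stems for t in _TOKEN_RE.findall(text)]
    return _dedupe([*hints, *custom_list, *COMMON_PASSWORDS, *stems, *tokens])

def try_unlock(zip_bytes: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate that opens every member, or None when the sandbox
    would have to fall back to its configured default action for protected files."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        for pwd in candidates:
            try:
                for name in names:
                    zf.read(name, pwd=pwd.encode("utf-8"))  # Unicode passwords work too
                return pwd
            except (RuntimeError, zipfile.BadZipFile):
                # RuntimeError: header check byte mismatch; BadZipFile: 1-in-256 false
                # header match, which the CRC check on the decrypted data then catches.
                continue
    return None

# --- minimal ZipCrypto (traditional PKWARE) writer, used only to build test input ---
# Standard CRC-32 table: zlib's crc32() with start 0xFFFFFFFF and the final complement undone.
_CRC_TABLE = [binascii.crc32(bytes([i]), 0xFFFFFFFF) ^ 0xFFFFFFFF for i in range(256)]

class _ZipCryptoEncrypter:
    def __init__(self, pwd: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in pwd:
            self._update(b)

    def _update(self, b: int) -> None:
        self.k0 = _CRC_TABLE[(self.k0 ^ b) & 0xFF] ^ (self.k0 >> 8)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF] ^ (self.k2 >> 8)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            t = (self.k2 | 2) & 0xFFFF
            keystream = ((t * (t ^ 1)) >> 8) & 0xFF
            self._update(c)  # keys advance on the plaintext byte
            out.append(c ^ keystream)
        return bytes(out)

def build_encrypted_zip(name: str, plaintext: bytes, password: str) -> bytes:
    """One stored (uncompressed) member protected with ZipCrypto, as a complete zip file."""
    crc = binascii.crc32(plaintext) & 0xFFFFFFFF
    # 12-byte encryption header; zipfile checks its last byte against the CRC's high byte
    # to reject a wrong password. Fixed instead of random bytes keep the output deterministic.
    header = bytes(11) + bytes([crc >> 24])
    body = _ZipCryptoEncrypter(password.encode("utf-8")).encrypt(header + plaintext)
    fname = name.encode("utf-8")
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0x21,
                        crc, len(body), len(plaintext), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0x21,
                          crc, len(body), len(plaintext), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd

# Constructed sample mail: the sender puts the password in the body, as lures often do.
SAMPLE_SUBJECT = "Invoice INV-2020-0917 (encrypted)"
SAMPLE_BODY = "Hi, attached is the invoice. The password is Inv0ice#2020. Regards"
SAMPLE_ATTACHMENTS = ["invoice_2020.zip"]
SAMPLE_ZIP = build_encrypted_zip("invoice.docm", b"constructed benign payload", "Inv0ice#2020")

if __name__ == "__main__":
    cands = candidates_from_context(SAMPLE_SUBJECT, SAMPLE_BODY, SAMPLE_ATTACHMENTS, ["CorpShare2020"])
    print("candidates:", cands, "\nunlocked with:", try_unlock(SAMPLE_ZIP, cands))
```

When no candidate opens the archive, `try_unlock` returns None, which is the point at which the default action for password-protected files (see the 8.6 entry and sk132492) decides allow or block.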
28-Aug-19 8.8 


More info about new revisions: sk135413

  • Faster delivery of emulation verdict for documents in which files are embedded.
  • Various minor bug fixes
7-Aug-19 8.7 Engine:58.990000915

Enhanced Anti-Evasion

Several improvements to the emulation’s human impersonation, making it even more resistant to modern evasion techniques.

Faster Emulation of Documents

Emulations of Office and PDF files will now take significantly less time, allowing for enhanced productivity due to faster verdicts for malicious and, most important, benign files.

10-Jul-19 8.6


More info about new revisions: sk135413

Enhanced Support for Password-Protected Documents

  • Administrators can now configure a default action for password-protected documents, so that if such files reach emulation, they will be allowed or blocked by default. To configure the default action, follow the instructions in sk132492.
  • Performance and stability improvements for cloud emulations.
5-Jun-19 8.5 Engine: 58.990000788

Attachments from Nested MSG Files

Threat Emulation now supports emulating files that are attached to MSG files that are themselves attached to other MSG files.

5-Jun-19 8.4.2 Engine: 58.990000741 Deployment only to the appliances.

8.4 Engine: 58.990000732

More info about new revisions: sk135413

New Features

Enhanced Logging for Emulated Archive Files

Until this update, emulation of an archive file generated a single log, for the archive file itself. With this release:

  • The archive file log includes the names of all the files inside it.
  • A new log is generated for every file extracted from the archive, with its emulation results. This log contains the name of the archive file, so that the archive's log and the logs of the files it contains can be correlated easily.

Detailed Malware Behavior Report

SOC teams investigating a detected malicious file via the Emulation Details report can now download a detailed malware behavior report. The report contains general information about the emulated file, as well as all observed activities such as processes opened, API calls initiated, registry events, etc. To download this report, click the left download icon in the Emulation Details report, under the Advanced Forensics section.

Improvements and Enhancements

Enhanced Anti-Evasion Techniques

Improved detection and prevention of malware files employing evasion techniques. The improvements include:

  • Enhanced human interaction simulation.
  • Enhanced detection of malware initiated after the malicious file is closed.
  • Enhanced handling of malware creating a large number of API calls to overload the emulator.
  • Enhanced handling of malware trying to check if the file is run in a virtualized environment.
  • Fixed an issue causing password-protected archives not to be emulated even though the password for the file is located in the email body. This issue can occur if the archive file was attached to emails with multi-part bodies. The most common example is an email body combining pictures and text.

Important License Enforcement Note

As previously announced, the grace period for the Threat Emulation license enforcement is over. Starting with this emulation engine update, a valid NGTX license must be installed on the Gateway for Threat Emulation and Threat Extraction to work properly. Gateways without the required license receive the following warning log: "Warning: NGTX license is required for the gateway to enable Threat Emulation. To ensure uninterrupted operation, please update the gateway device with a valid license. Please read through sk140212 to make sure you properly set up the system with the required licenses."



31/3 - 22/4

More info about new revisions: sk135413

New Feature

Enhanced Classification of Malware Families

A key part of understanding detected malware, its potential damage, and the steps for its remediation, is its classification into a malware family.

This release includes a new machine learning engine that improves this classification, making it faster and more accurate.

  • The new engine utilizes two novel algorithmic approaches for detecting and identifying unknown malware samples and families. The first layer is the application of an unsupervised clustering technique on the behavioral feature space produced by Threat Emulation, for detecting sample similarities in behavioral pattern space.
  • The second layer is based on an active learning method, which represents the discovered patterns in a way that allows combining information from threat research analysts, injecting threat intelligence into the algorithm, and using it to identify unknown malware families and new variants of known ones. This method combines behavioral analysis and threat intelligence into one unified detection operation.

Enhanced Emulation of EXE files

A new Threat Emulation engine dedicated to dynamically determining the required emulation time, improving the handling of malicious executable files that take time to start their malicious activity.



7/3 - 25/3

8.2 Engine: 58.990000492

More info about new revisions: sk135413

New Feature:

Enhanced Emulation for Non-Supported File Types:

This release introduces a new and easy way to enable Threat Emulation (TE) on file types that are not supported by default. Administrators can now also configure the vector in which TE will run on these file types – Email, Web or both. Refer to sk149292 for more information.



14/2 - 28/2

More info about new revisions: sk135413

New Features:

  • Enhanced prevention for attacks in all vectors with malicious .LNK files. These files can now be emulated both using local Threat Emulation Appliances and using the cloud service, to provide maximum protection.
  • Enhanced sandboxing (emulation) of Microsoft Office files, utilizing a new Machine Learning engine. The new engine extracts the VBA code from the document file, generates powerful expert-designed features, and feeds them to the Machine Learning model that predicts maliciousness. It is based on a classic ML ensemble method called Random Forest.




8.0 Engine: 58.990000298

More info about new revisions: sk135413

New Features:

Enhanced Visibility on "Malware DNA" Analysis

With this release, security personnel can better understand the analysis performed on the malware and the reasons for the file being flagged as malicious.

The Threat Detail report now includes Malware DNA, a deep dive into the different similarities it presents to known malware families. The enhanced analysis includes:

  • Behavioral similarities with other malware families.
  • Code structure similarities with other malware families.
  • File similarities with other malware families.
  • Patterns of connection attempts to malicious websites and C&C servers similar to other malware families.
  • Malware DNA employs a novel technique to detect malicious code at the lowest level representation - the machine-code level. By extracting the binary representation of malicious code from known malware and representing it in generalized form, Malware DNA is able to detect unique code, code re-use and code permutations of unknown and future threats. Moreover, Malware DNA technology makes it possible to detect threats embedded in otherwise benign software even if the malicious code only runs in very specific and rare situations. By identifying known code inside the executable, Malware DNA is able to segregate and classify parts of an executable and trace the code to its origin.
  • Malware DNA employs a range of techniques that render it resistant to code permutations, compiler optimizations and other changes to code that do not change code semantics.
  • Unlike other malware detection technologies, Malware DNA is not based on signatures, sandbox or anomaly detection. It's an ultra-fast static engine which is not susceptible to evasion techniques.






More info about new revisions: sk135413

New Features:

  • Expanded Anti-Virus via Threat Prevention API support for local Threat Emulation appliances and Threat Prevention API for Anti-Virus deep scans. The new feature provides the ability to run a full AV deep scan using a Threat Emulation appliance. For additional details and instructions, refer to the Threat Prevention API Reference Guide.
  • Policy Restriction Handling – control system behavior by applying user-defined restrictions. The following restrictions are supported:
    • Archive extraction error – define and handle archive-related policies.
    • Max number of files – define the maximum number of files in an archive that the system handles.
  • Dynamic Detection Machine Learning. Adds a machine learning model that uses dynamic emulation output, specifically the API calls performed by the analyzed executable, to detect malware. It uses machine-generated features as well as sophisticated features hand-crafted by domain experts and world-class malware researchers, and leverages and constantly updates state-of-the-art anti-evasion techniques. The model is trained frequently on real production data, making its relevant, customer-facing detection rate superior to previous generations of dynamic detection schemes while maintaining a very low false discovery rate. It is the most important component of our in-house detection capabilities.
  • Licensing Enforcement starting with Threat Emulation engine version 7.9. The Gateway device will also now validate the existence of a valid NGTX license when using a SandBlast appliance for emulation. However, there are some exceptions, so refer to sk140212 for details.

Improvements and Enhancements:

  • Customized YARA signatures: enable deployment of dynamic custom behavioral rules on the Gateway.
  • Improved detection of URL reputation by adding context data to a URL reputation request and identifying the file that caused the activity.



18/11 - 12/12

7.8 Engine: 58.990000075

More info about new revisions:

  • Introducing new detection engine - IP reputation: preemptively reject requests that are coming from or sent to IP addresses marked as malicious by Check Point's constant malware research activities. This engine is protocol agnostic and can detect and prevent malicious traffic over any communication protocol.
  • Introducing CADET for local emulation - CADET (Context-Aware Detection and Elimination of Threats), Check Point's newest and successfully proven AI-based technology, is now available across all SandBlast deployment options (cloud and on premise). Check Point's CADET technology continuously evolves and adapts to the changing threat landscape using machine learning to offer best in the market detection accuracy.
  • Threat Emulation reports now include traffic capture logs. A detailed traffic log is now available for download directly from the emulation reports, giving users visibility of suspicious network traffic generated by examined files.
  • New Threat Emulation reports are now available via a consolidated API: a newly aligned and consolidated public API for new Threat Emulation reports for both cloud and premise (appliance) environments.
    Note: backwards compatibility is supported using the "reports_version_number" field. Additional information is available in the Threat Prevention API documentation: Threat Prevention API 1.0 Reference Guide.

15 Oct 2018

15/10 - 26/11

More info about new revisions:

  • New AI-powered detection engines for malware detection in documents: our Machine just learned how to improve detection accuracy in documents. The technique used combines our CPU-level and OS-level emulation techniques with machine learning algorithms to significantly improve detection accuracy while reducing false positives. Please note that the new AI model will initially be deployed in the Threat Prevention cloud only. On-premise deployments will be supported in a later release.
  • R80.10 (JHF 151) supported by TEX appliances. Support for DLL files in TE (requires Image revision 247). DLL files are emulated similarly to executable files.
  • Improved detection using behavioral machine learning to detect threats in executable files. Advanced automated machine learning using millions of samples to improve the accuracy of the executable behavioral machine learning detection.
  • Detection Improvement - CADET – updated machine learning model for executable files. Incorporates new data sources from our latest engine improvements into CADET's decision making. This allows improvement in detection accuracy.
  • Introducing a new detection engine that examines file similarity. This allows for better classification of the malware family, to understand the nature of the attack.
  • Update frequency algorithm improved (more frequent updates).
  • Improved performance of TE GC (cleanup script).
  • Bug fixes: fixed an issue that caused TE to restart when the cache is full.
07 Oct 2018

7.5 Engine: 57.990002818

  • Removed writing to the cloud emulator local cache.
  • Changed check for update frequency.
  • Released to cloud emulators (not to gateways).

28 Sep 2018

28/9 - 29/9

  • Changed check for update frequency.
  • Released to gateways (not to cloud emulators).

4 Sep 2018

3/9 - 26/9

More info about new revisions:

  • TE Local Emulation for version R80.20 has been changed to version R80.20 GA.
  • Fixed an issue with licensing that caused some emulators not to use the full capacity.

13 Aug 2018

13/8 - 28/8

(Cloud 572772)

IMAGE-READY = 234

  • TE local Emulation on R80.20 – early availability.
  • Improvements of 64-bit executable detection.

29/7 - 9/8

Revert Engine to 7.2: 57.990002736

Only for part of the appliances

IMAGE-READY = 234

  • NEW SandBlast Threat Emulation report. For specific availability details, refer to sk120357.
  • Error Granularity Manager. For more information, refer to sk132492.

8/7 - 19/7

Revert Engine: 57.990002736

IMAGE-READY = 234

  • Added support for macOS file types to both SandBlast Emulation Cloud and locally. For more details, see sk130652.
  • Return low confidence in case only a few events are seen during emulation of documents.

Deployment: 25/6 - 5/7

IMAGE-READY = 234

  • Apply YARA rules to file types supported by TE. For more details, see sk123156.
  • Added new supported file types: PowerShell (.ps1) and Batch files (.bat).
  • Added new supported file types following recent campaigns: SYmbolic LinK files (.slk) and Excel Web Query files (.iqy).
  • Cache Purger - a mechanism that reduces the FP rate for cloud customers (GWs which use the "sharing" feature will also benefit from this mechanism).
  • Avoid the scenario where TE stops emulation while the logs continue to write to disk and the emulation enters fail mode. For more details, see sk124712.
23-May-2018 7

IMAGE-READY = 234

CADET (Context-Aware Detection and Elimination of Threats)

  • CADET improves Threat Emulation precision by incorporating all existing Threat Emulation features in Machine Learning (ML) mode. ML is tuned to improve accuracy, increasing the number of threats detected and reducing the number of false positives.
  • Currently, CADET focuses on executable files, and applies only to cloud emulations.

Threat Prevention by file source URL.

Improved Static Macro analyzer. Improved detection of malicious macros in Office documents.

Improved executable file analysis performance by approximately 40%.

YARA for all file support – Early Availability. This feature is currently off by default.

New anti-evasion techniques.

Additional features in Threat Emulation reports:

  • Added tecli command for configuring the malicious file password.
  • Added HTTP attack vector, which includes the download source URL and its reputation.
  • Added time stamp to the attack vector.
  • Added the option to download packet capture.
  • Show the entire file path for archive/dropped/embedded descendants.
  • Show emulation video instead of static screenshots.

Improved Cloud Emulation queue wait time by approximately 50%.

04-Apr-2018 6.15

IMAGE_READY = 234

  • Added support for .bat and .cmd files that arrive in mail attachments.
    These file types are not available in the Threat Emulation Supported File Types menu.
  • Detection improvements and FP reduction
    Introduced advanced human simulation – the Threat Intelligence group has observed many files in the wild that were using a new evasion technique (implementation in images rev. 234).
  • CADET for executable files only – silent mode
    CADET aims to improve Threat Emulation precision on executable files by feeding all existing TE features (such as emulation results, reputation, and others) to an AI model tuned to improve accuracy – increase detection and reduce false positives. CADET is focused initially on executable files, and will apply only to cloud emulations at this first stage.
    CADET is currently being deployed in silent mode – meaning it does not change the TE verdict.
  • FP handling improvement
    Smarter management of the global TE Cloud Cache, to increase cached verdict reliability and prevent FP pollution.

04 Mar 2018 6.14

Engine: 56.990002262

IMAGE_READY = 226

  • Prohibited file types – enables configuration of blocked file types. For details, refer to sk123140.

15 Jan 2018

15/01/18 - 05/02/18

Engine: 56.990002053

More info about new revisions: sk122374

  • Improved detection
    • Added support for 64-bit binaries using live machine learning detection. 64-bit binaries will be emulated on the 64-bit images (Win 7 64, Win 8.1 64 and Win 10).
  • NEW THREAT EMULATION REPORTS - currently in EA and applied for R80.10 - sk120357
    • Issues from 6.12 that were released as offline only
      • Please see below

21 Dec 2017

Only offline

Engine: 55.990001865

Images_Ready: 209

File_Types - TE_FILE_TYPES_MAP

Version: 38

  • Fixed an issue where the system attempted to emulate non-relevant content types when downloading files from .com domains
  • Support for *.xz file type
  • Stability improvements
13 Dec

6.11.2 Engine: 55.990001820

  • Fixed an issue related to a rare condition in private cloud emulation where files are stuck in the uploading state if the first rule in the policy is not installed on the GW.
22 Nov

6.11.1 Engine: 55.990001819

Images_Ready: 208

  • New Threat Emulation Reports (currently in EA) - please refer to sk120357
    • Embedded-file drill-down - for emulations of archives, droppers, and documents embedding other files: click on any of the embedded/dropped files with a malicious verdict to drill down to its emulation report.
    • Graphic attack vector for SMTP
  • Bug fixes and improved detection
    • Fixed an emulation performance issue that affected some customers
    • Improved detection of documents with macros
    • Stability fixes

06 Nov

Engine: 55.990001748

Images_Ready: 207

  • New Threat Emulation Reports (currently in EA) - please refer to sk120357
    • Support of archive files - reports of archive files display a table listing all files in the archive with an individual verdict for each file
    • Support of "Actions"
      • Contact Check Point Incident Response Team
      • Generate a CSV of the emulation activity timeline
    • Improved detection of DDE-based attacks

26 Sep

  • Revolutionized TE reports
    • Beta release - follow sk120357 to enable this feature on R80.10 Security Gateways for PoCs and evaluation.
    • Enriched IOCs – we are extracting many more indicators of compromise from emulation sessions of malicious files and including them in the TE reports.
    • Revised UI and workflow.
      Note: This is work in progress - the new report is not generated by default. The new report can be enabled on R80.10 Security Gateways for PoCs and evaluation.
  • Several improvements to some of the TE detection engines
    • Improved machine learning model
    • Reduced number of false positives

13 Aug

  • Fixed an issue regarding embedded link inspection in Private Threat Cloud environments.
  • Fixed unnecessary disk space usage on Security Gateways

09 Aug

  • Minor bug fixes
  • Reduced number of false positives caused by JS embedded in PDF
  • Early Availability of R80.10 support for SandBlast TE250X, TE1000X, TE2000X appliances:
    • To participate, you need to upgrade the SandBlast TEX appliance to R80.10 and make sure that this TE engine is installed
    • Note: Do not use R80.10 on the TE100X model at this point.

19 July

More info about new revisions:

  • Performance improvement
    • Improved file processing throughput for Security Gateways sending files to be emulated by the SandBlast cloud service or in a SandBlast TE appliance deployment. The improvement significantly reduces possible issues caused by a queue of files in upload, by uploading several files in parallel.
  • Improved detection
    • Improved simulation of user interaction
    • Integration with a new network reputation service that contains advanced algorithms for improving malware network activity detection.
  • License enforcement
    • Validate NGTX license for Security Gateways working with TE appliances and for inline TE appliances - applicable for new TE appliance SKUs launched in October 2017 - sk119133
  • Infrastructure for fast OS image update
    • New infrastructure for OS image updates, allowing much smaller updates and much shorter downtime (minutes instead of hours). Image Initialization phase reduced to a few seconds.
  • Updated OS Images
    The new images include general OS improvements and the Creators Update for Windows 10:
    • "Win10 64b,Office 2016,Adobe DC"
    • "Win7,Office 2010,Adobe 9.4"
    • "Win7 64b,Office 2010,Adobe 11"
    Note: Before upgrading the TE Engine, make sure that you have 160 GB of free disk space!

06 July

Fix related to file descriptor leak in logs in R80.10.
For more details, see sk117672.

25 June 2017

  • Improved detection by Macro analyzer
  • Support for TLS 1.2 Jumbo HF
  • Reduced scan engine core dumps
  • Reduced false positives
15 June 2017 6.6.2

  • General bug fix

06 June 2017 6.6.1

  • Security fix: in links inside mail - fixed error under load

23 May 2017

Scanengine Package:

Version: 5

  • Multiple Remote
    • Multiple Remote was introduced in engine update 6.5, allowing Security Gateways from separate management SIC domains to connect to the same TE appliance.
    • This update removes several Multiple Remote limitations:
      • Multiple Remote now supports VSX gateways
      • Multiple Remote now supports 64-bit gateways (for more details, refer to sk102309)
  • New configuration options
    • Added the ability to configure the maximum number of files that are extracted from an archive for emulation:
      tecli -> advanced -> archive -> extract -> max_extracted_files_limit -> set Number_0-500
  • Ransomware detection
    • Improved detection of ransomware - a new Threat Emulation engine monitors data file tampering within sandbox sessions
  • Important bug fixes
    • Fixed scenarios in which there are missing screenshots in Threat Emulation reports
    • Added support for UTF-8 file names in archives
    • Cleaned up debug logs in ted.elg

06 April 2017

Version: 2

Version: 4

  • Improvements in Early Verdict for Prevent (the early verdict provides a partial response when the file is malicious)
  • Improved support for Multiple Private Cloud Appliances - added support for different management domains (sk102309 - section "(9) Configure Security Gateway to use a remote Threat Emulation Private Cloud Appliance that is managed by a different Management Server")
  • Improved detection

12 March 2017

Version: 11

  • Windows 10 support - users can now emulate non-executable files on Windows 10 64-bit
  • Early Verdict for Prevent - the early verdict provides a partial response when the file is malicious - sk117168
  • Improved detection:
    • Detection of SHA-1 collision attacks (SHAttered attack - sk116141)
    • Detection of PDFs with embedded links, including phishing attempts
  • tecli command improvement - enable/disable internally supported file types
  • Bug fixes:
    • Reduced false positives in Macro detection
    • Resolved storage cleanup issues

19 Feb 2017

  • Ransomware campaign detection improvement - new file types supported:
    • *.vbs file type in archives attached to e-mail
    • *.wsf file type in archives attached to e-mail
  • R80.10 compatibility - the TE Engine can now run across multiple Gaia releases.
  • Bug fixes related to "Push Forward" that resulted in errors

16 Jan 2017

WEM_phase_1 - TE_IMAGE

WEM_phase_2 - TE_IMAGE

  • New:
  • Additional fixes:
    • Improved stability of CPU Level emulation
    • Reduced emulation errors in CPU Level emulation

28 Nov 2016

File_Types - TE_FILE_TYPES_MAP, Version: 37

Executable_Analyzer - TE_EXE_ANALYZER, Version: 471022

  • NEW:
    • Support for *.cpl file type
    • Support for *.vbs, *.jse, *.vba, *.vbe, *.wsf and *.wsh file types in archives attached to e-mail
  • Improved password extraction from e-mail body (special hotfix is required)
  • Performance and quality improvements

08 Nov 2016

  • Security fix - classifier fix to handle macro-enabled Office files
  • Main bug fixes:
    • Engine update - fixed the EU6.1 emulator emulating unsupported file types:
      • Issue reported/reproduced in the following scenarios: unsupported file types sent through the API or an ICAP client, and a Security Gateway running Engine Update 6 with unsupported file types inside an archive
    • Core dump in the hotfix with links during stress tests
    • "tecli advanced archive extract ..." commands were deleted in D6.1 - reverted the change
    • Threat Emulation daemon crash under stress or in scenarios related to password-protected archives

25 Sep 2016

  • Threat Emulation File Analyzer: sk112312
    • Files embedded in documents are extracted and emulated
    • Ability to block certain embedded files using the command line
    • Documents containing links (URLs) - reputation is checked using Check Point ThreatCloud
  • Encrypted archives: sk112821
    • Attempt to decrypt commonly used archives using a password dictionary
    • Support for user-defined password phrases
    • Ability to prevent password-protected files when decryption fails
      ("Prevent" action occurs only when Emulation Connection Handling Mode is configured to 'Hold')
  • NEW: Support for *.com, *.iso archive, and *.js files in archives attached to e-mail
  • Independent profile configuration for SandBlast appliance - the sending Gateway and the SandBlast appliance are not required to carry the same policy
  • Executable machine learning detection engine improvements
  • In total: 110+ bug fixes and quality improvements

25 Jul 2016

  • Added support for SHA-256 based certificates for Threat Emulation Engine self-update (sk103839, sk113333)

13 Jun 2016

  • Check Point response to the CVE-2016-3712 and CVE-2016-3710 vulnerabilities in QEMU
  • Bug fix in update routine for VSX deployments

25 Apr 2016

UID: 3FF3DDAE-E7FD-4969-818C-D5F1A2BE336D, Revision: 14
UID: 5E5DE275-A103-4F67-B55B-47532918FA59, Revision: 22
UID: 6c453c9b-20f7-471a-956c-3198a868dc92, Revision: 15
UID: E50E99F3-5963-4573-AF9E-E3F4750B55E2, Revision: 53
UID: 8D188031-1010-4466-828B-0CD13D4303FF, Revision: 24
UID: 7E6FE36E-889E-4C25-8704-56378F0830DF, Revision: 53

  • NEW: 64-bit OS images - Windows 8.1 and Windows 7
  • NEW: Detecting links to malicious files inside e-mails (refer to sk115313)
  • NEW: SMEP Detection - detect privilege escalation attempts
  • NEW: Support for *.gz and *.bz2 archives
  • Improved file classification
  • Enhanced malicious executable detection:
    • User Account Control - Detect malicious attempts to bypass the Windows UAC mechanism
    • Icon similarity - Detect executables whose program icon is similar to known application documents
    • Machine learning detection engine improvements
  • Deep scan:
    • Significant memory usage reduction for Anti-Virus deep scan (requires a hotfix - will be available soon)
    • Integrated additional deep scan capabilities in TE
  • Image initialization duration improvements
  • Bug fixes and quality improvements:
    • CPU-level engine - reduced false positives, improved stability
    • Fixed cluster failovers caused by the TE blade
    • Improved JAR static analysis
  • In total: 190+ features and bug fixes

17 Apr 2016

  • Update routine improvements

20 Jan 2016

  • Check Point response to CVE-2016-1714 - see sk109700

16 Nov 2015

[8 Dec]: 44.990000107
[16 Nov]: 44.990000099

UID: E50E99F3-5963-4573-AF9E-E3F4750B55E2, Revision: 47
UID: 7E6FE36E-889E-4C25-8704-56378F0830DF, Revision: 50
UID: 5E5DE275-A103-4F67-B55B-47532918FA59, Revision: 20
UID: 8D188031-1010-4466-828B-0CD13D4303FF, Revision: 22

  • NEW: Optimized OS images for improved detection
  • NEW: Recommended OS image carrying up-to-date software for enhanced detection
  • Bug fixes and quality improvements:
    • Confidence level for executable files
    • Performance degradation when using Hybrid mode

25 Aug 2015

[7 Sep]: 43.990000082
[25 Aug]: 43.990000078

UID: E50E99F3-5963-4573-AF9E-E3F4750B55E2, Revision: 47
UID: 7E6FE36E-889E-4C25-8704-56378F0830DF, Revision: 49
UID: 5E5DE275-A103-4F67-B55B-47532918FA59, Revision: 19
UID: 8D188031-1010-4466-828B-0CD13D4303FF, Revision: 21

  • NEW: CPU level Threat Prevention:
    • Supported on TE100X, TE250X, TE1000X and TE2000X appliances
    • Hotfix from sk107333 may be required after updating the engine
  • NEW: Support for *.pif file type
  • Improvements in detection ratio
  • Bug fixes and quality improvements

30 Jul 2015

UID: E50E99F3-5963-4573-AF9E-E3F4750B55E2, Revision: 45
UID: 7E6FE36E-889E-4C25-8704-56378F0830DF, Revision: 47
UID: 5E5DE275-A103-4F67-B55B-47532918FA59, Revision: 17
UID: 8D188031-1010-4466-828B-0CD13D4303FF, Revision: 19

  • NEW: Public API for emulation services
  • NEW: Network based detection
  • NEW: Threat Cloud advisory
  • NEW: Support for *.cab and *.tgz archives
  • NEW: Full ZIP archive scanning
  • NEW: Dropped files emulation
  • Improvements in detection ratio of *.exe
  • Improvements in stability - persistent file emulation queue
  • Bug fixes and performance improvements

14 May 2015

  • Check Point response to CVE-2015-3456 (VENOM) - see sk106060

15 Feb 2015

UID: 5e5de275-a103-4f67-b55b-47532918fa59, Revision: 15
UID: 7e6fe36e-889e-4c25-8704-56378f0830df, Revision: 45
UID: 8d188031-1010-4466-828b-0cd13d4303ff, Revision: 16
UID: e50e99f3-5963-4573-af9e-e3f4750b55e2, Revision: 44

  • NEW: Support for Flash file type
  • NEW: Support for Java file type
  • Improvements in detection of *.exe and *.scr files by adding behavioral features and using a decision mechanism that is based on a machine learning model
  • VSX improvements
  • Support for SHA256 as part of the logging information
  • Added the TTL mechanism to the local cache on the Security Gateway
  • Bug fixes

03 Sep 2014

  • NEW: Support of Multiple Private Cloud Appliances - see sk102309
  • NEW: Support for *.scr file type
  • NEW: Skipping emulation for known good files according to domains and certificates
  • New version of the Static analysis mechanism
  • Stability fixes - Enhanced handling of files that generate extensive forensics data/reports

27 Apr 2014

  • NEW: Support for archive caching
  • NEW: Support for dropping of archive files that contain certain file types
  • NEW: Better file classification abilities
  • NEW: Enhanced detection of emulation process tampering
  • Stability fix - Possible memory leak in certain circumstances

06 Feb 2014

  • NEW: Support for executable emulation
  • NEW: Support for archives (ZIP, RAR, TAR and 7z)
  • NEW: Anti-evasion capabilities against malware that tries to detect its execution in a sandbox
  • NEW: Better detection capabilities
  • Stability fixes

29 Dec 2013

  • NEW: Support for GEO restriction (for details, refer to sk97877)
  • Stability fix for supporting new emulation images
  • Stability fix for the Engine Update itself

25 Nov 2013

  • Gradual upgrade support
  • Stability fix for Local Emulations - when using a large number of emulation machines (more than 33), the emulation machines would stop responding
  • Fixed a condition where DNS resolution could cause emulations to fail

13 Oct 2013

  • Fixed a possible bug in communication from the Security Gateway to the Cloud

02 Oct 2013

  • Stability fix for the Emulators of local and private cloud when dealing with malicious files
  • More efficient Cloud Service communication
  • Enhanced availability and stability of the Cloud Service
  • Fixed confusing log events in the SmartView Tracker

