24-Dec-18

Deployment

24/12-

Engine:58.990000164

More info about new revisions: sk135413

New Features:

• Expanded Anti-Virus via Threat Prevention API support for local Threat Emulation appliances and Threat Prevention API for Anti-Virus deep scans. The new feature provides the ability to run a full AV Deep-scan using a Threat Emulation appliance. For additional details and instructions. refer to the the Threat Prevention API Reference Guide. 

• Policy Restriction Handling Control system behavior. By applying user defined restrictions, the following restriction would be supported: o Archive extraction error – Define and handle archive relate policies. o Max number of files - Define max number of files the system archive.

• Dynamic Detection Machine Learning. Adds a machine learning model that uses dynamic emulation output, specifically the API calls performed by the analyzed executable, to detect malware. It uses machine-generated features as well as sophisticated features hand-crafted by domain experts and world-class malware researchers, and leverages and constantly updates state of the art anti-evasion techniques. The machine learning is trained frequently on real production data, making its relevant, customer-facing detection rate superior to previous generations of dynamic detection schemes while maintaining a very low false discovery rate. It is the most important component of our in-house detection capabilities.

• Licensing Enforcement starting with Threat Emulation engine version 7.9. The Gateway device will also now validate the existence of a valid NGTX license when using a SandBlast appliance for emulation. However, there are some exceptions. so refer to sk140212 for details.

Improvements and Enhancements:

• Customized YARA signatures: Enable deployment of dynamic custom behavioral in the Gateway. 

• Improve detection of URL reputation by adding context data to URL rep request and identifying the file that caused the activity.

18-Nov-18

Deployment

18/11- 12/12 

More info about new revisions:

sk135413

• Introducing new detection engine - IP reputation -Preemptively reject requests that are coming from or sent to IP addresses marked as malicious, by Check Point's constant malware research activities. This engine is protocol agnostic and can detect and prevent any communication protocol.
• Introducing CADET for local emulation - CADET (Context-Aware Detection and Elimination of Threats), Check Point's newest and successfully proven AI-based technology, is now available across all SandBlast deployment options (cloud and on premise). Check Point's CADET technology continuously evolves and adapts to the changing threat landscape using machine learning to offer best in the market detection accuracy.
• Threat emulation reports now include traffic capture logs. A detailed traffic log is now available for download directly from the emulation reports, allowing users visibility of suspicious network traffic generated by examined files.
• New Threat Emulation reports are now available via a consolidated API: a newly aligned and consolidated public API for new Threat Emulation reports for both cloud and premise (appliance) environments.
• Note: backwards compatibility is supported using the "reports_version_number" field. Additional information is available in the Threat Prevention API documentation: Threat Prevention API 1.0 Reference Guide.

15 Oct 2018

Deployment

15/10 - 26/11

Engine:57.990004002

More info about new revisions:

sk135413

•  New AI powered detection engines for malware detection in documents: Our Machine just learned how to improve detection accuracy in documents. The technique used includes a combination of our techniques for CPUL and OS level emulation and machine learning algorithms to improve significantly the detection accuracy while reducing false positives. Please note that the new AI Model will initially be deployed in Threat Prevention cloud only. On-premise deployments will be supported in a later release.
• R80.10 (JHF 151) supported by TEX appliances. Support for DLL files in TE (requires Image revision 247). DLL files are emulated in a way similar as in executable files.

• Improved detection using behavioral machine learning to detect threats in executable files. Advanced automated machine learning using millions of samples to improve the accuracy of the executable behavioral machine learning detection. 
• Detection Improvement - CADET – updated machine learning model for executable files.  Incorporates new data sources from our latest engine improvement into the decision making of Cadet. This allows improvement in detection accuracy.
• Introducing a new detection engine that examines files similarity. This allows for better classification of malware family to understand the nature of the attack.
• Update frequency algorithm improved (more frequent updates).

• Improved performance of TE GC (cleanup script).
• Bug fixes: Fixed an issue that caused TE to restart when the cache is full. 

Deployment

7/10-14/10 

• Remove writing to cloud emulator local cache.
• Changed check for update frequency.
• Released to cloud emulators (not to gateways).

28 Sep 2018

Deployment 

28/9 - 29/9

Engine:57.990002817

• Changed check for update frequency
• Released to gateways (not to cloud emulators).

4 Sep 2018

Deployment 

3/9 - 26/9

Engine:57.990002814

More info about new revisions:

sk135413

•  TE Local Emulation for version R80.20 has been changed to version R80.20 GA.
• Fixed an issue with licensing that caused some emulators not to use the full capacity.

13 Aug 2018

Deployment

13/8 - 28/8

Engine:57.990002774

(Cloud 572772)

IMAGE-READY = 234

29/-Jul_18

Deployment

29/7 - 9/8

*****

Revert Engine to 7.2 :57.990002736

Only for part of the appliances

********

Engine:57.990002731

IMAGE-READY = 234

•  NEW SandBlast Threat Emulation report. For specific availability details, refer to sk120357
•  Error Granularity Manager. For more information, refer to sk132492

08-Jul-2018

Deployment 

8/7 - 19/7 

Engine:57.990002686

*****

Revert Engine :57.990002736

********

IMAGE-READY = 234

 • Add support for macOS file types to both SandBlast Emulation Cloud and locally. For more details see sk130652

• Return low confidence in case only few events were seen during emulation of documents.

14-Jun-2018

Deployment: 25/6 - 5/7

Engine:57.990002630

IMAGE-READY = 234

• Apply YARA rules to file types supported by TE. For more details see sk123156.

• Added new supported file types : PowerShell (.ps1) and Batch files (.bat)
• Added new supported file types following recent campaigns: SYmbolic LinK files (.slk ) and Excel Web Query file (.iqy)
• Cache Purger - a mechanism which reduces FP rate for cloud customers (GWs which use the "sharing" feature will also benefit from this mechanism).
• Avoiding the scenario where TE stops emulation while the logs continue to write to disk and thus the emulation enters fail mode. For more details see sk124712

Engine:57.990002566

IMAGE-READY = 234

• CADET (Context-Aware Detection and Elimination of Threats)

1. CADET improves Threat Emulation precision by incorporating all existing Threat Emulation features in Machine Learning (ML) mode. ML is tuned to improve accuracy, increasing the number of threats detected and reducing the number of false positives.
2.  Currently, CADET focuses on executable files, and applies only to cloud emulations. 

• Threat Prevention by file source URL.
• Improved Static Macro analyzer. Improved detection of malicious macros in Office documents.
• Improved executable file analysis performance by approximately 40%.
• YARA for all file support – Early Availability. This feature is currently off by default. 
• New anti-evasion techniques. 
• Additional features in Threat Emulation reports:

1. Added tecli command for configuring the malicious file password.
2.  Added HTTP attack vector which includes the download source URL and its reputation.
3. Added time stamp to the attack vector.
4.  Added the option to download packet capture.
5.  Show the entire file path for archive/dropped/embedded descendants.
6.  Show emulation video instead of static screenshots.

• Improved Cloud Emulation queue wait time by approximately 50%.

Engine:

56.990002329

IMAGE_READY = 234

 • Added support for .bat and .cmd files that arrive in mail attachments.

These file types are not available in the Threat Emulation Supported File Types menu.

• Detection improvements and FP reduction

Introduced advanced human simulation – Threat Intelligence group has observed many files in the wild that were using a new evasion technique (implementation in images rev. 234)

• CADET for executable files only – silent mode o

Cadet aims to improve Threat Emulation precision on executable files by transferring all of existing TE features (such as emulation results, reputation, and others) to a AI model tuned to improve accuracy – increase detection and reduce false positive. Cadet is focused preliminary on executable files, and will apply only for cloud emulations at this first stage.

Cadet is currently being deployed in Silent mode – meaning it does not change the verdict on TE.

• FP handling improvement 

Smarter management of global TE Cloud Cache, to increase cached verdict reliability and prevent FP pollution.

Engine: 56.990002262

IMAGE_READY = 226

15 Jan 2018

Deployment:

15/01/18 - 05/02/18

Engine: 56.990002053 More info about new revisions: sk122374

•  Improved detection
  • Added support for 64bit Binaries using live machine learning detection. 64bit Binaries will be emulated on the 64bit images (win 7 64, Win 8.1 64 and Win 10).
• NEW THREAT EMULATION REPORTS - currently in EA and applied for R80.10 - sk120357
• Issues from 6.12 that were released as offline only
  
  • Please see below

 21 Dec 2017

Only offline

Engine: 55.990001865

Images_Ready: 209

File_Types - TE_FILE_TYPES_MAP

Version: 38

• Fixed an issue where the system attempted to emulate non-relevant content types when downloading files from .com domains
• Support for *.xz file type 
• Stability improvements

• Fixed issue related to rare condition in private cloud emulation were files are stuck in uploading state in case the first rule in the policy is not installed on the GW.

Images_Ready: 208 

• New Threat Emulation Reports (currently in EA) - please refer to sk120357
  • Embedded-file drill-down - For emulations of archives, droppers, and documents embedding other files: click on any of the embedded/dropped files with malicious verdict to drill down on its emulation report.
  • Graphic attack vector for SMTP
• Bug fixes and improved detection
  • Fixed an emulation performance issue that affected some customers
  • Improved detection of documents with macros
  • Stability fixes

06 Nov
2017

Engine: 55.990001748

Images_Ready: 207 

•  New Threat Emulation Reports (currently in EA) - please refer to sk120357
  • Support of Archive files - Reports of archive files display a table listing all files in the archive with an individual verdict for each file
  • Support of "Actions"
    • Contact Check Point Incident Response Team
    • Generate a CSV of the emulation activity timeline
• Improved Detection of DDE-based attacks

26 Sep
2017

Engine:

55.990001702

Executable_Analyze:

541553

Images_Ready:

204

• Revolutionized TE reports
  • Beta release - follow sk120357 to enable this feature on R80.10 Security Gateways for PoCs and evaluation.
  • Enriched IOCs – we are extracting many more indicators of compromise from emulation sessions of malicious files and including them in the TE reports.
  • Revised UI and workflow.
    Note: This is work in progress - the new report is not generated by default. The new report can be enabled on R80.10 Security Gateway for PoCs and evaluation.
• Several improvements to some of TE detection engines
  • Improved machine learning model
  • Reduced number of False Positive

13 Aug
2017

Engine:

54.990001557

• Fixed issue regarding embedded link inspection in Private Threat Cloud environments. 
• Fixed unnecessary disk space usage on Security Gateways

09 Aug
2017

Engine:

54.990001312

• Minor bug fixes
• Reduced number of False Positive caused by JS embedded in PDF
• Early Availability of R80.10 support for SandBlast TE250X, TE1000X, TE2000X appliances:
  • To participate, you need to upgrade the SandBlast TEX appliance to R80.10 and make sure that this TE engine is installed
  • Note: Do not use R80.10 on TE100X model at this point.

19 July
2017

Engine:

54.990001309

More info about new revisions:

sk119144

• Performance improvement
  • Improved files processing throughput for Security Gateways sending files to be emulated by SandBlast cloud service or in SandBlast TE appliance deployment. The improvement significantly reduces possible issues caused by queue of files in upload by uploading several files in parallel.
• Improved detection
  • Improved simulation of user interaction
  • Integration with new network reputation service that contains advanced algorithms for improving malware network activity detection.
• License enforcement
  • Validate NGTX license for Security Gateways working with TE appliances and for inline TE appliances - applicable for new TE appliance SKUs launched in October 2017 - sk119133
• Infrastructure for fast OS image update
  • New infrastructure for OS image updates, allowing much smaller updates and much shorter downtime (minutes instead of hours). Image Initialization phase reduced to a few seconds.
• Updated OS Images 
  The new images include general OS improvements and Creators Update for Windows 10:
  • "Win10 64b,Office 2016,Adobe DC"
  • "Win7,Office 2010,Adobe 9.4"
  • "Win7 64b,Office 2010,Adobe 11"
    
    Note: Before upgrading the TE Engine, make sure that you have 160 GB of free disk space!

06 July
2017

Engine:

54.990001252

Fix related to file descriptor leak in logs in R80.10.
For more details, see sk117672.

25 June 2017

Engine:

54.990001250

• Improved detection by Macro analyzer
• Support for TLS 1.2 Jumbo HF
• Reduced scan engine core dumps
• Reduce False positive

Engine:

54.990001196

•  General bug fix 

Engine:

54.990001195

• Security fix: In links inside mail - fix error under load

23 May 2017

Engine:

54.990001194

UID:

Scanengine Package:

64696D61-A095-47E8-B819-3A3A9FF7FC66

Version: 5

• Multiple Remote
  • Multiple Remote was introduced in engine update 6.5, allowing Security Gateways from separate management SIC domains to connect to the same TE appliance.
  • This updated removes several Multiple Remote limitations:
    • Multiple Remote now supports VSX gateways
    • Multiple Remote now supports 64-bit gateways (for more details, refer to sk102309)
• New configuration options
  • Added the ability to configure the maximum number of files, which are extracted from archive for emulation: 
    tecli -> advanced -> archive -> extract -> max_extracted_files_limit -> set Number_0-500
• Ransomware detection
  • Improved detection of ransomware - a new Threat Emulation engine monitors data file tampering within sandbox sessions
• Important bug fixes
  • Fixed scenarios, in which there are missing screenshots in Threat Emulation reports
  • Added support for UTF-8 file names in archives
  • Cleaned up debug logs in ted.elg

06 April 2017

Engine:

54.990001153

UID:

9B2ACBA1-70C0-4C32-AA7F-03F85F67DB09

Version: 2

UID:

10B4A9C6-E414-425C-AE8B-FE4DD7B25244

Version: 4

• Improvements in Early Verdict for prevent (the early verdict provides partial response when the file is malicious)
• Improved support for Multiple Private Cloud Appliances - added support for different management domains (sk102309 - section "(9) Configure Security Gateway to use a remote Threat Emulation Private Cloud Appliance that is managed by a different Management Server")
• Improved detection

12 March 2017

6.4

Engine:

53.990001139

UID:

10B4A9C6-E414-425C-AE8B-FE4DD7B25244

Version: 11

• Windows 10 support - User will be able to emulate non-executable files on Windows 10 64-bit
• Early Verdict for prevent - The early verdict provides partial response when the file is malicious - sk117168
• Improve detection:
  
  • Detection of SHA-1 collision attacks (SHAttered attack - sk116141)
  • Provide detection for PDF with embedded links including phishing attempts
• tecli command improvement - enable/disable internally supported file types
• Bug fixes:
  
  • Reduced false-positives in Macro detection
  • Resolved storage cleanup issues

19 Feb 2017

6.3

Engine:

51.990001127

• Ransomware campaigns detection improvement - new file type supported:
  
  • *.vbs file type in archives attached to e-mail
  • *.wsf file type in archives attached to e-mail
• R80.10 compatibility - TE Engine will now be able to run across multiple Gaia releases.
• Bug fixes Bugs fixes related to "Push Forward" that result in error

16 Jan 2017

6.2

Engine:

48.990000062

WEM_phase_1 - TE_IMAGE

1AFBDE2E-D593-45A8-A686-6CBD42F37823

Version:2

WEM_phase_2 - TE_IMAGE

1B0C5014-714D-47F3-9B10-0B7EE386E745

Version:2

• New:
  
  • "Push Forward" emulation (sk115376)
  • Malicious Macro detection (sk115418)
• Additional fixes:
  
  • Improved stability of CPU Level emulation
  • Reduced emulation errors in CPU Level emulation

28 Nov 2016

6.1.2

Engine:

47.990001022

File_Types - TE_FILE_TYPES_MAP

779739FA-FDB7-473A-9688-8EFAF60A05C2

Version: 37

Executable_Analyzer - TE_EXE_ANALYZER

Version: 471022

• NEW:
  
  • Support for *.cpl file type
  • Support for *.vbs, *.jse, *.vba, *.vbe, *.wsf and *.wsh file types in archives attached to e-mail
• Improved password extraction from e-mail body (special hotfix is required)
• Performance and quality improvements

08 Nov 2016

6.1.1

Engine:

47.990001008

• Security Fix - classifier fix in order to deal with macro enable Office files
• Main bug fixes:
  
  • Engine update - fixed EU6.1 emulator emulating unsupported file types:
    
    • Matter reported/reproduced under the following scenarios: unsupported file types sent through API, ICAP client and Security Gateway running Engine Update 6 with unsupported file types inside archive
  • Core in Hotfix with links during stress tests
  • "tecli advanced archive extract ..." commands were deleted in D6.1 - reverted the change
  • Threat Emulation daemon crash that occurs in stress or in scenarios related to password protected archives.

25 Sep 2016

6.1

Engine:

47.990000102

• Threat Emulation File Analyzer: sk112312
  • Files embedded in documents will be extracted and emulated
  • Ability to block certain embedded files using command line
  • Documents containing Links (URLs) - reputation will be checked using Check Point ThreatCloud
• Encrypted archives: sk112821
  
  • Attempt to decrypt the commonly used archives using a passwords dictionary
  • User defined password phrases support
  • Ability to prevent password protected files in case of decryption failure
    ("Prevent" action will occur only when Emulation Connection Handling Mode is configured to 'Hold')
• NEW: Support for *.com, *.iso archive, and *.js file in archives attached to e-mail
• Independent profile configuration for SandBlast appliance - sending Gateway and SandBlast appliance are not required to carry the same policy
• Executable machine learning detection engine improvements
• In total: 110+ bug fixes and quality improvements

25 Jul 2016

6.0.2

Engine:

46.990000189

• Added support for SHA-256 based certificates for Threat Emulation Engine self-update (sk103839, sk113333)

13 Jun 2016

6.0.1

Engine:

46.990000187

• Check Point response to CVE-2016-3712 and CVE-2016-3710 vulnerability in QEMU
• Bug fix in update routine for VSX deployments

25 Apr 2016

6

Engine:

46.990000181

Images:

UID: 3FF3DDAE-E7FD-4969-818C-D5F1A2BE336D, Revision: 14

UID: 5E5DE275-A103-4F67-B55B-47532918FA59, Revision: 22

UID: 6c453c9b-20f7-471a-956c-3198a868dc92, Revision: 15

UID: E50E99F3-5963-4573-AF9E-E3F4750B55E2, Revision: 53

UID: 8D188031-1010-4466-828B-0CD13D4303FF, Revision: 24

UID: 7E6FE36E-889E-4C25-8704-56378F0830DF, Revision: 53

• NEW: 64-bit OS images - Windows 8.1 and Windows 7
• NEW: Detecting links to malicious files inside e-mails (refer to sk115313)
• NEW: SMEP Detection - detect privilege escalation attempts
• NEW: Support for *.gz and *.bz2 archives
• Improved file classification
• Enhanced malicious executable detection:
  
  • User Access Control - Detect malicious attempts to bypass the Windows UAC mechanism
  • Icon similarity - Detect executables whose program icon is similar to known application documents
  • Machine learning detection engine improvements
• Deep scan:
  
  • Significant memory usage reduction for Anti-Virus deep scan (requires a hotfix - will be available soon)
  • Integrated additional deep scan capabilities in TE
• Images initialization duration improvements
• Bug fixes and quality improvements:
  
  • CPU-level engine - reduced FPs, improved stability
  • Solved cluster fail overs due to TE blade
  • Improved JAR static analysis
• In total: 190+ features and bug fixes

17 Apr 2016

5.1.1.1

Engine:

44.990000115

• Update routine improvements

20 Jan 2016

5.1.1

Engine:

44.990000110

• Check Point response to CVE-2016-1714 - see sk109700

16 Nov 2015

5.1

Engine:

[8 Dec]: 44.990000107

[16 Nov]: 44.990000099

Images:

UID: E50E99F3-5963-4573-AF9E-E3F4750B55E2, Revision: 47

UID: 7E6FE36E-889E-4C25-8704-56378F0830DF, Revision: 50

UID: 5E5DE275-A103-4F67-B55B-47532918FA59, Revision: 20

UID: 8D188031-1010-4466-828B-0CD13D4303FF, Revision: 22

• NEW: Optimized OS images for improved detection
• NEW: recommended OS image carrying up-to-date software for enhanced detection
• Bug fixes and quality improvements:
  
  • Confidence level for executable files
  • Performance degradation when using Hybrid mode

25 Aug 2015

5

Engine:

[7 Sep]: 43.990000082

[25 Aug]: 43.990000078

Images:

UID: E50E99F3-5963-4573-AF9E-E3F4750B55E2, Revision: 47

UID: 7E6FE36E-889E-4C25-8704-56378F0830DF, Revision: 49

UID: 5E5DE275-A103-4F67-B55B-47532918FA59, Revision: 19

UID: 8D188031-1010-4466-828B-0CD13D4303FF, Revision: 21

• NEW: CPU level Threat Prevention:
  
  • Supported on TE100X, TE250X, TE1000X and TE2000X appliances
  • Hotfix from sk107333 may be required after updating the engine
• NEW: Support for *.pif file type
• Improvements in detection ratio
• Bug fixes and quality improvements

30 Jul 2015

4.1

Engine:

24.990000258

Images:

UID: E50E99F3-5963-4573-AF9E-E3F4750B55E2, Revision: 45

UID: 7E6FE36E-889E-4C25-8704-56378F0830DF, Revision: 47

UID: 5E5DE275-A103-4F67-B55B-47532918FA59, Revision: 17

UID: 8D188031-1010-4466-828B-0CD13D4303FF, Revision: 19

• NEW: Public API for emulation services
• NEW: Network based detection
• NEW: Threat Cloud advisory
• NEW: Support for *.cab and *.tgz archives
• NEW: Full ZIP archive scanning
• NEW: Dropped files emulation
• Improvements in detection ratio of *.exe
• Improvements in stability - persistent file emulation queue
• Bug fixes and performance improvements

14 May 2015

4.0.1

Engine:

24.990000010

• Check Point response to CVE-2015-3456 (VENOM) - see sk106060

15 Feb 2015

4

Engine:

24.990000009

Images:

UID: 5e5de275-a103-4f67-b55b-47532918fa59, Revision: 15

UID: 7e6fe36e-889e-4c25-8704-56378f0830df, Revision: 45

UID: 8d188031-1010-4466-828b-0cd13d4303ff, Revision: 16

UID: e50e99f3-5963-4573-af9e-e3f4750b55e2, Revision: 44

• NEW: Support for Flash file type
• NEW: Support for Java file type
• Improvements in detection of *.exe and *.scr files by adding behavioral features and using a decision mechanism that is based on a machine learning model
• VSX improvements
• Support for SHA256 as part of the logging information
• Added the TTL mechanism to the local cache on the Security Gateway
• Bug fixes

03 Sep 2014

Engine:

• NEW: Support of Multiple Private Cloud Appliances - see sk102309
• NEW: Support for *.scr file type
• NEW: Skipping emulation for known good files according do domains and certificates
• New version of the Static analysis mechanism
• Stability fixes - Enhanced handling of files, which generate extensive forensics data/reports

27 Apr 2014

Engine:

• NEW: Support for archive caching
• NEW: Support for dropping of archive files that contain certain file types
• NEW: Better file classification abilities
• NEW: Enhanced detection of emulation process tampering
• Stability fix - Possible memory leak in certain circumstances

06 Feb 2014

Engine:

• NEW: Support for executable emulation
• NEW: Support for archives (ZIP, RAR, TAR and 7z)
• NEW: Anti-evasion capabilities against malware that tries to detect its execution in a sandbox
• NEW: Better detection capabilities
• Stability fixes

29 Dec 2013

Engine:

• NEW: Support for GEO restriction (for details, refer to sk97877)
• Stability fix for supporting new emulation images
• Stability fix for the Engine Update itself

25 Nov 2013

Engine:

• Gradual upgrade support
• Stability fix for Local Emulations - when using large number of emulation machines (more than 33), the emulation machines will stop responding
• Fixed a condition where DNS resolving can cause emulations to fail

13 Oct 2013

Engine:

• Fixing a possible bug in communication from Security Gateway to Cloud

02 Oct 2013

Engine:

• Stability fix for the Emulators of local and private cloud when dealing with malicious files
• More efficient Cloud Service communication
• Enhancing availability and stability of the Cloud Service
• Fixed confusing log events in the SmartView Tracker