topic Re: Event handling on ThreatEmulation detecting malicious files? in Firewall and Security Management

Event handling on ThreatEmulation detecting malicious files?

Danny — Tue, 17 Nov 2020 11:03:48 GMT

How does Check Point notify me if I download an executable that is subsequently detected as malicious by ThreatEmulation?

Note:

Check Point ThreatPrevention uses the Optimized profile "by default, because it gives excellent security with good gateway performance."
The default handling mode of this profile is Rapid Delivery (formerly known as Background Mode).

This means the connection is allowed and the file goes to the destination even if the emulation is not finished, i.e. the gateway sends the original file to the user (even if it turns out eventually that the file is malicious).

When using Threat Extraction together with Threat Emulation it's best practice to switch to Maximum Protection (formerly known as Hold Mode). However, the Optimized profile does not automatically check and adjust accordingly.

So when Check Point delivered a file to the end user and later detects that the file was malicious.. what happens?

Will I receive an immdiate notification about this? This is critical as a malicious file was successfully downloaded.
Is an event being generated? How do I know about this?
Which SmartEvent view would allow me to check how many times such situations occured within the last 30 days?

Thanks for replying!

Re: Event handling on ThreatEmulation detecting malicious files?

Joshua — Thu, 10 Dec 2020 10:32:16 GMT

I would also be interested in this.

Re: Event handling on ThreatEmulation detecting malicious files?

Shiran_Gold — Wed, 16 Dec 2020 10:08:12 GMT

Hey Danny,

Please see answers below:

Q: Will I receive an immdiate notification about this? This is critical as a malicious file was successfully downloaded.
A: Notification will not be sent by default, see next answer for instructions how to configure such notification.

(a Detect log will be generated with a reason for file passion (GW is configured as Rapid delivery)

Q: Is an event being generated? How do I know about this?
A: in order to get a notification, we can create custom event in SmartEvent, it will be created and send notification when a log with action detect and verdict malicious will be created by Threat Emulation:

- Open SmartConsole and go to Logs and Monitor view

- Open New Tab

- At the bottom-left side menu click on :

- SmartEvent GUI will be opened

- Go to Legacy – ThreatPrevention – Right click on ThreatEmulation ad configure the conditions as followed:

Click on Save as

After creating this event, you can configure automatic reaction (for more details please refer to logging and monitoring admin guide : https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_LoggingAndMonitoring_AdminGuide/Topics-LMG/Automatic-Reactions.htm?Highlight=automatic%20reaction)

Q:Which SmartEvent view would allow me to check how many times such situations occurred within the last 30 days?
A: I have created a view for this propose (attached), in this view you’ll be able to see all files were detected with verdict malicious (you can also use the same filter in log search – Blade:ThreatEmulation AND verdict: Malicious and action: Detect).

The view contain a table with source, destination, filename, Severity, Confidence Level, and you can add/remove other fields according to environment needs.

Hope I was able to assist.

Let me know if further information is required.

Have a nice day,

Shiran