https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capsule-Cloud-Threat-Emulation/m-p/52151#M13348 Tell me about this one: EP Antibot downloads a .tar file from secureupdates.checkpoint.com that results in 'detect', reason: file size exceeded size limit, if this is whitelisted then why is the file size limit reached. Mon, 29 Apr 2019 15:21:19 GMT Dan_Roddy 2019-04-29T15:21:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capsule-Cloud-Threat-Emulation/m-p/52002#M13344 <P>The following domains deliver files to our client Windows 10 workstations and mobile Surface books that are continuously Emulated despite my efforts to bypass emulation.&nbsp; I do not consider files that deliver windows updates, checkpoint updates, symantec updates and others to be risky and emulating them is using unnecessary resources of time and licensing.&nbsp; Has anyone tried to bypass cloud emulation for these domains?</P><P>&nbsp;</P><P>Thank you,</P><P>&nbsp;</P><P>Dan&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 26 Apr 2019 21:54:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capsule-Cloud-Threat-Emulation/m-p/52002#M13344 Dan_Roddy 2019-04-26T21:54:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capsule-Cloud-Threat-Emulation/m-p/52021#M13345 <P><SPAN>Does the source in the emulation log say "Trusted Source" ?</SPAN></P> <P><SPAN>Some of those "domains" or "services" you mention shouldn't actually result in the file being sent out to the cloud for emulation thanks to a global white list.&nbsp;</SPAN></P> <P>&nbsp;</P> Sat, 27 Apr 2019 09:33:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capsule-Cloud-Threat-Emulation/m-p/52021#M13345 Chris_Atkinson 2019-04-27T09:33:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capsule-Cloud-Threat-Emulation/m-p/52147#M13346 Thanks for the reply Chris, Yes for liveupdate.symantecliveupdate.com does show trusted source and benign verdict. But in this case, the file being emulated is a 7z filetype and all indications are the file is emulated. Also, I have Office templates in .cab files and also windowsupdate .cab (trused source:yes) and all these show 'analyzed_on' Check Point Threat Cloud. Where is the whitelist? Mon, 29 Apr 2019 14:51:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capsule-Cloud-Threat-Emulation/m-p/52147#M13346 Dan_Roddy 2019-04-29T14:51:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capsule-Cloud-Threat-Emulation/m-p/52148#M13347 Another candidate for whitelisting is 'content.ivanti.com'. Ivanti has a patching application and they deliver windows patch files in .zip files. These file are extracted and deliver a benign verdict for every file in the zip. Multiply all these patch file by the number of workstations and you can see why our emulation file count per month is quite high. Can this work as advertised? Won't all these patch files from Microsoft have the same hash value? Mon, 29 Apr 2019 14:59:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capsule-Cloud-Threat-Emulation/m-p/52148#M13347 Dan_Roddy 2019-04-29T14:59:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capsule-Cloud-Threat-Emulation/m-p/52151#M13348 Tell me about this one: EP Antibot downloads a .tar file from secureupdates.checkpoint.com that results in 'detect', reason: file size exceeded size limit, if this is whitelisted then why is the file size limit reached. Mon, 29 Apr 2019 15:21:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capsule-Cloud-Threat-Emulation/m-p/52151#M13348 Dan_Roddy 2019-04-29T15:21:19Z