topic Re: Threat Emulation and Threat Extraction testing resources in Firewall and Security Management

Threat Emulation and Threat Extraction testing resources

Don_Paterson — Thu, 08 Jan 2026 20:58:39 GMT

Is there a documented public test/procedure that can be used to test the TE and TEX blades?

I am thinking a site hosting testing files (benign) that will generate logs. Meaning that the blades will work with the files downloaded through the gateway, emulating and scrubbing.

Also useful/favourite commands, e.g.

cpview

tecli show statistics

cpstat threat-emulation -f general_statuses

cpstat threat-emulation -f contract

tecli show cloud quota

nslookup -query=SRV te.checkpoint.com

Note:

Please do not suggest CPCHECKME

Re: Threat Emulation and Threat Extraction testing resources

Lesley — Thu, 08 Jan 2026 21:51:58 GMT

This will be a challenge. There are some ''fake'' test virus out there like EICAR. But all vendors are already aware. I would build something in vmware, isolate it from the rest and use this as a test case to download and receive e-mails. EICAR you can send as attachment, then atleast you know you configured the basics correctly. If it arrives at the client you know something is up. Not sure if the e-mail provider will send it tho.

Or what do you think something like this? https://learn.microsoft.com/en-us/defender-office-365/attack-simulation-training-simulations?view=o365-worldwide

Re: Threat Emulation and Threat Extraction testing resources

the_rock — Thu, 08 Jan 2026 23:44:03 GMT

Excellent post, Don. Im not personally aware of any other site, other than eicar, but would be awesome if this could be tested.

Re: Threat Emulation and Threat Extraction testing resources

Tom_Hinoue — Fri, 09 Jan 2026 00:48:52 GMT

I usually test in lab using a test Word file (demo.doc) that was available when there was a test link for Threat Emulation in ThreatWiki. Does any one remember it? 🤔

I'm still wondering why the test link was removed from the site...

Re: Threat Emulation and Threat Extraction testing resources

the_rock — Fri, 09 Jan 2026 00:50:30 GMT

O yea, thats right, I remember that.

Re: Threat Emulation and Threat Extraction testing resources

Don_Paterson — Fri, 09 Jan 2026 09:32:27 GMT

Thanks @Lesley

I think that is more about testing Microsoft Defender security.

It would be nice to have an official test procedure (plus resources) that Check Point documents and maintains (outside of PoC and Partner demo (DemoPoint) tools).

I have found these two links and done minimal testing.

The results are good because they show that TE is working and scanning files. It finds malware and logs it, and it is not a Check Point associated repo (added bonus in this case).

https://github.com/rakeshcorp/sandbox-samples/tree/master/anti-vm

https://github.com/ytisf/theZoo - Use carefully, lab only

Time permitting I will look into this some more and see what can be used and added in here.

Re: Threat Emulation and Threat Extraction testing resources

Chris_Atkinson — Fri, 09 Jan 2026 12:36:22 GMT

I'm checking current accessibility but cpcheckme previously assisted in this regard.

Re: Threat Emulation and Threat Extraction testing resources

Don_Paterson — Fri, 09 Jan 2026 12:24:34 GMT

Thanks Chris.

But that is in my avoid list.

CPCHECKME underwent the big makeover last year and it changed the way it worked (end user experience).

Also broke the CTPS course lab steps that used it before.

Long story short. I always had problems with it and had to use Firefox to be sure it would work. Then it got a facelist and because it is a Marketing department tool the message was - too bad, don't use it in labs.

That's my honest view. So I am looking for more valid technical testing tools.

Re: Threat Emulation and Threat Extraction testing resources

Don_Paterson — Fri, 09 Jan 2026 12:29:31 GMT

Another point.

It is http://checkme.checkpoint.com and not cpcheckme.... All part of the makeover....

Right now it is http (as above) and NOT https.

Not at all confusing..

Re: Threat Emulation and Threat Extraction testing resources

Don_Paterson — Fri, 09 Jan 2026 12:44:26 GMT

That note I added to not suggest CPCHECKME/CHECKME was to avoid this noise.

I just ran it and it triggers IPS, AV and AB but not TE and TEX.

That made it great for CTPS course labs because those first three blades are covered in that course.

Putting the training aside, the real-world testing would want to cover all the blades and offer a few examples of each.

Re: Threat Emulation and Threat Extraction testing resources

Don_Paterson — Fri, 09 Jan 2026 12:41:14 GMT

The Endpoint executable download test triggers TE on the gateway but it was the Endpoint test and not the Network test..