What is the impact(performance wise and other aspects) of setting Checkpoint as an MTA so as to utilize Threat Extraction?
- Threat Extraction Datasheet & Technology
- Mail Transfer Agent (MTA) - FAQ
- MTA Debugging and Performance Troubleshooting Toolkit
- Closing the Malware Gap: The Rise of Threat Extraction
SandBlast Threat Extraction removes exploitable content, including active content and embedded objects, reconstructs files to eliminate potential threats, and promptly delivers sanitized content to users to maintain business flow. It is a new technology that removes potentially malicious features that are known to be risky from files (macros, embedded objects and more - see list below).
This is a new approach to Threat Prevention: instead of determining whether a file is malicious or not, Threat Extraction cleans the file before it enters the organization. Threat Extraction prevents both known and unknown threats before they arrive at the organization, thus providing better protection against zero-day threats.
Supported file formats
Threat Extraction supports the following primary file formats. Many other formats (such as Windows Metafile) that are commonly associated with these primary formats are also supported.
| Format | Extensions |
| --- | --- |
| Adobe FDF | fdf |
| Adobe PDF (all versions) | |
| Microsoft Docfile | Microsoft Visio, Microsoft Project, etc. |
| Microsoft Excel 2007 and above | xlsx, xlsb, xlsm, xltx, xltm, xlam |
| Microsoft Excel 2007 Binary | xlsb |
| Microsoft Excel 97 - 2003 | xls |
| Microsoft PowerPoint 2007 and above | pptx, pptm, potx, potm, ppam, ppsx, ppsm |
| Microsoft PowerPoint 97 - 2003 | ppt, pps, pot, ppa |
| Microsoft Word 2007 and above | docx, docm, dotx, dotm |
| Microsoft Word 97 - 2003 | doc, dot |
Impact
The performance impact on your gateways will hardly be noticeable when simply extracting potentially malicious file contents. As always with automated file content modifications, this can result in unreadable characters or file names, causing end users to request that the original email attachment be released to them.
It's a different story when converting all files into PDF. Of course this option will provide your end users with the most secure and trustworthy email attachments. However, PDFs are not really editable, and many end users will complain that they cannot fill out an Excel sheet as intended by the sender of the email; sometimes the PDF conversion renders the resulting file almost unreadable. You need to educate your end users to be aware of these symptoms and provide them with a link within the email so that they can retrieve the original email attachment themselves.
Related SKs:
- High CPU consumption due to urandom, or "Error: Threat Extraction is not responding" displayed
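The "removes macros and embedded objects" behaviour described above, as an added example that is not part of the original post and not Check Point's own code: a small sanitizer for the OOXML (docx/xlsx/pptx) package format, which is a zip of XML parts. It drops the parts that carry active content, removes the relationships that pointed at them, rewrites `[Content_Types].xml` so a macro-enabled document becomes its macro-free equivalent, and strips the `<w:object>` element that referenced the dropped embedding so no relationship id dangles. The list of risky parts and the content-type mapping are this example's own approximation of what Threat Extraction does, and the `.docm` it operates on is constructed inline (it is not a real document). Legacy binary formats (doc/xls/ppt, the "Docfile" rows in the table) and PDF are different container formats and are not handled here.

```python
import io
import posixpath
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
# Parts that carry active content: our own approximation of the "macros,
# embedded objects and more" that Threat Extraction strips from a file.
RISKY_PART = re.compile(r"(^|/)(vbaProject\.bin|vbaData\.xml|embeddings/|activeX/)", re.I)
# Macro-enabled main-part content type -> macro-free equivalent (docm -> docx, ...).
MACRO_FREE = {
    "application/vnd.ms-word.document.macroEnabled.main+xml": "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml": "application/vnd.openxmlformats-officedocument.presentationml.presentation.main+xml",
}


def read_parts(zip_bytes: bytes) -> dict:
    """Map every part name in an OOXML (zip) package to its bytes."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return {n: z.read(n) for n in z.namelist()}


def write_parts(parts: dict) -> bytes:
    """Pack a part-name -> bytes map into a zip package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


def _xml(root, ns) -> bytes:
    ET.register_namespace("", ns)  # serialize with a default namespace, as Office does
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def sanitize_ooxml(data: bytes):
    """Return (sanitized package bytes, sorted names of the parts that were removed)."""
    parts = read_parts(data)
    removed = sorted(n for n in parts if RISKY_PART.search(n))
    for name in removed:
        del parts[name]
    # 1. Drop relationships that pointed at removed parts and remember their r:ids.
    dangling = set()
    for name in [n for n in parts if n.endswith(".rels")]:
        base = posixpath.dirname(posixpath.dirname(name))  # word/_rels/x.rels -> word
        root = ET.fromstring(parts[name])
        for rel in list(root):
            target = posixpath.normpath(posixpath.join(base, rel.get("Target", ""))).lstrip("/")
            if rel.get("TargetMode") != "External" and target in removed:
                dangling.add(rel.get("Id"))
                root.remove(rel)
        parts[name] = _xml(root, REL_NS)
    # 2. Fix [Content_Types].xml: no Override for removed parts, macro-free main part.
    root = ET.fromstring(parts["[Content_Types].xml"])
    for ov in list(root):
        if ov.get("PartName", "").lstrip("/") in removed:
            root.remove(ov)
        elif ov.get("ContentType") in MACRO_FREE:
            ov.set("ContentType", MACRO_FREE[ov.get("ContentType")])
    parts["[Content_Types].xml"] = _xml(root, CT_NS)
    # 3. Remove <w:object> elements that referenced a dropped embedding so no r:id dangles.
    obj_re = re.compile(r"<w:object\b.*?</w:object>", re.S)
    for name, body in list(parts.items()):
        if dangling and name.endswith(".xml") and b"<w:object" in body:
            text = obj_re.sub(lambda m: "" if any(f'"{r}"' in m.group(0) for r in dangling)
                              else m.group(0), body.decode("utf-8"))
            parts[name] = text.encode("utf-8")
    return write_parts(parts), removed


def build_sample_docm() -> bytes:
    """Constructed sample, not a real document: minimal .docm with a VBA project and an OLE package."""
    ole = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file magic, stands in for real binary content
    od = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    return write_parts({
        "[Content_Types].xml": f'<Types xmlns="{CT_NS}">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
        "_rels/.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{od}/officeDocument" Target="word/document.xml"/></Relationships>',
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{REL_NS}">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            f'<Relationship Id="rId2" Type="{od}/oleObject" Target="embeddings/oleObject1.bin"/>'
            f'<Relationship Id="rId3" Type="{od}/hyperlink" Target="https://example.invalid/" TargetMode="External"/>'
            '</Relationships>',
        "word/document.xml": '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            f'xmlns:r="{od}" xmlns:o="urn:schemas-microsoft-com:office:office"><w:body>'
            '<w:p><w:r><w:t>Quarterly figures attached.</w:t></w:r></w:p>'
            '<w:p><w:r><w:object><o:OLEObject Type="Embed" ProgID="Package" r:id="rId2"/></w:object></w:r></w:p>'
            '</w:body></w:document>',
        "word/vbaProject.bin": ole + b"fake VBA project",
        "word/embeddings/oleObject1.bin": ole + b"fake embedded package",
    })


if __name__ == "__main__":
    clean, removed = sanitize_ooxml(build_sample_docm())
    print("removed:", removed, "| kept:", sorted(read_parts(clean)))
```

The point of the three repair steps is the one the answer makes about user experience: simply deleting parts leaves a package that Office refuses or "repairs", so a sanitizer has to keep the package consistent (relationships, content types, referencing elements) for the user to get a file that opens cleanly, and the output is saved with the macro-free extension (docx rather than docm). Text and formatting survive; only the active content is gone.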
Thank you for the response. This is much appreciated.
We are planning to enable Threat Extraction on our gateways. We are running two 4800s on R77.30 and a smart1-205 management.
I hope the specifications of my current devices will be able to support Threat Extraction without an adverse impact.
I don't have a perfect reply for you and am curious if other people are seeing performance issues with MTA activated on a gateway. Three months ago I activated MTA/Threat Extraction; however, I was able to dedicate hardware to use exclusively for MTA/TX because I was unsure of the performance hit on our main gateway. In practice, MTA is great and has really cleaned up some email problems for us.
Greg
I have two gateways running in cluster mode. Is the hardware you have dedicated for MTA/TX one of your gateways, or how is the deployment?
The MTA function is implemented in process space on the gateway, so just make sure the gateway cores are not extremely busy in kernel space (sy/si/hi) to avoid the MTA processes having to wait a long time for the CPU. Even if there are delays caused by this, the users don't tend to notice their email getting delayed for a few seconds.
--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.
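The check suggested in the reply above (are the cores busy in kernel space, i.e. sy/si/hi, so that user-space MTA processes have to queue for the CPU?), as an added example that is not part of the original thread or of any Check Point tool: two `/proc/stat` samples are compared and the share of each core's elapsed time spent in `system`, `irq` and `softirq` (top's sy, hi and si) is reported. The two snapshots are constructed inline and are not from a real gateway; `sample_live()` assumes `/proc/stat` is readable, as on any Linux host, and the 50% threshold is an arbitrary illustration rather than a published guideline.

```python
import time

FIELDS = ("user", "nice", "system", "idle", "iowait", "irq", "softirq", "steal")
KERNEL = ("system", "irq", "softirq")  # top's sy, hi, si

# Two constructed /proc/stat snapshots, nominally one second apart (not from a real gateway).
# cpu1 is deliberately saturated with system + interrupt time.
SNAP_BEFORE = """\
cpu  1000 0 500 8000 100 50 50 0 0 0
cpu0 500 0 100 4000 50 10 10 0 0 0
cpu1 500 0 400 4000 50 40 40 0 0 0
intr 12345 0 0
ctxt 6789
"""
SNAP_AFTER = """\
cpu  1400 0 1050 8700 100 225 225 0 0 0
cpu0 800 0 150 4600 50 35 35 0 0 0
cpu1 600 0 900 4100 50 190 190 0 0 0
intr 12999 0 0
ctxt 7001
"""


def parse_stat(text: str) -> dict:
    """Map 'cpu', 'cpu0', ... to {field: jiffies} for the first eight counters of each line."""
    cores = {}
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0].startswith("cpu"):
            cores[tok[0]] = dict(zip(FIELDS, map(int, tok[1:1 + len(FIELDS)])))
    return cores


def kernel_share(before: str, after: str) -> dict:
    """Percent of each core's elapsed time spent in kernel space between the two samples."""
    b, a = parse_stat(before), parse_stat(after)
    shares = {}
    for core in a:
        if core not in b:
            continue
        delta = {f: a[core][f] - b[core][f] for f in FIELDS}
        total = sum(delta.values())
        if total > 0:
            shares[core] = 100.0 * sum(delta[f] for f in KERNEL) / total
    return shares


def starved_cores(shares: dict, threshold: float = 50.0) -> list:
    """Cores (excluding the aggregate 'cpu' line) whose kernel share exceeds the threshold."""
    return sorted(c for c, pct in shares.items() if c != "cpu" and pct > threshold)


def sample_live(interval: float = 1.0) -> dict:
    """Take two real samples from /proc/stat; assumes a Linux host where it is readable."""
    with open("/proc/stat") as f:
        first = f.read()
    time.sleep(interval)
    with open("/proc/stat") as f:
        second = f.read()
    return kernel_share(first, second)


if __name__ == "__main__":
    shares = kernel_share(SNAP_BEFORE, SNAP_AFTER)
    for core, pct in shares.items():
        print(f"{core:5s} kernel-space {pct:5.1f}%")
    print("cores where a user-space MTA process would queue:", starved_cores(shares))
```

On the constructed data cpu0 spends 10% of its time in kernel space and cpu1 80%, so the aggregate `cpu` line (45%) hides the problem; the per-core view is the one to look at before deciding whether MTA processes will get scheduled promptly.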