Daniel_Ndiba
Participant

What is the impact(performance wise and other aspects) of setting Checkpoint as an MTA so as to utilize Threat Extraction?

5 Replies
Danny
Champion

Threat Extraction Datasheet & Technology

Mail Transfer Agent (MTA) - FAQ

MTA Debugging and Performance Troubleshooting Toolkit

Closing the Malware Gap: The Rise of Threat Extraction


SandBlast Threat Extraction removes exploitable content, including active content and embedded objects, reconstructs files to eliminate potential threats, and promptly delivers sanitized content to users to maintain business flow. It is a new technology that removes potentially malicious features that are known to be risky from files (macros, embedded objects and more - see list below).


This is a new approach for Threat Prevention: instead of determining whether a file is malicious or not, Threat Extraction cleans the file before it enters the organization. Threat Extraction prevents both known and unknown threats before they arrive to the organization, thus providing better protection against zero-day threats.

Supported file formats

Threat Extraction supports the following primary file formats. Many other formats (such as Windows Metafile) that are commonly associated with these primary formats are also supported.

| Format | Extensions |
|---|---|
| Adobe FDF | fdf |
| Adobe PDF (all versions) | pdf |
| Microsoft Docfile | Microsoft Visio, Microsoft Project, etc. |
| Microsoft Excel 2007 and above | xlsx, xlsb, xlsm, xltx, xltm, xlam |
| Microsoft Excel 2007 Binary | xlsb |
| Microsoft Excel 97 - 2003 | xls |
| Microsoft PowerPoint 2007 and above | pptx, pptm, potx, potm, ppam, ppsx, ppsm |
| Microsoft PowerPoint 97 - 2003 | ppt, pps, pot, ppa |
| Microsoft Word 2007 and above | docx, docm, dotx, dotm |
| Microsoft Word 97 - 2003 | doc, dot |

Impact

The performance impact on your gateways will hardly be noticeable when simply extracting potentially malicious file contents. As always with automated file content modifications, this can result in unreadable characters or file names, causing end users to request having the original email attachment released to them.

It's a different story when converting all files into PDF. Of course this option will provide your end users with the most secure and trustworthy email attachments. However, PDFs are not really editable and many end users will complain that they cannot fill out an Excel sheet as meant by the sender of the email, and sometimes the PDF conversion renders the resulting file almost unreadable. You need to educate your end users to be aware of these symptoms and provide them with a link within the email so that they can retrieve the original email attachment themselves.

Related SKs:

High CPU consumption due to urandom, or "Error: Threat Extraction is not responding" displayed

When Threat Extraction converts a PDF file, the output PDF file has many layers that are rendered sl...

Files are renamed by Threat Emulation and Threat Extraction with specific special characters in the ...

Daniel_Ndiba
Participant

Thank you for the response. This is much appreciated.

We are planning to enable Threat Extraction on our Gateways. We are running two 4800s on R77.30 and a smart1-205 Management.

I hope the specifications of my current devices will be able to support Threat Extraction without an adverse impact.

Gregory_Welch
Participant

I don't have a perfect reply for you and am curious if other people are seeing performance issues with MTA activated on a Gateway. Three months ago I activated MTA/Threat Extraction; however, I was able to dedicate hardware to use exclusively for MTA/TX because I was unsure of the performance hit on our main gateway. In practice, MTA is great and has really cleaned up some email problems for us.

Greg

Daniel_Ndiba
Participant

I have two gateways running in cluster mode. Is the hardware you have dedicated for MTA/TX one of your gateways, or how is the deployment?

Timothy_Hall
Champion

The MTA function is implemented in process space on the gateway, so just make sure the gateway cores are not extremely busy in kernel space (sy/si/hi) to avoid the MTA processes having to wait a long time for the CPU. Even if there are delays caused by this, the users don't tend to notice their email getting delayed for a few seconds.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
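One way to run the kernel-space check described above from the shell, added here as an example and not taken from Timothy's post or from any Check Point tool: it compares two /proc/stat snapshots (assumed to be available on the gateway's Linux-based OS) and lists the cores whose system + irq + softirq share (the sy/hi/si columns in top) exceeds a threshold. The two snapshots embedded below are constructed sample data, not readings from a real gateway.

```shell
#!/bin/sh
# Report cores spending more than THRESHOLD % of their time in kernel space
# between two /proc/stat snapshots. /proc/stat cpuN columns (assumed Linux
# layout): user nice system idle iowait irq softirq steal guest guest_nice.
# Kernel-space share = (system + irq + softirq) / all time, matching sy+hi+si.

# kernel_busy_cores SNAPSHOT1 SNAPSHOT2 THRESHOLD_PERCENT
# Prints "cpuN <percent>" for each per-core line above the threshold.
kernel_busy_cores() {
    awk -v thr="$3" '
        FNR == 1 { file++ }                  # 1 = first snapshot, 2 = second
        /^cpu[0-9]+ / {
            total = 0
            # Sum fields 2..9 only: guest time is already counted inside user.
            for (i = 2; i <= 9 && i <= NF; i++) total += $i
            kern = $4 + $7 + $8              # system + irq + softirq
            if (file == 1) { t1[$1] = total; k1[$1] = kern; next }
            dt = total - t1[$1]; dk = kern - k1[$1]
            if (dt > 0 && 100 * dk / dt > thr)
                printf "%s %.1f\n", $1, 100 * dk / dt
        }' "$1" "$2"
}

# Constructed sample snapshots: cpu0 is mostly user/idle, cpu1 is dominated
# by system + softirq time (the situation that would starve MTA processes).
SNAP1=$(mktemp); SNAP2=$(mktemp)
trap 'rm -f "$SNAP1" "$SNAP2"' EXIT
cat > "$SNAP1" <<'EOF'
cpu  1000 0 500 3000 10 50 100 0
cpu0 500 0 100 1400 5 10 20 0
cpu1 500 0 400 1600 5 40 80 0
EOF
cat > "$SNAP2" <<'EOF'
cpu  1220 0 1100 3300 10 110 260 0
cpu0 700 0 150 1600 5 20 40 0
cpu1 520 0 950 1700 5 90 220 0
EOF

# Cores above 70 % kernel-space time in the sample interval: prints "cpu1 86.0"
kernel_busy_cores "$SNAP1" "$SNAP2" 70

# Live use on a gateway: take two snapshots a few seconds apart, then compare.
#   cat /proc/stat > /tmp/s1; sleep 10; cat /proc/stat > /tmp/s2
#   kernel_busy_cores /tmp/s1 /tmp/s2 70
```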
