This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Olga_Kuts
Advisor
‎2017-07-31 05:06 AM

Prevent malicious files from being written to the file system using SBA

How can I prevent malicious files from being written to the file system using a Threat Emulation blade of SandBlast Agent? In policies, I can only specify whether to emulate these files or not. 

11 Replies
PhoneBoy
Admin
Admin
‎2017-07-31 08:55 AM

Files have to be downloaded in order to be sent to Cloud or Local Emulation.

I know that SandBlast Agent for Browsers has a control as to whether the files are kept afterwords or not: Where does Threat Extraction SandBlast Agent for Browsers save original files 

0 Kudos
Lior_Arzi
Employee Alumnus
Employee Alumnus
‎2017-08-03 11:54 AM
In response to PhoneBoy

As Dameon wrote, Threat Extraction & Threat Emulation in the SBA browser extension will prevent the malicious files from getting to the disk.

SBA browser extension is an integral part of the Sandblast Agent installation you have.

nagaraja_cs
Contributor
‎2019-01-04 04:09 AM
In response to Lior_Arzi

Hi ,

If I copy the malicious file to the system through USB,what will be the case ?

Will that file be removed or we can't ?

Gal_Carmeli
Employee
Employee
‎2019-01-04 04:39 AM
In response to nagaraja_cs

Hi,

In this case, the local copy of the file will be removed, but the file on the USB will remain.

Thanks,

Gal

nagaraja_cs
Contributor
‎2019-01-04 04:57 AM
In response to Gal_Carmeli

Hi Gal,

Thanks for the reply.

How we can remove the file from the system ?

Gal_Carmeli
Employee
Employee
‎2019-01-04 09:52 AM
In response to nagaraja_cs

If you want the file to be deleted from the usb, you need to trigger on the file itself. If you double click the file on the usb drive and the trigger will be directly on that file, it will be deleted.

Thanks,

Gal

nagaraja_cs
Contributor
‎2019-01-04 08:54 PM
In response to Gal_Carmeli

Hi Gal,

I don't want to delete the file from the USB.

I want it to be deleted from the local PC,how we can delete this malicious file automatically from Sandblast when the verdict is malicious.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-01-04 11:24 PM
In response to nagaraja_cs

As noted in previous comments, it should not be written to the local system in the first place, so it should not need to be deleted.

Even in the case where the SBA Plugin downloads a file to send it to emulation, it is not done in a user accessible location.

Only if the file is deemed safe it is written to a user accessible location.

0 Kudos
Lior_Arzi
Employee Alumnus
Employee Alumnus
‎2021-01-09 12:35 AM
In response to nagaraja_cs

when you copy a file from USB to the local PC it is automatically sent in parallel to Threat Emulation cloud (TE).

if TE returns a malicious verdict (between a couple of sec and a couple of min, depends on the scenario), SBA will immediately delete the file.

SBA does not block the copy itself until the verdict returns. this is in order to provide a smooth user experience as the TE result can take up to a couple of min. the file is accessible immediately and is getting deleted only when a malicious verdict received from TE.

Chris_Butler
Collaborator
‎2021-09-11 09:48 AM
In response to Lior_Arzi

What are some other vectors from which a file written to the filesystem will be emulated (in parallel) not including downloading with a browser?

Save As attachment from an email in the Desktop Version of Outlook 2013?

Copying files from a file server within the same Active Directory domain to the local PC?

Creating a new Excel Document in the desktop version of Excel 2013 and doing a Save As?

Files written by a backup application like Storage Craft ShadowProtect, backup process running on one server, writing the .bkf file to another server which hosts a local backup file structure, and external backup drives, etc?

 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-09-11 01:17 PM
In response to Chris_Butler

My understanding is, assuming it is a file type we support emulation for, it would apply to all of those. 

0 Kudos