Chris_Butler
Collaborator

What does File System Emulation in the Threat Emulation blade actually do and when?

I currently have R80.40 on our management server, and so I am reading the Endpoint Security R80.40 Administration Guide.

I am trying to find out what exactly the Filesystem Emulation does, and WHEN does it do it?

If you have Web Download protection set to "Do not Use" but Filesystem emulation enabled, what does that mean?

It doesn't seem like files saved to the filesystem from, say, an email attachment in the Microsoft Outlook desktop application trigger a file being sent up to ThreatCloud, nor does copying a file from a network file server to the local PC's filesystem.

Is there any better documentation as to what this component of the TE blade actually does, how it does it, and what triggers and conditions cause it to act?

 

Excerpt from the Admin Guide below for reference.

 

Web Download Protection
(from the chapter "SandBlast Agent Threat Extraction and Threat Emulation", Endpoint Security R80.40 Administration Guide, page 240)
Define the settings for the SandBlast Agent Browser Extension to protect against malicious files that come from internet sources. The Browser Extension is supported on Google Chrome.
The automatic options are:
- Protect web downloads with Threat Extraction and Emulation - Send files for emulation. While a file is tested, users receive a copy of it with all suspicious parts removed. If the file is not malicious, users receive the original file when the emulation is finished. Emulation can take up to two minutes.
- Protect web downloads with Threat Emulation - Send files for emulation. Users do not receive a copy during the emulation. If the file is not malicious, users receive the original file when the emulation is finished. Emulation can take up to two minutes.
- Do not use web download protection - The SandBlast Agent Browser Extension is not active.
When Threat Extraction is selected, it only applies to file types that can be extracted, such as documents. When Threat Emulation is selected, it only applies to file types that can be emulated, such as executables and scripts.
You can edit the selections manually to define more settings for Threat Extraction and Threat Emulation for different file types.
To change the setting for categories of file types:
1. In a SandBlast Agent Threat Extraction and Threat Emulation rule, right-click the Web Download Protection Action and select Edit Shared Action.
2. Expand the list for the type of file that you choose:
   - Files that can be extracted and emulated (such as documents and pictures).
   - Files that can only be emulated (such as executables and scripts).
   - When neither Extraction nor Emulation is supported (such as videos).
3. Select an option for emulation and access to the original file from the options shown. Different options show for different file types.
   - Extract and suspend original file until emulation completes - Send files for emulation. While a file is tested, the user receives a copy of it with all suspicious parts removed.
   - Emulate and suspend original file until emulation completes - Send files for emulation. Users only receive the files after the emulation finishes and the file was found to be safe.
   - Emulate original file without suspending access - Send files for emulation. Users can download and access the file while it is tested. The administrator is notified if files are found to be malicious.
   - Allow Download - No emulation or extraction. The download is allowed.
   - Block Download - No emulation or extraction. The download is blocked.
4. If files are extracted, select the Extract Mode, which is the format of the extracted document that users can see during the emulation.
   - Extract potentially malicious elements - The file is sent in its original file type but without malicious elements.
   - Convert to PDF - When relevant, files are converted to PDF.
5. Click OK.
To change the setting for a specified file type, such as .zip or .pdf:
1. In a SandBlast Agent Threat Extraction and Threat Emulation rule, right-click the Web Download Protection Action and select Edit Shared Action.
2. Click Override default file action per file type.
3. Select a file type.
4. Click in the File Action column to select a different action for that file type.
5. Click in the Extraction Mode column to select a different extraction mode for the file type.
6. Click OK.

File System Emulation
Define the default settings for emulation of files on the file system. The automatic options are:
- Emulate files written to file system - All files that can be emulated are automatically sent for emulation when they are written to the file system.
- Do not emulate files written to file system - Files are not automatically sent for emulation when they are written to the file system.
Monitoring is enabled by default for all options.

PhoneBoy
Admin

We’re not emulating the filesystem itself, just files written to the filesystem by any app. 
If this is disabled, the only files emulated would be ones caught by the SBA/Harmony Browse extension (as I understand it).

Chris_Butler
Collaborator

I have had file system emulation enabled with the Web download protection disabled for quite some time and I have never seen so much as a hesitation of any file being written to the filesystem anywhere.

How can I test it and look at a log to see what it is doing and when?

And by files written to the filesystem by any app, do you mean something as simple as opening excel and saving a new workbook? Or does the file have to have something to do with an app that is pulling files from the internet?

I am hoping to find some kind of documentation or evidence of what the setting does when enabled.

Emulating a file with the Web Download Browse extension takes at least 10 to 15 seconds minimum, so if every locally written file were to be emulated, that would become painfully obvious right? Or does it do this while allowing the file to be written immediately?

Any SK articles I can refer to?

Thanks for your quick replies, as always.

 

PhoneBoy
Admin

Discussed here: https://community.checkpoint.com/t5/Endpoint/Prevent-malicious-files-from-being-written-to-the-file-...
TL;DR: Eligible files are sent to the cloud in parallel and only deleted if a malicious verdict is returned.

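The behaviour described in this thread (the write is not held; an eligible file is submitted in parallel and removed only on a malicious verdict) can be checked from the endpoint itself, which is the test the original poster asked for. The following probe is an added example for this thread, not Check Point code and not from the linked discussion. It assumes a Windows endpoint running the SandBlast/Harmony Endpoint agent with "Emulate files written to file system" enabled, and it assumes that .bat, .ps1 and .js are emulation-eligible (the guide excerpt says "executables and scripts"; the exact extension list is an assumption). It only writes benign, constructed files, so the expected result on a healthy agent is that each write completes in milliseconds and the file survives the watch window.

```python
"""Probe for "Emulate files written to file system" behaviour on an endpoint.

Added example for this thread, not Check Point code. Assumes a Windows
endpoint with the SandBlast/Harmony Endpoint agent and File System Emulation
enabled; the extensions below are assumed to be emulation-eligible.
"""
import hashlib
import os
import sys
import tempfile
import time
from pathlib import Path

# Constructed, harmless probe bodies, one per extension under test.
PROBE_BODIES = {
    ".bat": b"@echo off\r\necho filesystem-emulation probe\r\n",
    ".ps1": b"Write-Output 'filesystem-emulation probe'\r\n",
    ".js": b"// filesystem-emulation probe\nvar probe = 1;\n",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_probe(path: Path, body: bytes) -> float:
    """Write body to path, force it to disk, and return wall-clock seconds taken.
    A filter that held the write until a verdict came back would show up here
    as whole seconds; a parallel submission shows up as milliseconds."""
    start = time.perf_counter()
    with open(path, "wb") as fh:
        fh.write(body)
        fh.flush()
        os.fsync(fh.fileno())
    return time.perf_counter() - start


def watch(path: Path, expected_hash: str, seconds: float, interval: float = 0.25) -> dict:
    """Poll path for `seconds`. Report whether it is still there, how long after
    the write it vanished (a post-verdict deletion), and whether its bytes were
    replaced (quarantine or cleanup would change the hash)."""
    start = time.monotonic()
    removed_after = None
    modified = False
    while time.monotonic() - start < seconds:
        try:
            current = sha256(path.read_bytes())
        except FileNotFoundError:
            removed_after = time.monotonic() - start
            break
        except PermissionError:
            # Another process (possibly the agent) holds the file open; retry.
            time.sleep(interval)
            continue
        if current != expected_hash:
            modified = True
            break
        time.sleep(interval)
    return {"present": path.exists(), "removed_after": removed_after, "modified": modified}


def run_probe(directory: Path, wait_seconds: float) -> dict:
    """Write one probe per extension into `directory`, then watch each one."""
    results = {}
    tag = f"{os.getpid()}_{int(time.time())}"
    for ext, body in PROBE_BODIES.items():
        path = directory / f"fse_probe_{tag}{ext}"
        elapsed = write_probe(path, body)
        observed = watch(path, sha256(body), wait_seconds)
        results[ext] = {"path": str(path), "write_seconds": elapsed, **observed}
    return results


def probe_tempdir(wait_seconds: float) -> dict:
    """Convenience wrapper: run the probe in a fresh temporary directory."""
    return run_probe(Path(tempfile.mkdtemp(prefix="fse_probe_")), wait_seconds)


def interpret(result: dict) -> str:
    """Map one observation onto the behaviour described in the thread."""
    if result["removed_after"] is not None:
        return f"deleted after {result['removed_after']:.1f}s (consistent with a malicious verdict)"
    if result["modified"]:
        return "content replaced while watching (something rewrote the file)"
    if result["write_seconds"] > 1.0:
        return f"write blocked for {result['write_seconds']:.1f}s (not a parallel submission)"
    return "write completed immediately and file survived (clean or not submitted)"


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(tempfile.gettempdir())
    # Default watch window exceeds the guide's "up to two minutes" emulation time.
    wait = float(sys.argv[2]) if len(sys.argv) > 2 else 150.0
    for ext, res in run_probe(target, wait).items():
        print(f"{ext}: {res['path']}: {interpret(res)}")
```

Run it as `python fse_probe.py C:\Users\<you>\Downloads 150` on the endpoint and compare the write time and survival of the same files with File System Emulation enabled versus disabled. A surviving benign file with a millisecond write time is consistent with the parallel submission described above, but it does not by itself prove the file was submitted; only the agent's or management server's own logs can confirm that, and this probe deliberately does not guess at their location.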
