- Products
- Learn
- Local User Groups
- Partners
- More
What's New in R82.10?
Watch HereWhen the Agents Attack
A Live Look at Agentic Exposure Validation
AI Security Masters E8:
Claude Mythos: New Era in Cyber Security
CheckMates Go:
CheckMates Fest
Hi,
Is there a minimum file size for emulation.
I tried downloading a file from eicar.com which was 68 Bytes. But it didnt get emulated, while a file size of 308Bytes got emulated from the same site.
Is this configurable in TE appliance, where we could define the minimum and maximum file size for emulation.
also, Is it possible to exclude some traffic for emulation.
Regards,
Biju
If you are running anti-virus while downloading the eicar file, it should have caught it and not have to be emulated.
Maximum file size can be configured. In R80.10 you can find it in "Manage & Settings -> Blades -> Threat Prevention -> Theat Emulation".
As far as I know, there is no lower limit, and it can't be configured
In the threat prevention policy, you decide the "Protected Scope". Here you decide what traffic you want to be inspected according to which Threat prevention profile. So if you wish that some traffic should not be emulated, you can define a new rule, with a threat prevention profile that does not run Threat emulation.
This is assuming your activation mode is According to policy (Check Open the TE unit-> Threat Emulation)
The reason for my question was I was trying to download a file from eicar.com which was 68Bytes and it didn't emulate. However a 308Bytes file got emulated. From the same website.
What could have happened that the 68Byte file didn't emulate.
Regards,
Biju Nair
Sent from my iPhone
I'm not sure. Was it the HTTPS file maybe and you are not running HTTPS inspection?
What does your traffic logs say?
It was a http traffic. I forgot to mention one thing that the http traffic is actually from the proxy via ICAP to TE device.
To answer u.... In the firewall log it shows the ICAP traffic from proxy and then in the emulation log it doesnt show anything.
Regards,
Biju Nair
Sent from my iPhone
You can set the maximum file size here (in R80.10):

Hi - Please see the AV/AB logs in case enabled, it might have processed with these blades before the file could be emulated.
Nope. AV blade currently is not offically available in ICAP - so that can´t be the issue.
Did you check access.log of the ICAP server to be sure the EICAR.COM is really passed to us ?
access.log is stored in $FWDIR/log/c-icap/
It is advisable to change the logformat before consulting the log otherwise you won´t "see" much infos in this log.
To extend logging do the following:
1) vi /opt/CPsuite-R77/fw1/c-icap/etc/c-icap.conf
2) Search for “AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log”
3) Add this line before the abaove finding:
LogFormat accessFormat "%tl, %la %a %im %iu %is %huo '%<ho' '%{X-Infection-Found}<ih'"
4) Change the AccessLog line to:
AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log accessFormat
So the section in c-icap.conf should now look like this:
LogFormat accessFormat "%tl, %la %a %im %iu %is %huo '%<ho' '%{X-Infection-Found}<ih'"
AccessLog /opt/CPsuite-R77/fw1/log/c-icap/access.log accessFormat
So the troubleshooting flow should be:
1) Do you see the file from the proxy to our ICAP server in access.log
2) Do you see the file being handled in $FWDIR/log/ted.elg
Regards Thomas
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
| User | Count |
|---|---|
| 66 | |
| 22 | |
| 7 | |
| 6 | |
| 5 | |
| 4 | |
| 4 | |
| 3 | |
| 2 | |
| 2 |
Thu 09 Jul 2026 @ 10:00 AM (CEST)
Schutz souveräner Workloads: Check Point & die AWS European Sovereign CloudThu 09 Jul 2026 @ 11:00 AM (CEST)
The Cloud Architects Series: Check Point Edge Protection SD-WAN & SASEThu 09 Jul 2026 @ 11:00 AM (EDT)
Tips and Tricks 2026 #9 - What's New with Check Point Email SecurityFri 10 Jul 2026 @ 11:00 AM (IDT)
CheckMates Live Netherlands - Sessie 48: Nieuwe Check Point Workspace SecurityTue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 30 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E12: READY OR NOT: Securing the AI Enterprise 4/5 - AI GatewayThu 09 Jul 2026 @ 11:00 AM (EDT)
Tips and Tricks 2026 #9 - What's New with Check Point Email SecurityFri 10 Jul 2026 @ 11:00 AM (IDT)
CheckMates Live Netherlands - Sessie 48: Nieuwe Check Point Workspace SecurityTue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 30 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E12: READY OR NOT: Securing the AI Enterprise 4/5 - AI GatewayThu 20 Aug 2026 @ 10:00 AM (PDT)
AI Security Masters E13: READY OR NOT: Securing the AI Ent 5/5 - AI Research & Threat LandscapeAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY