Threat Emulation Exceptions

I have noticed we are emulating far too many files for our 250,000 file limit.  Not long ago I decided we did not need to emulate Windows.update files AND secureupdate.checkpoint.com files.  I created exceptions for our Endpoint client but sadly they are still being emulated.  Has anyone else tried to reduce their emulation load and noticed this behavior?

Many thanks for your support,

Dan Roddy

8 Replies

In the relevant Threat Prevention profile under Threat Emulation...Advanced, do you have "disable static analysis" checked?  If so, uncheck it, as having that set will cause the firewall to blindly send every single file encountered for full emulation, even if that specific file has been seen (and emulated) before.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com

Thanks Tim, I do have your First and Second Edition...however I forgot to add an important detail to my post...all the Threat Emulations I am referring to take place on Capsule Cloud (sorry about that).  I put the exceptions into the Endpoint Client for SandBlast, did I goof?


No, that should work. You probably need to engage with TAC, who will have the tools to figure out why your emulation rate is so high.


OK, we are blazing through our Threat Emulation quota and Capsule Cloud is ignoring my emulation bypass configuration for Windows Update and Symantec LiveUpdate.  I know, this will result in more revenue for Check Point, but think about the performance hit emulation is taking in the cloud.  Who agrees with me that threat emulation is NOT needed on these two applications?
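
Before concluding that the cloud is ignoring an exception, the check I would want is a quick triage of the Threat Emulation events themselves: aggregate them by the host the file was fetched from, see whether the hosts you believe are excluded still show up, and see whether identical file hashes are being emulated repeatedly (the static-analysis point raised above). The script below is an added example and is not code from this thread or from Check Point. The key=value line format, the field names (resource, file_md5, verdict), the sample events and the exception patterns are all constructed for illustration and are not the real Check Point log schema.

```python
"""Triage Threat Emulation log volume against the exceptions an admin intended.

Added example. The key=value line format is a constructed stand-in, not
Check Point's real log schema; field names are assumptions.
"""
import fnmatch
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample events (not real logs). Hosts follow the thread: Windows
# Update, Symantec LiveUpdate and the Check Point update host named above.
SAMPLE_LOG = """\
time=2020-03-02T09:00:01 product=TE src=10.1.2.10 resource=http://download.windowsupdate.com/d/msdownload/update/kb4532693.cab file_md5=aaaa1111 verdict=Benign
time=2020-03-02T09:00:05 product=TE src=10.1.2.11 resource=http://liveupdate.symantecliveupdate.com/minitri.flg file_md5=bbbb2222 verdict=Benign
time=2020-03-02T09:01:10 product=TE src=10.1.2.12 resource=https://secureupdate.checkpoint.com/client.cab file_md5=cccc3333 verdict=Benign
time=2020-03-02T09:02:30 product=TE src=10.1.2.10 resource=https://example.org/invoice.pdf file_md5=dddd4444 verdict=Benign
time=2020-03-02T09:02:45 product=TE src=10.1.2.13 resource=https://example.org/invoice.pdf file_md5=dddd4444 verdict=Benign
time=2020-03-02T09:03:00 product=TE src=10.1.2.10 resource=http://download.windowsupdate.com/d/msdownload/update/kb4534132.cab file_md5=eeee5555 verdict=Benign
time=2020-03-02T09:04:00 product=TE src=10.1.2.14 resource=https://files.example.net/report.docx file_md5=ffff6666 verdict=Malicious
"""

# Hosts the admin believes are excluded from emulation (assumed glob patterns).
INTENDED_EXCEPTIONS = [
    "*.windowsupdate.com",
    "*.symantecliveupdate.com",
    "secureupdate.checkpoint.com",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one key=value event line into a dict (values contain no spaces)."""
    return dict(KV_RE.findall(line))


def host_of(url):
    """Lower-cased hostname of a URL, or '' if the URL has none."""
    return (urlparse(url).hostname or "").lower()


def is_excepted(host, patterns):
    """True if the host matches any intended-exception glob."""
    return any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns)


def triage(log_text, patterns):
    """Count emulations per host and flag the ones that should not have cost quota."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    per_host = Counter()
    first_seen = {}                 # md5 -> index of its first emulation
    reemulated = defaultdict(list)  # md5 -> later emulations of the same hash
    leaked = []                     # events from excepted hosts, emulated anyway
    avoidable = set()               # event indices that should have been bypassed
    for i, ev in enumerate(events):
        host = host_of(ev.get("resource", ""))
        per_host[host] += 1
        if is_excepted(host, patterns):
            leaked.append(ev)
            avoidable.add(i)
        md5 = ev.get("file_md5")
        if md5 in first_seen:
            reemulated[md5].append(ev)
            avoidable.add(i)
        else:
            first_seen[md5] = i
    total = len(events)
    return {
        "total": total,
        "per_host": per_host,
        "leaked": leaked,
        "reemulated": dict(reemulated),
        "avoidable": len(avoidable),
        "avoidable_pct": round(100.0 * len(avoidable) / total, 1) if total else 0.0,
    }


def report(result):
    """Human-readable summary of a triage() result."""
    print(f"{result['total']} emulations, {result['avoidable']} avoidable "
          f"({result['avoidable_pct']}%)")
    for host, n in result["per_host"].most_common():
        print(f"  {n:5d}  {host}")
    for ev in result["leaked"]:
        print("  EXCEPTION NOT APPLIED:", ev["resource"])
    for md5, evs in result["reemulated"].items():
        print(f"  RE-EMULATED {len(evs)}x after first sighting: {md5}")


if __name__ == "__main__":
    report(triage(SAMPLE_LOG, INTENDED_EXCEPTIONS))
```

Against a real export, replace parse_line with whatever your log exporter emits and map its field names onto resource and file_md5; the aggregation and the two checks (excepted host still emulated, same hash emulated again) stay the same. If the "leaked" list is non-empty after the exception has been pushed, that is the evidence to hand TAC.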


Hello Dan,

Could you figure out why your TE was not bypassing the exception?

Regards


I'm having issues with TE/TX and not being able to add exceptions for specific sites. The issue I'm experiencing is mainly down to the time it is taking for emulation to complete. As an example, a 200K PDF is taking between 8-12 minutes to complete, which is not ideal (Cloud Emulation, not on-prem).

I have tried adding exceptions to the Threat Prevention policy, although this does not appear to work. It would be amazing if this worked, or if there was functionality to bypass specific sites or utilise the Application Control objects within the Threat Prevention policy.


If anyone has any working exceptions then please holla.


Thanks
Matt


Our Endpoint Client is randomly ignoring "Disable Threat Emulation" settings in the Policy tab. 


What in god's name is going on? 

I am seeing the sandblast add-in for browsers getting instantiated in Chrome and the CPEP overview dialog box shows Threat Emulation and Anti-Exploit as ON, then off again.


Threat Emulation plugin shows up in the browser UI in Chrome and all PDFs are being emulated on download attempt even if you are going to the same link and downloading the same file again.

I tried upgrading the client to the latest version and re-pushed policy, and it is still happening, inconsistently but often.

Endpoint is killing me...  It always seems to want to drive me batty.

Client OS is Windows 10 1909 with CPEP Client 82.10 installed.

Management Server is running 80.30 Gaia 3.10 Jumbo Hotfix Accumulator for Security Management (Take 111) and Smart Console / Smart Endpoint console is build 36.

I don't want to have to push out a deployment rule to remove the blade completely, but that seems to be the only option.

I will try enabling the blade in policy and using exceptions to see if maybe that works now, because it never did before.

Emulation seems to be happening with Chrome most of the time, and IE 11 not so much.

The particular use case I am testing this on is when Chrome is the default Web browser and you click on a link in an email in Outlook 2013 Pro Plus. 


I have another end user who has IE as the default browser, and he was still seeing emulation happening, though he is in a policy rule which disables Threat Emulation completely as well.


This is problematic because we have a Citrix Workspace based web application we need to use to reach our investment banking account management system at UBS, and it breaks the ability of the ConsultWorks app to launch the .ica file that starts it once you log into the portal.

😞



I am working with TAC, and I am told that E82.20 client fixes the behavior.

I am deploying new workstations with that client now and will report back to TAC and here if this is indeed fixed.
