Dan_Roddy
Copper

Threat Emulation Exceptions

I have noticed we are emulating far too many files for our 250,000 file limit.  Not long ago I decided we did not need to emulate Windows.update files AND secureupdate.checkpoint.com files.  I created exceptions for our Endpoint client but sadly they are still being emulated.  Has anyone else tried to reduce their emulation load and noticed this behavior?

Many thanks for your support,

Dan Roddy

5 Replies

Re: Threat Emulation Exceptions

In the relevant Threat Prevention profile under Threat Emulation...Advanced, do you have "disable static analysis" checked? If so, uncheck it, as having that set will cause the firewall to blindly send every single file encountered for full emulation, even if that specific file has been seen (and emulated) before.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
0 Kudos
Dan_Roddy
Copper

Re: Threat Emulation Exceptions

Thanks Tim, I do have your First and Second Edition... however, I forgot to add an important detail about my post: all the Threat Emulations I am referring to take place on Capsule Cloud (sorry about that). I put the exceptions into Endpoint Client for SandBlast; did I goof?

0 Kudos

Re: Threat Emulation Exceptions

No, that should work. You probably need to engage with TAC, who will have the tools to figure out why your emulation rate is so high.

0 Kudos
Dan_Roddy
Copper

Re: Threat Emulation Exceptions

OK, we are blazing through our Threat Emulation quota and Capsule Cloud is ignoring my emulation bypass configuration for Windows Update and Symantec Live Updates. I know, this will result in more revenue for Check Point, but think about the performance hit emulation is taking in the cloud. Who agrees with me that threat emulation is NOT needed on these two applications?

Re: Threat Emulation Exceptions

Hello Dan,

Could you figure out why your TE was not bypassing the exception?

Regards

0 Kudos