This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ben-Zion_Josels
Participant
‎2017-12-30 07:21 AM

Too few file types are inspected by default by SandBlast

While configuring various settings in my locally-managed 1430 appliance (Firmware R77.20.60), I was surprised to find the following Threat Prevention Engine default Settings:

Anti-Virus Blade scans HTTP, FTP, Mail (SMTP and POP3 but not IMAP).
 File types policy: Process file types known to contain malware.

Threat Emulation Blade (SandBlast) - does not scan FTP. Scans HTTP and Mail SMTP only.
 File types default policy:

Inspect .doc, .docx, .pdf, .ppt, .pptx, .xls, .xlsx, only.
Bypass all other file extensions/types, including .exe, .rar. .zip etc.

So it seems Check-Point experts consider Threat Emulation (SandBlast) as redundant, and rely more strongly on Anti-Virus scanning most file types capable of containing malware.

Please recommend whether I should add several file extensions/types to the very limited group that are scanned by default by the Threat Emulation Blade.

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2018-01-04 08:41 AM

This is more of an https://community.checkpoint.com/community/infinity-general/smb-smp?sr=search&searchId=e1a20842-4ea5...‌ question.

My guess is the defaults chosen for the 1400 Series appliances are related to the limited resources available on these appliances.

The more file types you choose to scan, the more connections that will potentially need to be held while files are emulated.

0 Kudos
Miri_Ofir
Employee
Employee
‎2018-01-04 12:29 PM

The SMB appliance uses the same deafults as in R80.10 smart console. You can add easily additional file types. 

Which addtional file types do you want to see by default?

In R77.20.70 you can configure SSL inspection and to have all threat prevention blades incluing threat emulation over HTTPS protocol.

In the upcoming releases, POP3 and more email protocols will be supported. 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events