Admin

How do I verify Threat Emulation is working?


We offer a test you can access from behind your Security Gateway where Threat Emulation is enabled to ensure it is working:

  • Threat Emulation Test -- A link to a DOC with an exploit that will not harm your computer. Will show as Exploited Document in logs.

Related:

  • Anti-Virus Test -- Downloads the standard EICAR AV test file
  • Anti-Bot Test -- Accesses a link that is flagged by Anti-Bot blade as malicious. Shows as Check Point-Testing Bot in logs.

Accepted Solutions

Re: How do I verify Threat Emulation is working?


@miguel 

I think that the explanation lies in the behavioral analytics engine of SandBlast; the same happens with antivirus products such as Cylance: EICAR is not detected because it actually does nothing on your system. In other words, it doesn't trigger any indicator of compromise.

I would recommend you try these solutions with real malware from theZoo project (https://github.com/ytisf/theZoo); if you want to go beyond that, you can even modify the binaries so the hash is new.

Handle with care since it's real malware 🙂

Hope it helps 

____________
https://www.linkedin.com/in/federicomeiners/



Re: How do I verify Threat Emulation is working?


Thanks for the test tip, Dameon!

Also, CP's CheckMe is a good option for this: http://www.cpcheckme.com/checkme/

Regards,

Admin

Re: How do I verify Threat Emulation is working?

Also a good test.
chico

Re: How do I verify Threat Emulation is working?


Hello,

I'm checking the Check Point ICAP server in my lab, and if I upload an EICAR document, Check Point accepts the EICAR file.

I configured an ICAP profile on the Threat Prevention layer with these options:

- If Threat Emulation is activated on the ICAP profile, the EICAR test file is accepted by Check Point.

- If Threat Emulation is not activated on the ICAP profile, the EICAR test document is prevented by the Anti-Virus blade, as shown in the attached picture.

I don't understand how it works..

Can someone explain the difference to me?

 

Regards,

 

Miguel


chico

Re: How do I verify Threat Emulation is working?


Hi,

Thank you for the reply,

 

Ah yes, I understand: in Threat Emulation the document is emulated on various OS systems to check whether there are abnormal behaviors. Effectively EICAR doesn't do anything, it's simply a signature... so it's detected by the Anti-Virus signature.

 

Thank you for the link.

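To make the two points in this thread concrete (EICAR is a fixed byte string that only a signature or hash lookup can "detect", and an ICAP client learns the blade's verdict from the ICAP status code of the RESPMOD reply), here is an added example. It is my own code, not from the thread, Check Point, or the CheckMe service. It builds the EICAR string in memory, computes its digests, constructs the RFC 3507 RESPMOD request an ICAP client would send with that file as the HTTP response body (Encapsulated offsets computed, not hard-coded), and interprets two constructed ICAP replies. The ICAP host, origin host, URL path, and both sample replies are assumptions; a real Check Point ICAP server's block page will differ, but the 204-means-unchanged / 200-means-replaced semantics are generic ICAP.

```python
import hashlib

# Assembled from fragments so this source file does not itself carry the
# 68-byte EICAR signature; eicar_bytes() returns the exact standard string.
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    "!$H+H*",
)


def eicar_bytes() -> bytes:
    """The 68-byte EICAR test string (no trailing newline)."""
    return "".join(_EICAR_PARTS).encode("ascii")


def eicar_digests() -> dict:
    """What a signature/hash-based AV engine matches on: fixed bytes.
    There is no behaviour to emulate, which is why a sandbox alone says nothing."""
    data = eicar_bytes()
    return {
        "length": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_respmod(body: bytes, icap_host: str = "icap.example.net",
                  origin_host: str = "www.example.com",
                  path: str = "/eicar.com") -> bytes:
    """RESPMOD request (RFC 3507 s4.8.2) wrapping an HTTP 200 response whose
    body is `body`. Hostnames and path are placeholders (assumed values)."""
    req_hdr = f"GET {path} HTTP/1.1\r\nHost: {origin_host}\r\n\r\n".encode()
    res_hdr = (f"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
               f"Content-Length: {len(body)}\r\n\r\n").encode()
    # ICAP bodies are always chunked (RFC 3507 s4.5): hex length, data, zero chunk.
    res_body = b"%x\r\n" % len(body) + body + b"\r\n0\r\n\r\n"
    # Offsets are counted from the first byte after the ICAP header's blank line.
    encaps = (f"req-hdr=0, res-hdr={len(req_hdr)}, "
              f"res-body={len(req_hdr) + len(res_hdr)}")
    icap_hdr = (f"RESPMOD icap://{icap_host}/respmod ICAP/1.0\r\n"
                f"Host: {icap_host}\r\nAllow: 204\r\n"
                f"Encapsulated: {encaps}\r\n\r\n").encode()
    return icap_hdr + req_hdr + res_hdr + res_body


def parse_icap_message(raw: bytes) -> dict:
    """Split an ICAP request or reply into start line, headers, and the
    encapsulated sections named by the Encapsulated header."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    entries = [e.strip().split("=") for e in headers.get("encapsulated", "").split(",")
               if e.strip()]
    sections = {}
    for i, (name, off) in enumerate(entries):
        end = int(entries[i + 1][1]) if i + 1 < len(entries) else len(rest)
        sections[name] = rest[int(off):end]
    return {"start_line": lines[0], "headers": headers, "sections": sections}


def verdict(reply: bytes) -> str:
    """Interpret an ICAP reply the way the ICAP client does:
    204 = server had nothing to change, content passes unchanged;
    200 = server returned a replacement HTTP message (a block page when a
          Threat Prevention blade prevented the file)."""
    msg = parse_icap_message(reply)
    code = int(msg["start_line"].split()[1])
    if code == 204:
        return "allowed"
    if code == 200 and "res-hdr" in msg["sections"]:
        status = msg["sections"]["res-hdr"].split(b"\r\n", 1)[0].decode()
        return f"modified: {status}"
    return f"icap-status-{code}"


# Constructed sample replies (not captured from a Check Point gateway).
REPLY_ALLOWED = (b"ICAP/1.0 204 No Content\r\nISTag: \"sample\"\r\n"
                 b"Encapsulated: null-body=0\r\n\r\n")
_BLOCK_HTML = b"<html>blocked</html>"  # 20 bytes
_BLOCK_HDR = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
              b"Content-Length: 20\r\n\r\n")
REPLY_BLOCKED = (b"ICAP/1.0 200 OK\r\nISTag: \"sample\"\r\n"
                 + b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(_BLOCK_HDR)
                 + _BLOCK_HDR + b"%x\r\n" % len(_BLOCK_HTML) + _BLOCK_HTML
                 + b"\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(eicar_digests())
    print(build_respmod(eicar_bytes()).decode("ascii"))
    print(verdict(REPLY_ALLOWED), "/", verdict(REPLY_BLOCKED))
```

The practical check this gives you: if the blade you expect to fire (Anti-Virus for EICAR, Threat Emulation for a document that actually does something when opened) is active on the ICAP profile, the reply should be a 200 carrying a replacement response rather than a 204, and the gateway log should show the corresponding event; a 204 for EICAR with only Threat Emulation enabled is exactly the behaviour the thread describes, since the sandbox sees a file that does nothing.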